Lawyers say changes to UK data law will make life harder for international businesses

Legal experts say UK government plans to create new data protection laws will make more work and add costs for business, while also creating the possibility of challenges to data sharing between the EU and UK. Last week, the Queen's Speech – in which the British government sets out its legislative plans – said the ruling …

  1. Doctor Syntax Silver badge

    None of this counts when it comes to Team Brexit's opportunities for willy-waving.

    1. Anonymous Coward

      I think it's a combination of three things.

      Firstly it's what Sam Lowe at the CER calls "performative divergence". Not diverging because it makes sense, just to show that divergence is possible.

      Secondly I suspect that there have been a few people among the oligarchs in the 'Leader's Group' that have bought time with the government who have complained that consumers are too protected and it's hampering their business.

      Thirdly I suspect the government would love to connect more and more datasets (facial recognition databases with DWP data? NHS data with the police?) and they have run into obstacles regarding data collection that is "reasonable" for a specific use.

      1. Anonymous Coward

        This is about NHS data and enabling it to be sold off with fewer restrictions. Boris has talked about data being the next gold rush, so somebody has been in his ear telling him there is serious money to be made. While not all of the NHS's data is UK centric most of it is, so it's simpler (as simple as any big NHS project gets) to enable for them.

        The other big winners are the big tech giants like Facebook and Google who can afford to quickly develop a new set of privacy rules just for the UK and would love more access to their customers' data.

    2. NoneSuch Silver badge
      Holmes

      The politicians of this country, or indeed any country, will never admit they were wrong and would rather drive the UK to the brink of bankruptcy rather than saying BREXIT was a massive and expensive lie.

      What amuses me are news shots of people who voted for BREXIT stuck in Spanish airport queues saying the Irish are getting preferential treatment. THEY ARE. They are members of the EU and we're not because of your ignorant choices and misleading politicians.

      NSS icon, because NSS!

      1. Anonymous Coward

        > the Irish are getting preferential treatment. THEY ARE. They are members of the EU

        This is rather amusing in the context of the article. Citizens of EU countries can go through passport control faster, because those countries already share your flight & personal data between their immigration systems, as permitted by GDPR.

        It would seem that you want the UK to share data when it's convenient for you, but object to it changing the DP rules to make it easier for businesses to share data. Smacks of cakeism to me...

        1. Anonymous Coward

          That's not it. The EU also shares data with other countries such as the US; it still does not allow Americans to use the EEA passport lines.

          https://euobserver.com/rule-of-law/138621

          1. Lis

            So, the E.U. sharing data with the Yanks is fine with you as long as the Yanks can't use E.E.A. passport lines? How grown up of you /S

        2. Anonymous Coward

          > Citizens of EU countries can go through passport control faster, because those countries already share your flight & personal data between their immigration systems, as permitted by GDPR.

          Well the UK was ahead of the EU pack back in 2012 with e-Borders where they *required* all airlines/ferry companies to provide passenger data for those entering/leaving the UK to the Border Agency *before* the travel occurred (i.e. before the plane took off). Indeed the UK Gov even offered to provide this data to their equivalent bodies in the rest of the EU without being asked for it.

          Plus the UK has engaged in Policy Laundering ("https://wiki.openrightsgroup.org/wiki/Policy_Laundering") in the past - the UK used the fallout from the 2004 Madrid train bombings to convince the Spanish Gov to push for more EU personal data collection, all so the UK Gov could then claim "we don't want to collect this, the nasty EU is making us do it" when in fact the UK (behind the scenes) "authored" the EU's requirement for the collection.

          > It would seem that you want the UK to share data when it's convenient for you, but object to it changing the DP rules to make it easier for businesses to share data.

          A consideration of Data Protection law is the "balancing test", to balance individuals' right to privacy against the societal benefits of sharing the data in question. However many businesses (i.e. advertising/marketing/big data) in general don't want to do "balancing tests", they think they have a right to the data regardless.

      2. Trigonoceps occipitalis

        BREXIT was a massive and expensive lie.

        One thing BREXIT is not is a lie. For good or ill we are out.

        On the subject of e-gates, Portugal allows UK passport holders to enter using e-gates so there is no reason, except punishment, not to allow UK passport holders to use e-gates to enter France, Germany etc.

        I believe that EU passport holders can use e-gates to enter the UK. How about a bit of quid pro quo?

        Do not assume that I support, or not, Brexit. Just an example of unnecessary friction as a result. Anyone could see it coming and, presumably, those who voted yes discounted the effects.

        1. Doctor Syntax Silver badge

          Re: BREXIT was a massive and expensive lie.

          The lie was saying it was a good idea. We will now have to follow rules into which we no longer have an input or suffer the consequences. You might call that taking back control but it doesn't look like it to me.

          1. Trigonoceps occipitalis

            Re: BREXIT was a massive and expensive lie.

            Maybe, maybe not. It is just that that was not what was written.

        2. Anonymous Coward

          Re: BREXIT was a massive and expensive lie.

          Portugal allows UK passport holders to go through e-gates to speed up some of the processing, but they're still queuing up to have their passports stamped afterwards before entering Portugal. This is not treating UK passport holders the same as EU passport holders.

          When EES and ETIAS come online, UK passport holders will be processed by those instead of having their passports stamped, EU passport holders won't be.

          When a British passport holder travels from one Schengen country to another by land they should report their presence in each new Schengen country and be prepared to answer questions about reason for stay, place of stay, sufficient funds, etc... This is not treating UK passport holders like EU passport holders.

          UK continues to use e-gates and single queues in airports because it doesn't have the space to do anything else. Likewise for goods shipments UK is waving everything through inbound because it doesn't have the infrastructure to do proper checks (smugglers' charter).

        3. Warm Braw Silver badge

          Re: BREXIT was a massive and expensive lie.

          > How about a bit of quid pro quo?

          Strangely enough, EU countries are not all the same and have their own procedures and autonomy. There's an implementation cost to making exceptions - such as having a special category of e-gate users who are not in the EU. Portugal (and Spain) see an economic benefit in extending access to UK citizens who are a significant source of tourist income. Other countries don't see the same imperative, though the roll-out of ETIAS may well change things. Sovereignty, innit?

          What's interesting is that the UK is defiantly resisting flexibility even in the face of its own economic detriment. All of the EU citizens who could previously visit the UK with their ID cards now need a passport - which many will not get simply for the "privilege" of seeing Big Ben from a bus. It's one reason why language schools are struggling to survive and the formerly-buoyant market for EU school trips to the UK has vanished. The UK is deliberately punishing itself.

          1. H in The Hague Silver badge

            Re: BREXIT was a massive and expensive lie.

            "All of the EU citizens who could previously visit the UK with their ID cards now need a passport"

            Yup! That's one thing I really don't understand. Presumably in most EU member states the ID cards and passports are generated using the same databases and are therefore pretty much equivalent. (Or have I got that wrong?) Seems pointless and must really hurt the language school and school trips market.

        4. Ivan Headache

          Re: BREXIT was a massive and expensive lie.

          Just entered Spain through an e-gate. Still had to get my PP stamped afterwards though.

        5. Roland6 Silver badge

          Re: BREXIT was a massive and expensive lie.

          >On the subject of e-gates, Portugal allows UK passport holders to enter using e-gates so there is no reason, except punishment, for not to allow UK passport holders to use e-gates to enter France, Germany etc.

          Obviously wasn't paying attention!

          The UK had a choice: it could have negotiated with the EU about borders and movement of people as part of the Withdrawal Agreement or, as it did do, wait until it had left the EU and then negotiate such matters with each individual EU member... So I suggest you address your gripe not to "the EU" but to those in Westminster who negotiated the UK's withdrawal.

      3. BebopWeBop

        And those of us with dual nationality, British and Irish passports laugh at those people who voted for Brexit, including those who live in the EU who also did and are complaining about their (relatively minor) restrictions.

  2. LDS Silver badge

    "a data protection framework that is focused on privacy outcomes rather than box-ticking"

    Actually that was what many complained about GDPR, because it says what is required but not how to do it, and most executives and lawyers really like "box-ticking" because it is simple to implement, and makes fake compliance easier.

    "Best practices" were introduced based on the Regulation, but are not part of the Regulation itself - there is no "box ticking" there.

    1. Anonymous Coward

      Re: "a data protection framework that is focused on privacy outcomes rather than box-ticking"

      As with plenty of EU regulations, the implementation details are left to the member countries' transcription in their local laws.

      Eg, we in France already had strong data protection in place, with existing how-tos that didn't change much with the GDPR.

      1. Anonymous Coward

        Re: "a data protection framework that is focused on privacy outcomes rather than box-ticking"

        > As with plenty of EU regulations, the implementation details are left to the member countries transcription in their local laws.

        Nope, that would be what happens with an EU Directive.

        The GDPR is a Regulation (that's what the "R" in GDPR stands for), it is not transcribed into National Law, rather the GDPR itself becomes effective in all EU member states. What the GDPR does permit, however, is derogations from some specific aspects of it and those derogations are defined/implemented by national law, e.g. the UK DPA 2018 defines some UK derogations from GDPR.

        Quote from https://en.wikipedia.org/wiki/Regulation_(European_Union):

        "A regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Regulations can be distinguished from directives which, at least in principle, need to be transposed into national law."

  3. Stork Silver badge

    Any business experience in government?

    Have any of the ministers actually been involved in running a business, one dealing with the world outside UK?

    I suspect not, and this is not only a problem in the UK.

    1. James 139

      Re: Any business experience in government?

      Likely only in so far as giving "advice" or taking "bribes" to pass a message on to a colleague who has better "advice".

    2. Anonymous Coward

      Re: Any business experience in government?

      Well there's Grant Shapps, the current Secretary of State for Transport. His Wikipedia page has plenty of information on his business dealings under the heading "Business Ventures". Apparently he founded his first business at the age of just 22. As to whether any of them were outside the UK, the item about his company "20/20 Challenge" has the prices and returns listed in US dollars.

      Didn't Jacob Rees Mogg's company move to Dublin a few years ago? Although I seem to recall he's not an active director of it (he's a sleeping partner in it I think).

      1. Cederic Silver badge

        Re: Any business experience in government?

        No. Rees Mogg's company set up an office in Dublin to service their EU clients, while retaining the bulk of their business in the UK.

        The allegations that the business had moved were malicious misinformation from the people that hate democracy.

        1. Anonymous Coward

          Re: Any business experience in government?

          Thanks for the correction - I did recall that the "move to Dublin" wasn't quite what it was portrayed as, but forgot the details. And I now see that Rees-Mogg's Wikipedia page describes him as "a partner in the business who does not make investment decisions", so he wasn't directly involved.

        2. Snapper Bronze badge

          Re: Any business experience in government?

          I love democracy, and Smoggie is one of the biggest purveyors of malicious misinformation in this gubmint.

      2. batfink Silver badge

        Re: Any business experience in government?

        Was that the one where Shapps was operating under the false name of Michael Green?

  4. Philip Storry

    And nothing much will change for 95% of companies

    GDPR doesn't apply to territories. It applies to EU citizens.

    Given that we have Northern Ireland as part of the UK, no company can operate there as an employer without having to adopt GDPR as their minimum standard for data processing.

    And given that the Common Travel Area allows Irish citizens - who are also EU citizens - to work in the UK, this then extends to the rest of Great Britain.

    The only way to avoid GDPR in the UK is to simply not trade with, employ, or provide services to anyone Irish. Which is hardly practical.

    Of course, the hardcore Brexit supporters may see this as part of the return to the Glorious Past. No doubt they're eager to break out their old "No Irish, No Blacks, No Dogs" signs and are eagerly awaiting legislation on the latter two groups to follow.

    Meanwhile everyone looking to the future will just follow GDPR because anything else would be a waste of time.

    This is the most prominent example of how we'll be rule takers, not rule makers - until we rejoin the EU. Quite ironic really.

    1. EricM

      Re: And nothing much will change for 95% of companies

      You seem to imply that Gov.UK will only "ease the burden" of GDPR by removing some of its rules, while otherwise keeping it compatible. In this scenario companies could simply still follow GDPR rules and go about their business as before.

      But as I read the announcement, the idea really is to come up with a new, different set of rules, presumably easier, but not necessarily a subset of GDPR rules.

      So companies operating in the UK and the EU might end up having to comply with 2 different, even potentially conflicting sets of rules in parallel, at higher operational cost.

      Conflicts might even lead to a future SchremsX decision against the UK, even further excluding UK companies from EU service business.

      1. Doctor Syntax Silver badge

        Re: And nothing much will change for 95% of companies

        If the EU decides that the new legislation is no longer sufficient to support adequacy then at best companies might have a lot of additional hoops to jump through to do business with EU residents.

        A Schrems style situation might even become a Schrems plus. Whilst the consumer rights side of the EU pushes GDPR etc the trading side doesn't really want to avoid doing business with the US and keeps inventing new fig leaves for Schrems to tear down. They might be less inclined to do the same for a country they regard as uncooperative.

      2. James 139

        Re: And nothing much will change for 95% of companies

        Something tells me, every time I read these sort of Government ideas, that they are convinced that most businesses in the UK don't do anything outside the UK.

        It's the only thing that seems to make a reasonable excuse for it.

        And, that being the case, only a small number are being expected to have to end up following 2 sets of rules, just a shame that past evidence suggests otherwise.

        1. Dan 55 Silver badge

          Re: And nothing much will change for 95% of companies

          > Something tells me, every time I read these sort of Government ideas, that they are convinced that most businesses in the UK don't do anything outside the UK.

          I think they're trying their hardest to make that happen.

    2. Mike 137 Silver badge

      Re: And nothing much will change for 95% of companies

      "GDPR doesn't apply to territories. It applies to EU citizens"

      Unfortunately, it doesn't. It specifically applies to persons present in the territories regardless of their citizenship, and to businesses located anywhere processing the personal data of persons in the territories.

      Article 3 states:"This Regulation applies to the processing of personal data of data subjects who are in the Union" So the data protection rights of an American on holiday in Paris (while they remain there) are the same as those of a permanent resident.

    3. Doctor Syntax Silver badge

      Re: And nothing much will change for 95% of companies

      GDPR is written into the current UK Data Protection Act, give or take a little wriggle room for HMG to indulge in its data fetish. That means it applies in the UK anyway.

      The scope is a little different to what you say, however. The restriction would be on forms of business that involve collecting personal data so business to business transactions might not be affected nor consumer cash transactions. OTOH GDPR applies to EU citizens as a whole, not just Irish citizens.

      A specific point about Irish ancestry, however, is that it can grant citizenship to those not born in Ireland so that my grandchildren have dual British and Irish (and hence EU) nationality despite being born in England by virtue of the fact that their mother was born in Belfast (not even in the RoI).

      1. Ken G Bronze badge
        Headmaster

        Re: And nothing much will change for 95% of companies

        Irish nationality is based on the residency of ancestors on 6 December 1922, the 24 hour period after Independence and before Northern Ireland seceded.

        1. Anonymous Coward

          Re: And nothing much will change for 95% of companies

          The RoI has always considered NI to be part of the "national territory" (although it watered down that constitutional claim as part of the Good Friday Agreement). Anyone born in NI is an Irish Citizen, and is entitled to an Irish passport, Irish secession from the UK notwithstanding.

        2. Ken G Bronze badge
          Paris Hilton

          Re: And nothing much will change for 95% of companies

          I'm not sure why the downvotes, do people think I'm wrong about that or just disagree with the Irish citizenship law?

    4. Len
      Unhappy

      Re: And nothing much will change for 95% of companies

      The biggest problems will be for the many UK tech services companies. If you are a data analytics company and some of your customers have users all over the EU, your company will need to meet the legal requirements of the GDPR before they can give you access to some of their user data. Same if you run an online payroll system, office and collaboration tools, business process outsourcing etc. etc.

      It will likely pan out as a classic case of the Brussels effect: UK companies doing international business will still have to adhere to GDPR standards. Only UK companies that target the UK alone because it's legally too much hassle to go international (betting firms? pension tools? some fintechs?) have the luxury of a single regulatory environment with reduced data protection. It will be very interesting to see what this will do to the SaaS sector in the UK.

      1. Doctor Syntax Silver badge

        Re: And nothing much will change for 95% of companies

        The problem I see with this is that if the prevailing legislation doesn't meet GDPR requirements and something like the proposed public body data sharing comes into play then it might be impossible to claim GDPR compliance.

        Never mind, companies can just set up an EU subsidiary to do what would otherwise have been done in the UK, or even just move the whole business to the EU. In the meantime the UK remains the best place in the whole world for something or other. What was it? Ah, yes: taking back control.

        1. BebopWeBop

          Re: And nothing much will change for 95% of companies

          Despite having 65% of our employees in the UK, with 80%+ of business and growth in the EU we found it simpler to incorporate in the EU at no significant cost.

        2. Cederic Silver badge

          Re: And nothing much will change for 95% of companies

          It's almost as though UK companies will be prevented from doing business in the EU to the same extent that US ones are.

          Oh woe, pity our poor businesses, being held back and prevented from growth, just like Google, Amazon, Apple, Facebook, Microsoft and Twitter.

          1. Strahd Ivarius Silver badge
            Trollface

            Re: And nothing much will change for 95% of companies

            looks like the EU was targeting specifically Cambridge Analytica...

      2. codejunky Silver badge

        Re: And nothing much will change for 95% of companies

        @Len

        "It will likely pan out as a classic case of the Brussels effect, UK companies doing international business will still have to adhere to GDPR standards. Only UK companies that target the UK alone"

        Didn't need the extra text after that. The domestic market is a real thing. I have no idea what the UK gov will do and expect they will probably cock up somehow, but if they water down rules we don't care about and don't want to apply domestically it would be a great boost domestically while those dealing with the EU will need to follow EU rules. Amazingly that is the norm when dealing with any country; we don't domestically apply Chinese law just because we want to trade with them.

        Fingers crossed the gov do an overall good job

        1. batfink Silver badge

          'Fingers crossed the gov do an overall good job'

          Well, as they say, there's a first time for everything.

          1. codejunky Silver badge
            Thumb Up

            Re: 'Fingers crossed the gov do an overall good job'

            @batfink

            "Well, as they say, there's a first time for everything."

            We can agree there

            1. Strahd Ivarius Silver badge

              Re: 'Fingers crossed the gov do an overall good job'

              don't hold your breath though...

            2. batfink Silver badge

              Re: 'Fingers crossed the gov do an overall good job'

              @Codejunky it's weird that someone is downvoting the fact that we agree on something!

              Obviously that's not allowed...

    5. Anonymous Coward

      Re: And nothing much will change for 95% of companies

      > GDPR doesn't apply to territories. It applies to EU citizens.

      You have that 100% backwards. GDPR applies to processing of data concerning people who are physically present in the EU. Citizenship has absolutely nothing to do with it. An American on holiday in France has his data protected by GDPR when it's being processed by an EU company.

    6. Anonymous Coward

      Re: And nothing much will change for 95% of companies

      The GDPR applies to all individuals who are in the EU.

      https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en

    7. Anonymous Coward

      Re: And nothing much will change for 95% of companies

      "GDPR doesn't apply to territories. It applies to EU citizens."

      First off, you appear to be referring to the EU GDPR. There is now also the UK GDPR (since the end of the transition period). Currently the UK GDPR is a copy of the text of the EU GDPR with all references to the EU crossed out and UK Government written in. The "risk" is that the UK Gov is making noises about changing the UK GDPR at which point it will diverge from the EU GDPR and risk the current EU's adequacy "finding" being removed.

      Secondly the EU GDPR applies to EU citizens' personal data no matter where they are in the world (with some caveats), but *also* applies to the processing of personal data within the EU borders regardless of whether that processing is of EU or non-EU citizens.

      For example if a company based in Germany is only processing the personal data of Turkish people it still needs to comply with (aspects of the) EU GDPR.

      Likewise if a USA-based/headquartered company is processing the personal data of EU citizens it *may*, in some cases, be required to comply with aspects of EU GDPR (depending on whether it has operations/subsidiaries in the EU, whether it targets EU citizens located in the EU, etc). Obviously whether the EU could actually take action regarding any breaches of EU GDPR by a non-EU based company is another matter completely, that's why there's the requirement for such a company to appoint an EU-based Representative.

      "Given that we have Northern Ireland as part of the UK, no company can operate there as an employer without having to adopt GDPR as their minimum standard for data processing."

      To clarify, a Northern Ireland-based company already has to comply with UK GDPR. In your scenario they would perhaps in some cases have to comply with EU GDPR.

      "And given that the Common Travel Area allows Irish citizens - who are also EU citizens - to work in the UK, this then extends to the rest of Great Britain."

      This may require such NI-based and GB-based companies to comply with EU GDPR and to appoint a Representative in the EU if they do not have an EU-based subsidiary.

      "The only way to avoid GDPR in the UK is to simply not trade with, employ, or provide services to anyone Irish. Which is hardly practical."

      Again you mean "avoid EU GDPR".

      Also how would, for example, a NI-based company avoid this scenario when they have not seen their customers' passports (including those born in NI who hold either an Irish or both Irish and British passports)? Indeed some people may not possess a passport at all (a passport is an indication of nationality, not a requirement to hold such nationality).

  5. Andy E
    FAIL

    Additional and unnecessary costs

    Developing a DP regime that substantially differs from GDPR will add additional and unnecessary costs to the businesses and organisations that have to comply with its requirements.

    I can't see what the attraction is, except to monetarize and share the data subjects' personal data without their knowledge or consent (that's the "innovation" bit).

    1. Haff
      Big Brother

      Re: Additional and unnecessary costs

      The attraction is the additional costs, and the ability to make money from them with new companies owned and run by the wives and family of the ministers.

      1. BebopWeBop
        Megaphone

        Re: Additional and unnecessary costs

        And mistresses, mentioning no names.

    2. Nick Ryan Silver badge

      Re: Additional and unnecessary costs

      It's definitely about making money, not "innovation". After all, these are the elected criminals that think that it is perfectly reasonable to sell country-wide personal medical data to the US pharma industry and to control this through a paper based time limited "opt-out".

    3. iron Silver badge

      Re: Additional and unnecessary costs

      The attraction is obvious, Peter Thiel promised Boris a nice shiny ring if he increases the ability of Palantir to spy on everyone. I hear he has nine such rings to give away.

    4. Anonymous Coward

      Re: Additional and unnecessary costs

      Or it's another performative act by a government used to making pronouncements to their voting base that in reality have little effect other than to make life difficult but look good as Daily Mail headlines.

      ie another populist move to appeal to those who are fond of phrases like "it's data protection gone mad I tell you".

      1. Dan 55 Silver badge

        Re: Additional and unnecessary costs

        "Mr Johnson, tear down those cookie banners!" cry the Mail and Express (previously briefed by government).

        GDPR has nothing to do with cookie banners, that's the EPD, but it's a good excuse to get the low-information electorate cheering while more rights are removed.

    5. BOFH in Training Bronze badge

      Re: Additional and unnecessary costs

      I have visited EU before, but not UK.

      If I was creating a business, my first priority will be GDPR, followed by whatever UK wants.

      Simply cos the size of the population at both locations, and so the number of potential users / clients / etc.

  6. Peter D

    Improve data sharing between public bodies...

    When I was a civil servant 40 years ago hardly any data sharing between government departments was allowed. For low clearance staff departments had no access to criminal records and instead personnel departments collected press cuttings relating to staff with convictions. When I later worked on computerising HR functions of a department I was amazed at the number of people whose careers had been stopped in their tracks without their knowledge because they were unlucky enough to have a local reporter write up their conviction. Now the pendulum is swinging too far in the other direction.

    1. Anonymous Coward

      Re: Improve data sharing between public bodies...

      the proof of the swing in the wrong direction being the current government...

  7. stewwy

    So what are the tropes indicating a bad company to work in

    Not invented here syndrome

    Let's reinvent the wheel

    Basically anything Pointy haired boss

    I think we have a cabinet and leader who have taken the pointy haired boss as a role model.

    1. iron Silver badge

      If only Boris were as lucid as the PHB. He's more like a cross between the CEO and Wally.

      1. a pressbutton

        So who is Dogbert?

        1. BebopWeBop

          D Cummings?

  8. Anonymous Coward

    Data Protection howler from Health Service org

    In related news, today I finally received, via FOI request, an HSC (Northern Ireland version of "NHS") organisation's written response to an ICO letter (relating to a case I opened with the ICO):

    "Let me start by apologising unreservedly for any confusion caused by previous correspondence in this matter. There clearly has been a misunderstanding collectively on our part on the legal basis applicable for use by ECR since the project was initiated."

    That is the org responding to the ICO's demand that the org provide documentary proof that the project used the claimed lawful basis for the processing (including sharing) of sensitive personal (health) data of the whole (approx. 1.9 million) NI population since 2013, despite multiple sets of evidence (DPIAs, Privacy Notices, Data Sharing Agreements, emails, public information) to the contrary.

    Basically they're admitting "no one here knows what lawful basis we've allegedly used since July 2013" - which then means that all the health-sector organisations (Trusts, GP Practices, Dentists, Pharmacists, etc) participating in this project have been breaching both the UK DPA 1998 (for 2013-2018) and GDPR/UK DPA 2018 (for 2018-the present day) on a daily basis since July 2013.

    This organisation has also ignored the ICO's written demand to produce said documentary proof within a 14-day period (it's now 23 days beyond the end of that period). The ICO case officer apparently does not want to escalate yet to submitting an "Information Notice" (a legal demand to produce the requested information).

    UK government agencies see Data Protection Law as a "blockage" that needs to be removed so that they can share all the personal data they have between all departments. The only reason we have any GDPR protections was due to the UK's membership of the EU at the time of GDPR's introduction. Now the UK Gov is starting to remove those protections step-by-step.

    Things are not helped by the fact that the ICO is an ineffectual regulator and does not have the "regulatory appetite" to adequately enforce data protection law.

    1. graeme leggett

      Re: Data Protection howler from Health Service org

      Does not knowing what lawful basis they used mean the data was shared unlawfully? Or that they broke the law in not correctly recording it?

      1. Anonymous Coward
        Anonymous Coward

        Re: Data Protection howler from Health Service org

        "Does not knowing what lawful basis they used mean the data was shared unlawfully? Or that they broke the law in not correctly recording it?"

        As per Data Protection law "they" (the participant organisations involved in the sharing) were required to identify (i.e. decide upon) one, or more, lawful bases for processing personal data and one, or more, lawful conditions for sharing sensitive personal data (i.e. health related).

        That they failed to document said identified lawful bases and conditions, in this case via the project/system's Data Sharing Agreement (DSA), means they cannot prove (i.e. to ICO) that they reached any such decision. The burden of proof lies with them.

        If they never identified any lawful basis (and lawful condition in this case as they are processing health data) then they have clearly acted unlawfully.

        It is further complicated for them as there is not just a single organisation involved. There needs to be a form of Data Processing Agreement (DPA) in place between organisations (whether for Controller-Processor or Joint Processor relationships), and that document must contain information regarding lawful bases/conditions, as it forms one of the "strands" that governs the data protection relationship between the orgs. All the orgs need to understand what they are agreeing to, so that information must be in whatever DPA document they sign. For this particular system/sharing their DSA acts as the required DPA document.

        The IT system enables the sharing of personal health data between 500+ organisations, and its DSA governs the operation of the system as well as the participants' involvement (i.e. sharing) with the system. However, the agreed versions of the DSA never defined *any* lawful bases or lawful conditions used (and therefore none were agreed by the parties). As the DSA is the sole legal "framework" for any such sharing to occur, the lack of definition of lawful bases and conditions means any sharing has never occurred in a fashion compliant with Data Protection law and therefore has been unlawful.

        Other related documentation such as multiple DPIAs, Privacy Notices, etc. each refer to differing lawful bases/conditions allegedly being used. Basically the orgs (well, actually the org running it on behalf of the others) can't even tell a consistent story; every document they produce, every letter they write, tells a different story.

        Additionally, as approx. 470+ of those organisations allegedly party to the DSA have never actually seen/agreed/signed the DSA, any sharing that those organisations performed, or use they made of data shared by the other orgs (who did agree to the DSA) via the system, has been unlawful. Likewise the orgs that did agree to the DSA are on the hook (i.e. as Joint Controllers) for the use they made of data shared by the orgs who never agreed to the DSA.

  9. Anonymous Coward
    Anonymous Coward

    Misdirection and Window-Dressing......

    Quote: "...replace the EU's General Data Protection Regulation (GDPR) to ease the burden on business with an approach to data protection that encourages innovation while retaining protection of personal data and privacy...."

    Quote: "...creating a data protection framework that is focused on privacy outcomes rather than box-ticking...."

    Quote: "...the UK will go its own distinctive way with data protection..."

    Link1: https://www.bloomberg.com/features/2018-palantir-peter-thiel/

    Yup....Palantir now contracted to work on the NHS!!

    Link2: https://www.theregister.com/2022/01/10/ipco_report_2020/

    Yup....GCHQ "keeping us safe"....by ignoring UK Laws!!

    Link3: https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds

    Yup...the usual excuse "The data is anonymised".....is a lie....see Link1.

    So....who do you believe?

    My take: GDPR is (still) a joke......

    ....and the proposals reported here are misdirection and window dressing.......

    Link4: https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

    Yup....Scott McNealy got it right twenty-three years ago.......

  10. Potemkine! Silver badge

    Cool!

    The fewer UK competitors there are, the better it is for European companies in EU markets. So please, may the Tory government change the rules and make things more complicated and expensive for British companies.


Biting the hand that feeds IT © 1998–2022