New data privacy rights under the General Data Protection Regulation depend on a UK consultation which tells readers nothing about its implications
The General Data Protection Regulation (GDPR) sets out many new rights for UK citizens, including better notions of consent, the right to obtain and download your information, and the right to have a company delete it. You can also find out more about profiling and automated decision-making. There are big fines available when companies don’t comply after it comes into force in mid-2018.
However, many of the new rights will depend on enforcement. One of the better ideas in the regulation is to allow privacy groups to represent citizens in complaints, without having to find specific people who have been directly affected. The GDPR requires member states to choose to allow this, or not, in Article 80(2). We of course very much believe this should be legislated for.
However, this consultation is another very disappointing piece of work. Shoddy, even, because it calls for evidence and views, but sets out no background at all for the consultation, so only experts can practically respond. It merely states:
Theme 9 - Rights and Remedies
Rights and Remedies
The derogations related to Rights and Remedies include articles:
Article 17 - Right to erasure ('right to be forgotten')
Article 22 - Automated individual decision-making, including profiling
Article 26 - Joint controllers
Article 80 - representation of data subjects
Government would welcome your views on the derogations contained in the articles above. Please ensure that you refer to specific articles/derogations.
There is no way that an average reader could understand the implications of this consultation, which, just like the recent Home Office consultation on the IP Act Codes of Practice, means that the consultation appears to breach Cabinet Office guidelines, which state that consultations should:
Give enough information to ensure that those consulted understand the issues and can give informed responses.
This consultation provides exactly no background information whatsoever. You wouldn’t begin to understand that they want to know if you are in favour of privacy organisations being able to make complaints to the ICO under Article 80, or not.
We feel sympathy for the staff at DCMS who have been asked to set out this consultation, and presumably have been prevented from spending time developing background documents due to capacity constraints. This should serve as a warning to us.
Once Brexit kicks in, DCMS staff will need to be able not just to recycle existing policy advice from EU and other organisations on legislation prepared elsewhere, but also to have the expertise to evaluate it and recommend changes. Under the Great Repeal Bill, they may have to advise ministers about things to remove, with little Parliamentary involvement — potentially including aspects of the GDPR of course.
Right now, however, DCMS officials appear to lack the capacity to even produce decent consultation documents for key privacy laws like the GDPR. Ministers should be demanding more resources, or we will start to see serious policy mistakes being made.