SCRAPPING THE ACCOUNTABILITY FRAMEWORK

2.2 Reform of the Accountability Framework

The Government is proposing to scrap the UK GDPR accountability framework, and replace it with privacy management programmes.

These proposals undermine the accountability principle: where the UK GDPR required organisations to demonstrate compliance, privacy management programmes will allow organisations to freely assess the legal requirements they should follow. The burden to demonstrate that irresponsible or malicious organisations did not implement compliance or accountability requirement will be shifted to their victims or the ICO.

In our answer to Q2.2.1, we explain how:

• The UK GDPR accountability framework is already flexible and risk-based.
• Clear and prescriptive accountability rules promote legal certainty. However, and contrary to Government opinion, they do not result in a box-ticking exercise.

In our answer to Q2.2.2, we explain how:

• Responsible organisations will still be expected to perform similar tasks to those required under the UK GDPR, but with reduced legal certainty.
• Irresponsible and malicious organisations will benefit from easy-to-game privacy management programmes and their grey areas.

In our answer to Q2.2.3, we explain how:

• Individuals will loose legal tools that have already proven to be helpful against abuses.
• Irresponsible and malicious organisations will exploit the loopholes in privacy management programmes to avoid accountability.

The government is proposing to implement a more flexible and risk-based accountability framework which is based on privacy management programmes.

Q2.2.1. To what extent do you agree with the following statement: ‘The accountability framework as set out in current legislation should i) feature fewer prescriptive requirements, ii) be more flexible, and iii) be more risk-based’?

We strongly disagree that “The accountability framework as set out in current legislation should i) feature fewer prescriptive requirements, ii) be more flexible, and iii) be more risk-based”. The UK GDPR is already flexible and risk-based (Q2.2.1). Prescriptive accountability rules fosters legal certainty and enforceability, and they must be retained.

Q2.2.1a. Please explain your answer, and provide supporting evidence where possible.

The UK GDPR accountability framework is already flexible. Organisations (Controllers) are required to “implement appropriate technical and organisational measures to ensure and to” demonstrate accountability. These measures must be proportionate to “the nature, scope, context and purposes of processing”. These means that

• Encryption, pseudonymisation, and other security measures (Article 32 of the UK GDPR).
• Data protection policies (Article 25(2) of the UK GDPR).
• Contractual safeguards for Controller-Processor relationships (Article 28(3) of the UK GDPR).
• Records (Article 30 of the UK GDPR).

are all measures that can be implemented or not, according to the specific circumstances of the case. In particular, organisations that have less than 250 employees are not required to keep Records.

The UK GDPR accountability framework is already risk-based. There are a number of tasks that organisations (Controllers) must carry out only if there is if a certain risk threshold for individuals and their rights is met. These requirements are:

• Data breaches need to be notified to the ICO only if they present any risk for the individuals concerned (Article 33 of the UK GDPR). Individuals must be informed only when the data breach is likely to result in a high risk for his or her rights and freedom (Article 34 of the UK GDPR).
• Data Protection Impact Assessments must only be carried out for high-risk activities (Article 35 of the UK GDPR).
• Prior consultation with the ICO is required only if the activity is high risk and adequate measures to mitigate that risk were not identified after conducting the DPIA (Article 36 of the UK GDPR).
• The appointment of a Data Protection Officer is needed only for organisations that are public bodies or authorities, or for another set of activities that inherently present a high risk for individuals.
• Small organisations need to keep Records only if there is a high risk for individuals’ and their rights (Article 30(5) of the UK GDPR.

Furthermore, general obligations under the UK GDPR are also influenced by the level of risk involved, as higher risk will demand stronger data policies and stronger data security measures.

The UK GDPR is prescriptive, and rightly so. Clear legal obligations promote legal certainty, in that it provides clear criteria that organisations can rely upon to demonstrate compliance. They also ensure enforceability, for the benefit of individuals seeking redress or authorities performing their oversight functions. Both aspects are addressed in our answer to Q2.2.2.

On the other hand, and contrary to the Government view at §139, prescriptiveness does not equal “box-ticking” compliance, exactly because proportionality, risk, and legal obligations interact with each other. In other words, you cannot “tick a box” if the risk for the individual’s rights and freedom has not been mitigated in practice. We are deeply worried that the Government analysis accompanying this proposal routinely mischaracterise and misinterpret the UK GDPR.

Q2.2.2. To what extent do you agree with the following statement: ‘Organisations will benefit from being required to develop and implement a risk-based privacy management programme’?

We strongly disagree that “Organisations will benefit from being required to develop and implement a risk-based privacy management programme” (Q2.2.2). Privacy management programmes will introduce significant legal uncertainty, without any appreciable benefit for responsible organisations. Irresponsible or malicious organisations, instead, will be able to exploit the grey areas of privacy management programmes for their own benefit.

Q2.2.2a. Please explain your answer, and provide supporting evidence where possible and in particular: Whether a privacy management programme would help organisations to implement better, and more effective, privacy management processes; Whether the privacy management programme requirement would risk creating additional burdens on organisations and, if so, how.

Responsible businesses benefit from existing accountability rules in that they are not only risk-based and proportionate, but also prescriptive. This provides them with clear requirements to fulfil.

If the Government were to scrap these requirements, responsible organisations would likely keep fulfilling the same tasks. Indeed, the Government provides a list at §159 of the consultation of the activities they would expect to be part of their privacy management programmes. These activities roughly overlap with existing accountability requirements. For instance,

• Instead of Data Protection Officers, organisations would be expected to designate individuals who are responsible for “overseeing the organisation’s data protection compliance” and “representing the organisation to the ICO and data subjects”.
• Instead of Records, organisations would be expected to produce “Personal data inventories”.
• Instead of Data Protection Impact Assessments, organisations would be expected to produce “Risk assessment tools for the identification, assessment and mitigation of privacy risks across the organisation”.

However, responsible businesses would now miss regulatory reference as to the qualities and the independence requirements of the “designated individual”, the kind of information that needs to be included in personal data inventories, and when and how to assess risks. Instead, the UK GDPR provides these references in the articles related to Data Protection Officers, Records, and DPIAs.

On the other hand, introducing privacy management programmes will greatly benefit irresponsible businesses by providing a useful tool to evade accountability and shred the evidence of their malpractice. We provide evidence and further explanation in our answer to Q2.2.3.

Q2.2.3. To what extent do you agree with the following statement: ‘Individuals (i.e. data subjects) will benefit from organisations being required to implement a risk-based privacy management programme’?

We strongly disagree that “Individuals (i.e. data subjects) will benefit from organisations being required to implement a risk-based privacy management programme” (Q2.2.3). On the contrary, individuals will lose legal tools that have proven invaluable to hold offenders to account and obtain remedies against the violation of their rights. Instead, irresponsible and malicious organisations will greatly benefit from privacy management programmes that are easy to game and can be used to operate with impunity.

Q2.2.3a. Please explain your choice, and provide supporting evidence where possible.

Please share your views on which, if any, elements of a privacy management programme should be published in order to aid transparency.

What incentives or sanctions, if any, you consider would be necessary to ensure that privacy management programmes work effectively in practice.

Accountability requirements under the UK GDPR played a significant role in allowing individuals to enforce their rights against offenders. For instance:

• The NHS Free Trust and Google DeepMind failed to implement adequate contractual safeguards to regulate their Controller-Processor relationship. They also failed to conduct a DPIA, and to notify the ICO.¹ These requirements are now proving fundamental to hold them accountable for the seizure of 1.6 million health records.²
• UK residents were able to challenge in Court the adoption of live facial recognition.³ The Court found that a Data Protection Impact Assessment was not properly conducted, thus denying legitimacy to the deployment of a dystopic real-time surveillance system.
• The first Data Protection Impact Assessment of the NHSX Contact Tracing App was key in exposing serious security and privacy flaws.⁴ This helped to persuade the Government to scrap their original plans, and develop a more privacy-preserving digital contact tracing system in its stead.⁵
• Test and Trace was successfully challenged via pre-action protocol, and led to the Government admitting that the test had been run illegally.⁶ Legal requirements regarding Data Protection Impact Assessment held the Government to account for their failure. If carried out, it would have likely prevented incidents such as data breaches,⁷ distribution of sensitive information via social media channels by staff,⁸ or sexual harassment perpetrated by bartenders with contact tracing details of their customers.⁹

This list was drawn from notorious incidents, and it is far from been exhaustive. However, it does prove that legal certainty around accountability requirements is instrumental for protecting individual rights against irresponsible or malicious organisations.

On the other hand, the vague nature of the duties organisations are expected to perform in their privacy management programmes would deny useful grounds to victims seeking redress, while providing impunity to offenders. In the examples made above, offenders would be able to claim that they implemented a “privacy management programme which includes the appropriate policies and processes for the protection of personal information”, or that they relied on “risk assessment tools for the identification, assessment and mitigation of privacy risks across the organisation”.

This is more than a suggestion: asked about their failure to conduct a DPIA for Test and Trace, the Health Secretary held during a parliamentary Q&A that the Government carried out other three DPIAs that “cover all of the necessary”, and that the Government would not be held back by bureaucracy.¹⁰ This shows how legal uncertainty about what do these requirements mean in practice would allow irresponsible or malicious organisations to contest their legal responsibility and shield themselves from accountability.

Furthermore, and contrary to the Government opinion at §157, guidance by the ICO would not provide a solution to this issue, where:

• Responsible organisations already benefit from legal certainty thanks to the accountability regime of the UK GDPR. Scrapping this regime in favour of privacy management programmes and then producing regulatory guidance would just leave them in the same position they were under the UK GDPR.
• Irresponsible or malicious organisations would always be able to contest in Court that ICO regulatory guidance is “not the law”, and thus they can decide not to follow it if they think the ICO made a wrong assessment.

Finally, it is true that a Judge could eventually find that the “privacy management programme” conducted by the offender was not adequate. Even then, privacy management programmes would still represent a significant shift in terms of the burden of proof and grey areas that malicious actors can leverage.

1ICO, Royal Free – Google DeepMind trial failed to comply with data protection law. Available at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/07/royal-free-google-deepmind-trial-failed-to-comply-with-data-protection-law/

2The Register, Brit law firm files suit against Google and Deepmind over use of hospital patients’ data. Available at: https://www.theregister.com/2021/09/30/royal_free_deepmind_representative_action_uk/

3Liberty, Libertywinsground-breakingvictory againstfacial recognition tech. Available at: https://www.libertyhumanrights.org.uk/issue/liberty-wins-ground-breaking-victory-against-facial-recognition-tech/

4Michael Veale, Analysis of the NHSX Contact Tracing App ‘Isle of Wight’ Data Protection Impact Assessment. Available at: https://osf.io/preprints/lawarxiv/6fvgh

5BBC, UK virus-tracing app switches to Apple-Google model. Available at: https://www.bbc.com/news/technology-53095336

6BBC, Coronavirus: England’s test and trace programme ‘breaks GDPR data law’. Available at: https://www.bbc.com/news/technology-53466471

7BBC, Coronavirus: Serco apologises for sharing contact tracers’ email addresses. Available at: https://www.bbc.com/news/uk-52732818

DigitalHealth, Welsh data breach exposes information of Covid-19 patients. Available at: https://www.digitalhealth.net/2020/09/public-health-wales-data-breach-covid-19/

The Guardian, NHS Covid jab booking site leaks people’s vaccine status. Available at: https://www.theguardian.com/world/2021/may/06/nhs-covid-jab-booking-site-leaks-peoples-vaccine-status

8The Times, Coronavirus contact tracers sharing patients’ data on WhatsApp and Facebook. Available at: https://www.thetimes.co.uk/article/coronavirus-contact-tracers-sharing-patients-data-on-whatsapp-and-facebook-rg3zqn5l6

9The Telegraph, Test and trace is being used to harass women – already. Available at: https://www.telegraph.co.uk/women/life/test-trace-used-harass-women-already/

10Source: https://twitter.com/OpenRightsGroup/status/1285260608875700225