A Pivotal Event in Data Protection Law

The recently completed UK Department for Digital, Culture, Media & Sport (DCMS) Consultation on “Data: A new direction”  on revising the UK GDPR is a watershed moment.  The Consultation looks at whether GDPR based laws are truly serving the needs of an information society.  The DCMS forward states: “Our ultimate aim is to create a more pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards.” The consultation made tough suggestions on how the regulation might be improved. The IAF staff thought some DCMS suggestions were wise and believed some others would not be fully productive.  The IAF filed comments as part of that Consultation. The Consultation discussed scientific research, reiterated that research is a compatible purpose and suggested a specific mechanism to create a legal basis for that compatible purpose. In its comments, the IAF suggested:

  • A two-phased approach: knowledge creation – the generation of insights about individuals in general – and knowledge application – utilization of knowledge created on a specific set of individuals.  Our comments focused on creating a pathway forward for using data to create new knowledge through the data analytics process, consistent with the Consultation’s premise. 
  •  , Private sector research, knowledge creation should also be recognized as a legal basis.  To support this suggestion, the IAF used its comments on the Consultation to highlight that two-phased approach to advanced analytics (and AI), knowledge creation and knowledge application, have different impacts.  There is no impact on individuals from knowledge creation while there is an  impact on individuals from knowledge application  from actually using the knowledge to make decisions pertaining to a specific individual.  

These comments are consistent with the comments the IAF made on the EU draft AI Regulation.

We also commented on the Consultation’s suggestions that legitimate interests as a legal basis should include a limited set of legitimate interests that would not require a balancing test. The IAF suggested the impediment to legitimate interests was not the balancing test but rather the transparency responsibilities related to the right to object.

Our comments also included a discussion on regulator cooperation related to fair outcomes versus fair processing.   The Consultation suggested regulators other than the Information Commissioner should have jurisdiction on fair outcomes, such as discrimination in lending.  We suggested the ICO’s jurisdiction should be specific to assuring processing is fairly done to achieve fair outcomes and that the definer of what is a fair outcome should be left to other regulators with jurisdiction over those issues.

Lastly, the IAF agreed with the Consultation that a specific requirement for comprehensive accountability programs, such as found in Canada and Singapore, made sense.  However, we pointed out that the removal of requirements to conduct assessments is not necessarily prudent.

Our comments are consistent with the provisions of the IAF model legislation, the FAIR AND OPEN USE ACT.