Data Protection and Digital Information (No. 2) Bill

Written evidence submitted by John McVeigh, Principal Consultant, AssureMore (DPDIB10)

House of Commons Public Bill Committee

UK Parliament

London

Dear Sir/Madam,

I am writing to submit my input for your committee to consider in my capacity as a management consultant with significant experience in information security standards and data protection. I have been an Associate Consultant with the British Standards Institution (BSI) since 2017. As a representative of several overseas organisations, I am concerned that the proposed removal of the mandatory requirement for a UK representative (Clause 13 of the draft Bill) presents a number of risks without delivering the benefits claimed.

1.0 Executive Summary

· The information provided below makes it clear that removing Article 27 from UK GDPR would effectively remove a level of data protection that provides a range of benefits to individuals in the UK, businesses in the UK and overseas, the supervisory authorities and associated UK government departments.

· Data breaches discovered in the UK that are related to overseas companies would be at higher risk of receiving a slower response.

· Removal of Article 27 would not produce the societal, scientific and economic benefits which are rightly claimed for other parts of the Bill.

· There is little evidence in the Impact Assessment that compliance with Article 27 presents an "unnecessary barrier to responsible data use" by reputable overseas companies.

· When combined with other proposed changes to UK Data Protection legislation it also increases the risk of the EU Adequacy decision being revoked which would lead to significant administrative overheads and extra costs for a huge number of UK companies.

· Making such a change would be a backward step and is especially worrying in the context of current global uncertainty and some of these companies being based in less well-regulated countries and countries which have little interest in protecting UK data subjects.

· It is therefore recommended that Clause 13 is withdrawn such that the obligation for companies outside the UK to appoint a UK Data Protection Representative is maintained, as presently required in the current legislation.

2.0 Review of Explanatory Notes & Impact Assessment

2.1 Explanatory Notes

In support of Clause 13 (Removal of the requirement for representatives for controllers etc. outside the UK), the explanatory notes contain the following assertion: "Given that legal requirements for such communication already exist elsewhere in UK GDPR, the removal of Article 27 will allow organisations to decide for themselves the best way to comply with the requirements for effective communication under the legislation, which may still include the appointment of a UK based representative."

This statement is misleading as it gives the impression that Article 27 overlaps significantly with other parts of UK GDPR, which is not correct. Supervisory authorities in Europe have already made use of Article 27 specifically to hold companies outside Europe to account, which has in turn benefited the data subjects in a range of countries. Evidence of this is readily available and some details are provided below as illustrations (cf. the Dutch Supervisory Authority enforcement example in section 2.2). The statement also seems to ignore the elephant in the room, i.e. many companies outside the UK have a very poor attitude towards the rights of data subjects in the UK, and such companies are not the best judges of what constitutes effective communication.

Too little account has been taken of the issues involved and the problems that individuals can often come up against when trying to communicate with an organisation that is processing their personal data. The problem can often be that individuals are repeatedly ignored when they try to communicate with such organisations. I have a number of first-hand experiences of this myself as an individual living in the UK and I am happy to provide examples if needed. Further information relating to this issue is provided as follows.

Since the launch of GDPR, individuals in the UK have become used to being told how important many organisations regard their personal data: we hear it on telephone messages before we get connected, we see it on emails and websites, we see notices in shops and GP surgeries etc. Most individuals have by now gained a much higher level of awareness and some increased confidence in relation to how organisations should be treating their personal data. Many individuals are now aware that they can ask to see a privacy notice/policy and many are aware there will normally be a link for one on the home page of most UK websites.

In the case of an individual in the UK who has an issue with how their data is being processed by a UK based company, the company will normally have a privacy statement that provides contact details and outlines how they can raise the issue; it also normally outlines the additional option of complaining to the ICO.

If the individual in the UK is dealing with a company that is not based in the UK, it is much less probable that the information will be as clearly presented to them and it is likely that the individual will not be as sure of their rights. When that company is required to appoint a UK Representative and include the Representative’s contact details on their privacy statements, this provides a number of significant benefits including:

· It makes it easier for individuals in the UK to communicate in the same time zone and language and gives individuals increased confidence.

· It almost completely removes the situations in which individuals in the UK have their enquiries ignored by the company based overseas (since responding to such enquiries is a primary responsibility that the UK Representative is paid to fulfil and would be a crystal-clear legal requirement for the Representative in the UK).

· The reduced number of queries from individuals being ignored would be expected to lead to fewer issues being escalated for ICO attention, such that the ICO’s limited resources can be utilised more efficiently and focused on higher priorities. Conversely, removing Article 27 can be expected to increase the pressure on ICO resources and potentially also increase their costs.

· The process of engaging a UK Representative can in many cases also lead to improved data protection processes, as the UK Representative can highlight limitations/improvements that the company was previously unaware of.

· Appointing a UK Representative can also improve communications with supervisory authorities.

· In the event of a data breach that is discovered in the UK, it can also lead to the problem being addressed more efficiently, since the Representative is in the same time zone and there would be reduced chances of language or cultural hurdles. This can then reduce the impact of the data breach, benefiting the individuals in the UK and also the overseas company involved. This can also reduce the resource commitment required by the supervisory authority.

· The absence of a UK Representative on a company privacy notice (when one would be expected) can also provide a ‘red flag’ for any interested parties that have concerns with that organisation and make it easier to initiate appropriate actions to address the concerns.

· The absence of a UK Representative (when one is required) can also be used as a means for supervisory authorities to more easily hold overseas companies accountable. Evidence of this is available in the way that the Dutch authorities used Article 27 to hold the website LocateFamily.com accountable in May ’21 (more details in section 2.2 below).

2.2 Impact Assessment

Focusing next on the Impact Assessment, i.e. Data Protection and Digital Information Bill Impact Assessment, "Impact on firms on changes to Article 27 representatives" (pp. 172-174):

Paragraph 583 states "There is limited information and data on the benefits of having an Article 27 representative as it is a relatively new and untested requirement and also one that applies exclusively to businesses and organisations outside of the UK which makes gathering evidence very challenging. It is therefore difficult to ascertain precisely how successful the Article 27 representative is at facilitating effective communication."

Evidence of the benefits of Article 27 is readily available. For example, in May ’21 the Dutch Supervisory Authority fined a company based in Canada 525,000 Euro for not having an Article 27 Representative; further details are included in the Dutch Authority’s Press Release [1]. The article "Does the recent fine for a Canadian website without an EU representative signal a change in GDPR enforcement priorities" [2] outlines very clearly the many benefits of Article 27 to the various parties, including the data subjects and the supervisory authorities. Individuals in a number of different countries had complained about this company and nine other European supervisory authorities were involved in the investigation.

The potential benefits of an Article 27 Representative to the firm in this instance would have been multiple: it would have been much easier to contact them, they would have become aware of the need to take action much earlier, and engaging the Representative would certainly have improved their level of compliance. In addition, the process of engaging a Representative should have improved their data protection practices, potentially very significantly, to the point at which they may have avoided all these problems and the large fine.

In this example, the company appears to have paid little attention to international privacy regulations, resulting in a large number of complaints by individuals in different countries, despite being based in a well-developed and stable country. It is inevitable that there are many other similar companies around the world and that further problems of this kind will come to light in future. Having Article 27 in place will certainly help to tackle such instances, in the same way it very clearly helped the Dutch supervisory authorities in the LocateFamily example.

It is also worth considering what happens when UK individuals encounter such problems on a smaller scale and complain to the ICO. In cases where there isn’t a large number of complaints and the company is difficult to reach, would the ICO have sufficient resources to chase these up? If the company were not obliged to have a UK Representative, it would make things much more difficult (as illustrated by the LocateFamily example above) and individuals could end up badly disadvantaged as a result.

Re: Costs to firms (referenced in points 584, 585, 586, 588, 589, 590, 591, 593, 594, 595 in the Impact Assessment)

The previous version of the Impact Assessment contained details on costings that were excessive, some immensely so. While the latest version of the Impact Assessment has removed the most obvious flaws, the description of costs in the latest version is still overly complicated and potentially misleading.

Companies that simply perform a Google search for ‘UK GDPR Representative’ will very easily find a range of service providers offering relatively low prices (e.g. much lower prices than those quoted in the previous version of the Impact Assessment).

Furthermore, the majority of firms that would require a UK Representative would also require an EU Representative. Since some Representative service providers offer a service that covers both the EU and the UK at no extra cost, such firms would save nothing by the removal of Article 27.

Firms that provide the UK Representative service at no extra cost include ‘Data Rep’ [3], which is referenced in the latest version of the Impact Assessment; however, the information that there is no extra cost for adding the UK Representative service has not been included.

Similarly, in relation to the internal ‘Administrative burden’ referenced in the Impact Assessment, the majority of firms that would require a UK Representative would also require an EU Representative. This means that those firms would have corresponding administrative overheads for the EU Representative service anyway; any extra overhead for the UK Representative service would therefore be expected to be minimal and so the costs/administrative burden for that would be expected to be negligible.

Adequacy Decisions (referenced in paragraph 593 of the Impact Assessment)

While the removal of Article 27 on its own may not be sufficient to cause the EU adequacy decision to be revoked, it will be considered as divergence from EU GDPR, with potential negative impacts. Combined with other changes in the Bill, this would inevitably increase the risk of the current adequacy decision being revoked.

If changes to UK data protection legislation resulted in the EU adequacy decision being revoked, this would lead to significant extra overheads and extra costs for a huge number of UK companies. This would be extremely unpopular with the UK business community and would inevitably become a significant political issue.

3.0 Conclusions and Recommendation

The evidence presented above shows clearly that the removal of Article 27 compromises the high data protection standards that currently exist in the UK. The proposed benefits of removal are unlikely to provide the boost to trade that is one of the overall policy objectives of the Bill. It is therefore recommended that Clause 13 is withdrawn such that the obligation for companies outside the UK to appoint a UK Data Protection Representative is maintained, as required in the current legislation.

May 2023
Prepared 16th May 2023