1) The UK Government published their plans to water down GDPR. It is bad, incredibly bad. My first reaction on @OpenRightsGroup blog, but if you scratch under the surface it gets even worse. You won't believe how bad it is.
Thread below
Thread below
https://twitter.com/openrightsgroup/status/1436264258061447173?s=21
2) First things first, Government purports the new framework as intended to ‘maintain high data protection standards’. Except that, in their consultation they NEVER, EVER touch upon or seek views on how to strengthen protection for individuals. 
3) Moving to funnier stuff, the UK new framework manages to scrap data protection in its entirety with one, single blow. It introduces a legal ground to ‘improve services for customers’
4) If you work in data protection, you know that ‘we process your data to improve our services’ is a practical joke, i.e. the single, most abused buzzword the industry uses when they're doing something bad. This will be made legal under UK Government plans.
5) The new framework also wants to introduce fees to exercise data subject access requests. I will spell it you: you will have to pay money to exercise your data rights and access personal data held by *all data controllers*.
6) The UK Government also wants to dictate ICO priorities, and have the power to amend the Information Commissioner's salary without Parliamentary scrutiny. In other words, they want to put the ICO under Government direction.
7) Govt will control the ICO directly, by setting their agenda, and indirectly, by retaining the ability to retaliate against Commissioners who do not please Government, and award Commissioners that do what Government want. We remind you that the ICO is supposed to be a watchdog
8) Also, Government would allow solely automated decision making based on legitimate interest. Organisations will be able to take life-changing decisions about you in a black box, insofar it fits the new legal grounds (such as reporting criminal acts, or improving services)
9) Elizabeth Denham G7 proposal for binding privacy signals lasted very little. This would be too inconvenient for surveillance advertising crooks, and unnecessary: they now have a handy legal ground for processing data and ‘improve customers experience’ (see n. 3,4).
10) Of course, this also means that adtech companies won't need to ask you whether you want to be tracked or not. They don't need it anymore. After displaying bad faith for years, the adtech industry is getting their free-of-jail card.
11) There are other funny stuff, such as the removal of accountability requirements. Organisations will be free to shred the evidence that they did something wrong. In its stead, they will have to organise privacy trainings.
12) Further, data breaches will need be notified only when the risk to individuals is material. No seriously, I don't even feel like commenting on this one.
13) Just to make sure you can't hold a Controller accountable anymore, you will have to demonstrate that you tried to negotiate a solution with the offender before reporting it to the ICO. The ICO was in dire need of another ground to arbitrarily dismiss complaints (sarcasm).
14) Of course, organisations will have to demonstrate they have complaint procedures in place, but we also saw that they have limited need to keep records anyway (see n. 11). What could possibly go wrong?
15) To conclude, Government proposed deregulation of the GDPR confirms an old saying: no good story ever started with someone saying ‘we will cut red tape’.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
