Mega thread detailing some of the GDPR and PECR reforms that the UK government will be pursuing.
I'll see how far I get anyway.
Let's go 🧵
First, research.
The government is moving the definition of "research" from the recitals to the articles of the GDPR.
I'm sure someone will provide a reason to be upset about this but seems sensible enough to me.
Moving the research provisions around a BIT, but not as much as was proposed.
There will be NO new legal basis for "research".
Messing about with consent. The government will move bits of the recitals into the articles to "clarify" the "broad" nature of consent.
More leeway for researchers to conduct further processing without obtaining additional consent. This might be a bigger deal than it sounds.
Next onto the "further processing" section of the consultation.
The government will "clarify" the rules around further processing. This is likely to make re-using personal data easier.
Same goes for the definition of an "incompatible purpose". The government will "clarify" this in the primary legislation.
The government will clarify that if you collect data on the basis of consent, you can't use it for further purposes except under certain conditions.
This idea actually tightens the law up rather than liberalising it.
Next, legitimate interest reforms.
A reminder: the government proposed to remove the requirement to conduct a "balancing test" for processing on the basis of legitimate interest.
There would be a set of pre-determined purposes for which the balancing test was not required.
The government will be going ahead with this, initially for a limited set of purposes.
Initially controllers will not have to conduct a balancing test if they wish to use the legitimate interests basis to "prevent crime or report safeguarding concerns".
Next, on bias mitigation in AI.
The legislation will be amended to state that special category data can be processed for the purposes of preventing bias in AI.
The EU's AI Act contains a similar provision.
As predicted, ARTICLE 22 SURVIVES.
People will still be able to object to AI-driven decisions with legal or similarly significant effects.
However, looks like the government will be restricting its use to specific situations.
I need a break now.
Next, anonymisation.
The government will "clarify" (there's that word again) the definition of anonymised data.
"This could be where a living individual is identifiable by the controller or processor by 'reasonable means'..."
Hat tip to Convention 108+ in this section.
Privacy management programmes. This is a big one.
A lot of stuff that was previously mandatory for certain orgs will no longer be mandatory.
DPOs, RoPAs, DPIAs.
Usually the org will need to do something else instead that LOOKS similar but might be quite different in practice.
Details on what a privacy management programme actually IS are relatively scant.
But the consequence of pursuing this path is the removal of a lot of currently mandatory stuff.
How much difference this makes in practice is up for debate.
Some further details on the "designated individual" that would replace DPOs.
As far as I can see, there is no suggestion that it will be prohibited to discipline a designated individual for actions taken in the course of carrying out their tasks (as is the case with DPOs).
Similarly, mandatory DPIAs will be replaced by mandatory *something*, and DPIAs will remain a valid sort of risk assessment.
And RoPAs are dead but long live "personal data inventories... which describe what and where personal data is held, why it has been collected and how sensitive it is..."
Orgs will no longer HAVE TO consult with the ICO before conducting high-risk processing activities.
This confirms that the government is implementing all its proposals in this section of the consultation, in some form.
The government is NOT planning to mimic Singapore's "Active Enforcement" regime.
Perhaps there were copyright issues.
NO CHANGE to data breach notification thresholds.
The government planned to permit orgs not to report data breaches if the likely damage would be "not material". This would have been a syntactical travesty if nothing else.
The government will NOT be introducing a standard charge for subject access requests.
But it will be lowering the threshold at which orgs can refuse or charge for a request from "manifestly unfounded or excessive" to "vexatious or excessive".
COOKIE TIME
The UK will move towards an opt-out model of cookie consent for ALL cookies.
Of course this would involve geo-restricting cookie banners in the UK. Not sure how many international orgs would do this (genuinely).
The soft opt-in for direct marketing will be extended to non-commercial organisations such as charities.
Seems fair enough? I'm waiting for someone to tell me that it isn't.
Nuisance calls: The ICO will be able to account for the number of calls GENERATED rather than the number of calls CONNECTED when setting penalties.
Communications providers will have a "duty to report" "suspicious levels of traffic on their networks" to the ICO.
PECR fines will now match GDPR fines.
There's understandably some confusion re: OpenAI and Italy.
• It's not about privacy per se but how OpenAI uses personal data.
• The regulator has not mentioned consent.
• The order was to stop using data about people in Italy. Not just to stop providing ChatGPT there.
1/2
The issues include allegedly:
• Lacking a "legal basis" for processing personal data
• Processing inaccurate personal data
• Failing to verify whether users are children
OpenAI has 20 days to explain how it will fix these issues.
I'm not sure how it will comply with this.
Going a bit deeper:
OpenAI will probably argue it relies on "legitimate interests" to process personal data.
It will rely on an exemption to the GDPR's transparency requirements, such as that the data was public or that providing notification would be a disproportionate effort.