The Office of the Information Commissioner (ICO) has announced its response to the Department of Digital, Culture, Media and Sports (DCMS) data consultation. A new direction for considering data protection rules after Brexit.
In response, regulators seem to think the consultation is like a curated egg, partly good, partly a bit uncomfortable, and at times rotten.
In the preamble, Information Commissioner Elizabeth Denham said, “It is important to enable the UK to adapt to the future and take a leading role in the global digital economy. Hence, this review and its back. I support a certain intention.”
But she adds: “Once a proposal is made, the devil becomes more elaborate.”
One of the details that the ICO strongly opposes is DCMS’s proposal to directly appoint a regulatory CEO.
“For future ICOs to be accountable to governments, their governance models will remain independent and can be effectively accountable within a framework set by Parliament. Essential,” writes Denham.
“The current proposal by the Secretary of State to approve ICO guidance and appoint a CEO does not adequately protect this independence.”
On the other hand, given the scope of observation, he welcomed the move to strengthen the governance model of data regulators.
“The Legal Audit and Supervisory Board, which has an independent chairman and CEO, is better suited to the role of the ICO as a regulator of the economy as a whole and the public sector with a wide range of national and international responsibilities.”
“Innovation is possible without the threat from high data protection standards,” Denham said of the importance of strong and independent regulators in how the UK will look globally. where did it go.
The ICO also welcomes suggestions to help organizations comply with the rules, but urges them to be careful not to over-balance. For example, cookie banners cause opt-out fatigue and need to be simplified, but removing prior consent to all types of cookies is not the answer.
Similarly, regulatory agencies welcome a review of Article 22 of the GDPR, which covers the rights of individuals who are not subject to decisions based on fully automated processing. It can provide clear guidance, but confirms that it should not be removed. UK data protection law, as the government clearly wants it.
“We do not agree with the Task Force on Innovation, Growth and Regulatory Reform. We need to remove the right to human review. Human beings make decisions that can have a fundamental impact on our lives. The right to review has been part of data protection legislation for many years, including before the GDPR. “
A better way is said to be looking at ways AI can improve accountability, fairness and transparency.
The government is also proposing to do away with the need to appoint a Data Protection Officer (DPO) for medium and large businesses.
The ICO agrees that the current requirements are overly standard, but “as a result of the changes, links to the independent advice, skills, leadership and board-level governance provided by DPOs have been lost. It is important not to do so.”
Furthermore, if the legitimate interests of an organization apply for the processing of personal data on legal grounds, and if the government proposes simplification of compliance, ICOs would be excessively easy to harm citizens. I warn you not to change.
“We are concerned that the types of processing are too broad to provide the necessary certainty, as are currently being discussed.”
Elizabeth Denham will be replaced by John Edwards, who held the equivalent position in New Zealand.