In light of the investigation currently being undertaken by the Information Commissioner into Facebook and Cambridge Analytica, I thought it was worthwhile considering some of the relevant provisions of the Data Protection Bill as it currently stands.
One of the issues that has arisen is the apparent inability of the Information Commissioner to obtain a warrant for entry and inspection of Cambridge Analytica’s offices; I’ve already looked at the Commissioner’s current powers to obtain such a warrant under the Data Protection Act 1998 generally. Schedule 15 to the Data Protection Bill deals with the Commissioner’s powers of entry and inspection; it sets up the same scheme that is currently in place in terms of Schedule 9 to the Data Protection Act 1998. There have been some comments about the need for the Information Commissioner to give 7 days’ written notice demanding entry before applying for a warrant; but as I noted in my blog post earlier this week, the judge can grant a warrant without those conditions having been met in certain defined circumstances. Whether this process causes confusion for the Information Commissioner’s staff or not is only something that the Commissioner herself can comment on at this stage; however, it is not unusual for the Commissioner to obtain warrants – indeed her office executed a warrant in Scotland only yesterday.
Another part of the Data Protection Bill which may be of relevance is the provisions therein concerning the consent of children in relation to Information Society Services. The General Data Protection Regulation sets the age of consent at 16, but allows Member States to reduce the age to no lower than 13. Clause 9 of the Data Protection Bill currently provides that in the United Kingdom the age will be reduced from 16 to 13. Information Society Services include, but are not limited to, social media websites such as Facebook.
There are provisions within the Data Protection Bill which would require the Information Commissioner to prepare and publish, after approval, a code on age-appropriate design. This code can be taken into account by the Commissioner and the courts and tribunals, but the Bill provides expressly that failure to comply with such a code “does not of itself make that person liable to legal proceedings in a court or tribunal” (Clause 126(1) of the Data Protection Bill).
The provisions governing the age at which a child can consent to the processing of their personal data for Information Society Services has caused some concern during the Bill’s passage through parliament; it is ressonable to assume that the issue will come up again once the Bill reaches its final stage of the Parliamentary process in the House of Commons in light of developments over the past week.
Another clause in the Data Protection Bill which has caused some concern in light of the Cambridge Analytica revelations is the provision in Clause 6(e). What this provides for is that an “activity that supports or promotes democratic engagement” is to be considered “processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority” for the purposes of Article 6(1)(e) of the GDPR. The Information Commissioner has raised concerns that this would legitimise the activities of Cambridge Analytica. This was inserted, as a Government amendment, during the Public Bill committee stage of the Bill’s passage through the House of Commons.
In moving the amendment, the Minister explained that “term has been deliberately chosen with the intention of covering a range of activities carried out with a view to encouraging the general public to get involved in the exercise of their democratic rights”. It may be that between now and the Bill being finally agreed to by the House of Commons that this provision is tightened up somewhat to ensure that activities like those carried out by Cambridge Analytica do not fall within the ambit of that clause.
I would tend to agree with the Commissioner’s assessment on the impact of clause 6(e) in relation to the sorts of activities we are concerned with in respect of the Cambridge Analytica and Facebook investigations. The clause is extremely wide and while it is subject to a necessity test, it is entirely possible that these activities could fall within the ambit of clause 6(e). The Government may well be wise to revisit clause 6(e) and see if it can be tightened up in any way to ensure that its scope is narrowed.
As can be seen, there are a number of issues concerning the Data Protection Bill (of which the above are only some) arising out of the Cambridge Analytical and Facebook investigations; it will be necessary to wait and see how, if at all, the House of Commons reacts and whether there are any changes to the Bill as a consequence.
If you require assistance with the General Data Protection Regulation or the Data Protection Bill; or any other information law matter, you can contact Alistair Sloan on 0141 229 0880. Alternatively you can E-mail Alistair. You can also follow Inksters dedicated Information Law Twitter account: @UKInfoLaw.