Part 6.2 – Enforcement
The second half of the enforcement section of the Data Protection Act 2018. Just really looking at the basic functions of appeals, complaints and liminal cases.
Section 162 – Rights of appeal
A lot of words saying that if you are given a notice in any of its guises you can appeal.
Section 163 – Determination of appeals
The tribunal undertakes the determination of the appeal and can if they so choose to cancel the Commissioner’s determination. That could be a fun time.
Section 164 – Applications in respect of urgent notices
If there is an urgency statement on the notice you received then you can appeal to the court in respect to the whole appeal or just the urgency section.
Section 165 – Complaints by data subjects
People can complain. Perhaps they weren’t counting on the fact that people will complain regardless?
Section 166 – Orders to progress complaints
The Information Commish has 3 months to respond or update on the progress of a complaint or the tribunal can step in and give the commissioner a stern look.
Section 167 – Compliance orders
A court can issue an order that compels you to become compliant with the Data Protection legislation if a complaint is found by a court to be legit. There doesn’t appear to be any mention of appealing this though.
Section 168 – Compensation for contravention of the GDPR
Yay, you can get compensation for distress. I’m glad that is well defined. How do I put in my complaint against any and all companies that have my data in the hopes that someone isn’t complaint and then I can be in fear for my life because…duh, duh, duh…Hackers!
Section 169 – Compensation of contravention of other data protection legislation
I love how all of a sudden this legislation gets vague on compensation. Words like damages or distress are thrown around with no definition.
Section 170 – Unlawful obtaining etc of personal data
It is unlawful to go get a copy of personal data, there are a few exceptions here, however there appears in my mind to be a large flaw. Data can be gotten to remotely. So why don’t we look at getting extra national companies to acquire and make public personal data. Once the data is made public it is no longer personal as it has been made public regardless of the fact that a controller or data subject didn’t want it to be public. Then once everything is public we can just move on with life with no one to blame because foreign hackers are never caught. With the exception of Kim Dot Com, that is. Don’t screw with the American media industry.
Section 171– Re-identification of de-identified personal data
This is a bit difficult for me to get my head around. It looks like it is illegal to attempt to re-identify data that has been stripped of its identifying factors. So if I anonymize data and someone re-engineers the data to identify individuals then instead of that being a defence for myself, both myself who allowed the breech to happen and the person that committed it would be at fault.
Section 172 – Re-identification: effectiveness testing conditions
Apparently you can re-identify data if you are doing it because of good reasons? I’m wondering if they needed to think this through a bit more before just putting this vague stuff here in law.
Section 173 – Alteration etc of personal data to prevent disclosure to data subject
Another weird one. It is an offence to alter data held tin order to block the ability of data subjects their rights to access and the like. My first thought is anonymization is now illegal, but I’m thinking the gist is if you are doing it expressly to not have to give rights to a data subject. So if you are doing it post request maybe?
Section 174 – The special purposes
If you are doing it for journalism, academics, arts or literary reasons then you can have a free pass.
Section 175 – Provision of assistance in special purposes proceedings
If you are using special purposes as a defence then you can ask the Information Commissioner to step in and help with your situation. They don’t have to, but you can ask.
Section 176 – Staying special purposes proceedings
The court can stay special purpose proceedings if they need the Information Commissioner to make a determination first.
Section 177 – Guidance about how to seek redress against media organisations
The Information Commissioner must provide guidance about how a data subject can make a complaint/bring charges against a media company.
Section 178 – Review of processing of personal data for the purposes of journalism
The Commish can review the process journalists use to process personal data.
Section 179 – Effectiveness of the media’s dispute resolution procedures
The Commish can also review the process journalists use to deal with dispute resolution.
Section 180 – Jurisdiction
Just details about which courts do what. In Scotland it is the Court of Session or the Sheriff.
Section 181 – Interpretation of Part 6
A whole section that links random terms to their respective definitions in other sections throughout the document. If this was object orientated code this would strike me as redundant.
All in all this is a piece of legislation for people to attempt to use to bash each other with. Given a year of GDPR on 25 May 2019 I’d love to see the numbers of complaints. How many, what types, and how long they took. It would make interesting reading.