Livin’ on a prayer

Nov 6, 2022

It seems like years, but about a month ago, the Secretary of State for Digital, Culture, Media and Sport gave a speech at the Conservative Party Conference. Michelle Donelan, who is at the time of writing still in post, announced that the government was still intent on reforming the UK GDPR and something would be happening on that subject soon. Though light on details of what that might actually be, Donelan coloured her speech with some interesting details.

Possibly the most eye-catching was her claim that current data protection legislation hampered small businesses: “At the moment, even though we have shortages of electricians and plumbers, GDPR ties them in knots with clunky bureaucracy.” She also made the following claim about the effect of GDPR on churches: “We’ve even had churches write to the department, pleading for us to do something, so that they can send newsletters out to their communities without worrying about breaching data rules.”

I was curious about all this, so I made an FOI request to the DCMS to find out about the basis of Donelan’s concerns. I asked what information the department held about the impact of GDPR on electricians and plumbers. The answer? “DCMS does not hold granular information on the profession-by-profession impact of the UK’s data protection regime.” So she made that bit up on the basis of no research; indeed “The department produced no new or bespoke research used for writing of the speech”.

It’s not really a surprise that Donelan just spouted confected bullshit as her excuse for a Brexit-themed rewrite of UK GDPR, but anyone trying to engage with DCMS in the coming months over their rewrite plans should bear in mind that this is the level of analysis going on.

More interesting is the church angle. I asked what information DCMS held about churches who had written to them about their problems with the GDPR. Donelan wasn’t being entirely accurate, at least in terms of the information held by her department. They provided no correspondence from any individual churches. There was a brief letter from the Diocese of Worcester, which itself seemed to be forwarding a separate longer letter to the former SoS Oliver Dowden from the Church of England Church Commissioners. The names of the senders have been redacted, so presumably these are people who want the privilege of lobbying the government to change the law, but not to be held accountable for what they have said. Both letters were sent in 2021.

Cards on the table: I have no religious beliefs whatsoever. I think the Church of England should be disestablished, the UK should operate complete separation of church / religion and state, and the privileges enjoyed by religious organisations – tax, charity, seats in the House of Lords, involvement in state schools – should be removed. They should be private institutions, funded exclusively by their members. I am very far from unbiased here.

Nevertheless, the shopping list set out by the Church Commissioners was eye-popping. They claim to advocate for “a lighter touch regime for small organisations, not only in the faith sector but also more generally”, but many of their requests are specifically focussed on relaxing data protection for religious groups.

The list includes removing the requirement for religious belief to be treated as a special category – the example cited is the fact that by listing someone as a Reverend in a mailing list, you are processing special categories data. It’s true that the existing carve-out for religious groups – Article 9(2)(d) which allows for processing within a religious group – is hampered by the fact that the Church of England is a vast web of controllers rather than a single entity. However, the first thing to say is that the law shouldn’t be changed just because a particular group have chosen to organise themselves in a complex way, and secondly, describing yourself using a religious title could easily be interpreted as putting your religious belief in the public domain, engaging 9(2)(e) which covers any special categories data made public by the subject.

The Church also complains about the definition of social work – important for both relying on the safeguarding provisions in the Data Protection Act and also the exemption that allows data to be withheld from subject access applicants. Given the dismal track record that most religious groups have on dealing with the abuse committed by their priests and representatives, it seems rather hollow for any church to expect to be treated on a par with local authority social services (essentially what they are asking for). The idea that the government should make it easier for the Church to keep data secret from abuse victims is particularly ugly – and of course, this would have to apply to any church or religious organisation, so presumably the Catholic Church would get the same advantages.

The crucial part about churches being scared to send newsletters comes in an ill-informed section about marketing. “Parish newsletters (increasingly electronic communications) often contain all sorts of personal information and requests for fundraising or promoting forthcoming events” meaning that such messages could “inadvertently” fall under the definition of direct marketing and be captured by PECR. It’s plain that communications of this sort are covered by PECR – there is no need for a message to have a commercial motive in order to be direct marketing. Either the Church Commissioners simply haven’t done their research, or they’re being disingenuous. At any rate, they want an exemption which means they don’t have to get consent to send out religiously-themed messages and fundraising.

The final element of the letter worth commenting on is a matter that has been raised regularly since I started work on data protection more than 20 years ago. The Church doesn’t want to get consent to use special categories data in order to pray for people: “In relation to prayers about a person’s health, in theory explicit consent is needed, i.e., written consent because of the Article 9 implications, which effectively creates an administrative burden on religious/faith-based organisations for a spiritual and core activity”. They say explicitly that the A9(2)(d) exemption doesn’t help because they might want to pray for someone who doesn’t have regular contact with the church, and they can’t guarantee confidentiality from churchgoers.

Let me spell this out: these people want to talk about someone’s health in an ostensibly public place without consent or even consulting that person to see how they feel about it. Their sense of entitlement outweighs that person’s autonomy and privacy, and they want the government to change the law to give them the right to reveal and comment on confidential information about even unreligious people when they are at their most vulnerable. They don’t have the guts to say this clearly, but it’s absolutely what they want and expect.

Oh, and they want to be exempt from the DP fee and there to be a special hotline run by the ICO for religious organisations. A separate section runs through another series of requests aimed at small organisations in general, to include lower fines, longer time limits for answering subject access requests, a cap on compensation claims, and exemptions from ROPA and detailed privacy notices. They also want the ICO to stop expecting organisations to carry out legitimate interest assessments or account for what exemptions they’ve used in subject access.

I assume the Church of England still wants their God-Out-Of-Jail-Free card, and as Donelan’s department embarks on another consultation on how to reform GDPR (apparently using the DPDI Bill as a jumping off point), I expect they will be making their case again. More importantly, the Secretary of State thinks their perspective is so important that they’re worth citing as key examples of how GDPR is going wrong, rather than special pleading from a group that represents a dwindling proportion of society.

The central claim that underpins the letter – GDPR is one-size-fits-all – is a myth, ignoring the fact that some of the most burdensome activity is risk-based, that religious groups already have an exemption, and the ICO hardly ever fines anyone anyway. However, if Donelan is still highlighting the Church’s complaints more than a year after they were made with zero analysis, reality isn’t going to beat an ideological fairy story.