Government is seeking to water down data protection and gut the ICO, warns ORG
Measures are designed to favour business and government interests over those of the individual, says Open Rights Group
The government is looking to gut the data protection rights afforded to individuals and weaken the oversight and transparency into how personal data can be used by businesses and government agencies, according to the non-profit campaigning organisation Open Rights Group (ORG).
In a public online discussion on Tuesday, the ORG's Legal and Policy Officer, Mariano delli Santi, said the authorities are seeking to "steamroll" anything that might get in the way of government and commercial use of personal data, to avoid the sort of reversals they suffered in bringing in Palantir and Google DeepMind to the NHS without sufficient transparency and contractual safeguards.
However, at the same time the authorities do not want to lose EU adequacy status, which is up for review by the European Commission in 2024. Losing adequacy would mean data could not flow freely between the UK and countries in the EU, with severe adverse economic consequences likely.
UK data protection legislation is currently based on the EU GDPR, but the government has signalled on numerous occasions that, having left the bloc, it wants to dilute many of its provisions. This includes replacing GDPR Article 22, which covers the right of individuals not to be subject to a decision based solely on automated processing, and Article 5, which requires personal data collection to be restricted to "specified, explicit and legitimate purposes," and be "adequate, relevant and limited to what is necessary".
The TIGRR report, drawn up by three Conservative politicians in the summer, argues that such measures hinder development of AI.
The government avoids mention of these issues in its public pronouncements, instead focusing on cookie banners and onerous opt-outs (which are often actually illegal under the current, rarely enforced legislation) to make its case.
"You can clearly see that they want to get rid of the GDPR but on the other hand, they want to retain the adequacy of the European Commission and therefore they don't want to make too much noise," delli Santi said.
In its public consultation document Data: a new direction, the government proposes expanding the definition of legitimate interest for commercial organisations, removing the requirements for balancing tests to ensure individuals are not adversely affected or discriminated against, softening purpose limitation - which stipulates that data should only be used for its stated purpose and not reused thereafter - and dispensing with the need to publish data protection impact assessments (DPIAs).
In the public realm it proposes to expand the range of applications deemed to have a "public purpose", and therefore be exempt from the rules, including for law enforcement, and to remove or water down the accountability and right to know currently embodied by Article 22. Subject access requests, by which people can find out what their data has been used for, would be chargeable.
The government is also seeking to neuter and control the data protection watchdog, the ICO, requiring the regulator to balance 'public safety' and 'growth and innovation' against its primary duty to uphold data rights. An individual wishing to complain to the ICO about data misuse will first need to inform the abuser, which would create an obvious disincentive, and businesses will find it much easier to claim that processing personal data is vital for their economic wellbeing.
In addition, the government wants to exert control over the ICO by having the power to dictate its priorities via an annual statement, said delli Santi. "They basically want to decide whether the ICO should be enforcing the law or policing in one sector rather than another."
They also want to directly appoint the regulator's CEO, with the power to amend the salary of the commissioner without parliamentary approval.
"The ICO is supposed to be a watchdog, it's supposed to be an independent supervisory authority, and it's also supposed to supervise how government and the private sector can use data. Giving the power to who is being watched to basically cut the salary of who's watching you will have a clear chilling effect," delli Santi commented.
Among the recent cases brought to the courts under GDPR that would likely not succeed under the proposed rules are the reversal of the flawed algorithmic marking of A-levels, the case of Bounty UK, which was fined £400,000 by the ICO for selling 14 million records of mothers and children to advertisers and data brokers, and various cases where AI models have been found to have inbuilt bias, for example discriminating against certain ethnic groups.
The principle of the GDPR is to wrest control of personal data from governments and private interests and return it to the citizen. It seems the government is keen to turn back the clock, delli Santi said.
"They are trying to retain things in name, but they have simply twisted the meaning to a point where the concept of data protection that was designed to protect the individual becomes the concept of giving protection to the criminals and offenders."
ORG CEO Jim Killock added: "GDPR has been a revolution in data protection. We're able to actually get things done with GDPR. We can challenge governments and corporations and make things happen. This is happening exactly at the time when data has become fundamental to society. So it's just a terrible, terrible step."
The public consultation Data: a new direction closes for public input on Friday November 18th, with the government expected to respond to its findings in the Spring.
The DCMS and ICO have been contacted for comment.