'Government has made it pretty clear it just wants a free pass', ORG on GDPR replacement
The draft Data Protection and Digital Information Bill is a data grab, the advocacy group says
At the recent Conservative Party Conference, which now seems so long ago, Michelle Donelan, secretary of state for Digital, Culture, Media and Sport (DCMS) reiterated the government's plan to introduce a "truly bespoke" replacement for the UK's current European-derived data protection regulations.
"We will be replacing GDPR with our own business and consumer-friendly, British data protection system. Our plan will protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely," said Donelan, claiming the result "will be simpler and clearer for businesses to navigate."
What that will look like in practice was the topic of an online meeting organised by advocacy organisation Open Rights Group (ORG) last week. The direction of travel, based on the TIGGR report, the Data: A New Direction consultation, and this year's Data Protection and Digital Information Bill (DPDIB) is clear, said legal and policy officer at ORG, Mariano delli Santi.
"The government has made it pretty clear it just wants a free pass," he said.
The government has been vocal about its aim to boost technological innovation, particularly AI, and one way it seeks to do this is by liberalising access to data. In addition, it wants to set the UK up as a global data processing hub, which in practice will also mean reducing restrictions on exporting personal data abroad, in a way that may be incompatible with EU GDPR.
The DPDIB, in its current form, makes it harder for individuals to object to or find out what data business or government agencies hold on them via a subject access request, delli Santi said. The draft Bill lowers the threshold that enables organisations to refuse a request, charge a fee for data access or be required to respond to "vexatious" requests.
The use of the word "vexatious" in this context is new and troubling as it is vague rather than definitive and could apply, for example, to repeated requests for information. Last year Uber drivers managed to find out why they had been unlawfully fired only after many attempts to obtain data about them held by the ride-sharing company. Under the proposed rules, this could now be considered vexatious and rejected.
It also removes the right of citizens to challenge discrimination arising from AI decisions. For example, a biased fraud detection algorithm might result in a person's Universal Credit being stopped, and they would have no recourse to find out why.
Another backward step for personal data rights is that the draft Bill grants much more power to the Secretary of State to decide what data should be shared with government. The government can force private companies and public sector bodies to hand over any data "of general interest" about individual customers, with the government able to change that definition as and when it sees fit.
And the DPDIB neuters the data protection watchdog, giving the Secretary of State the power to dictate priorities to the Information Commissioner's Office.
"The ICO is supposed to be the watchdog about how the government treats our personal data. Of course, giving the government the power to dictate what they can do and what they cannot do is not compatible with this role," delli Santi said.
Pointing out that Norway, which is also outside of the EU, has been reforming its data protection framework "in an exact opposite direction to the UK", delli Santi said the draft Bill would also be bad for businesses that share data overseas. With two sets of rules to comply with, they will be burdened with a whole new set of paperwork, even if the EU does not revoke its adequacy judgement, which is a possibility.
"These reforms show a real illiteracy on the part of the UK government of what data protection is and why it's important," he said.
"We live in a society where technology is increasingly being used to take decisions about us. Eventually it comes down to the fact that if you want to have rights, if you want to have human rights, then we need to have data protection rights."
In her address to the Conservative Party Conference, Donelan said the government is finalising the new legislation together in consultation with business, and that it would be looking "to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand" for guidance.
However, given the turmoil in government, the final shape of the Bill and the timeline of its progress through parliament remains unclear.