The UK government’s plans to reform data protection laws have been criticised by campaigners and lawyers for giving too much power to ministers over privacy and data sharing, as well as reducing digital rights and safeguards.
The Data Protection and Digital Information Bill, which was introduced to Parliament on 18 July 2022, provides more detail on reforms to the UK’s post-Brexit data protection landscape.
The government claims the reforms will protect citizens better while unburdening businesses, but lawyers and civil society groups are worried that the changes could lead to a lower standard of data protection and undermine digital rights contained within the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Formerly known as the Data Reform Bill, the updated Bill was described by Matt Warman, minister for media, data and digital infrastructure, as an “opportunity to seize the benefits of Brexit and transform the UK’s independent data laws”.
Warman said the burdens of the UK’s current data protection requirements have held businesses back from realising the benefits of greater personal data use, adding: “By focusing on outcomes, not box-ticking, we will unburden businesses from prescriptive requirements and empower them to protect personal data in the most proportionate and appropriate way. Our changes could create around £1bn in business savings over 10 years.
“The Bill will sustain and scale the UK’s approach to supporting international data flows by capitalising on its independent status to strike partnerships with some of the world’s fastest-growing economies. Reforms will ensure that the mechanisms to transfer personal data internationally are secure and flexible to help British businesses grow.”
The introduction of the 192-page Bill comes a month after the government published its official response to a consultation on the Data Reform Bill in June 2022, in which it pledged to press ahead with a number of changes to the UK’s post-Brexit data protection framework.
Suggested changes included removing organisations’ requirements to designate data protection officers (DPOs), ending the need for mandatory data protection impact assessments (DPIAs), introducing a “fee regime” for subject access requests (SARs), and removing the requirement to review data adequacy decisions every four years. All of these are now included in the updated Bill in some form.
“We now have confirmation of what the UK’s post-GDPR data framework is intended to look like,” said Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy and cyber security practice. “Nips and tucks rather than a full facelift, although many of the small changes could have significant effects in practice and likely won’t go unnoticed as the Bill moves through Parliament.
“The GDPR isn’t perfect and it would be foolish for the UK not to learn from those lessons in its own approach, but it’s walking a tightrope between improvements to the current framework and performative changes for the sake of ripping up Brussels red tape. My initial impressions of the Bill are that the government has struck the balance in favour of business and overlooked some civil society concerns, so I would think that reduced rights and safeguards for individuals will be areas that are targeted for revision before the Bill is finalised.”
There are also concerns that the direction of travel the UK is taking could lead to it losing its data adequacy status with the European Union (EU), which allows the continued free flow of data between UK businesses and those in the bloc.
The European Commission granted the UK data adequacy in June 2021, but warned that this may yet be revoked if the UK’s new data protection rules diverge significantly from the EU’s.
MEPs have also previously argued that UK laws allowing government agencies to access and retain bulk data on individuals who are not under suspicion are inconsistent with the GDPR, and that data sharing between UK signals intelligence agency GCHQ and the US National Security Agency “would not protect EU citizens or residents”.
But Warman said: “The EU does not require countries to have the same rules to grant adequacy, so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”
While the June 2022 consultation response previewed many of the intended changes to UK data protection law, the updated Bill goes into more detail and makes a number of further changes that were not previously announced.
For example, one of the most significant additions to the Bill is that it would make any data processing lawful if it is conducted for one of the “recognised legitimate interests” listed in Annex 1 of the Bill’s text. As it stands, the legitimate interests that provide a lawful basis for data processing include: national security, public security and defence; emergencies and crime; safeguarding vulnerable individuals; and democratic engagement.
However, the Bill would also give the secretary of state sweeping powers to extend or reduce the list of legitimate interests that organisations can use as grounds for data processing, as well as to amend almost any aspect of the legislation through further regulations, thereby circumventing parliamentary debate on future changes.
Mariano delli Santi, legal and policy officer at Open Rights Group (ORG), said: “The Bill will remove the balancing test for data uses based on [a list of] legitimate interests. That is to say, an interest will be considered legitimate even if it is harmful. The government will have the power to amend this list as soon as we are looking the other way.”
He added: “This translates as: the government wants to have the power to establish arbitrary lawful grounds for data uses that lack definition, foreseeability and safeguards against abuses. Parliament will be asked to rubber-stamp what the government proposes.”
On top of new powers for the secretary of state, the Bill also contains provisions to water down Article 22 GDPR restrictions that protect people from solely automated decision-making.
The government confirmed in its consultation response that it will not pursue a proposal to completely remove Article 22, but said it was considering how to amend the article to clarify how it applies in practice. “Reforms will cast Article 22 as a right to specific safeguards, rather than as a general prohibition on solely automated decision-making,” it said. “Reforms will enable the deployment of AI-powered automated decision-making, providing scope for innovation with appropriate safeguards in place.”
Responding to the Bill’s introduction, Michael Veale, an associate professor in digital rights and regulation at UCL, tweeted: “Article 22, around automated decision-making, is gone, replaced by three articles which in effect say that normal significant, automated decisions are never forbidden but get some already-present safeguards; decisions based on ethnicity, sexuality, etc require a legal basis.”
Again, the secretary of state will have powers to amend Article 22 further, including by adding or changing the safeguarding requirements.
There are also a number of important changes to law enforcement-specific data protection requirements, which were set out for the first time ever in Part Three of the Data Protection Act 2018.
These include: police and criminal justice organisations no longer being required to log a justification for why they have accessed specific data records; no longer being required to inform people that they have been subject to automated decision-making, which the government has justified by saying it “could risk prejudging an active investigation by tipping off an individual”; and extending the time in which law enforcement bodies have to respond to information access requests by a full two months.
According to the explanatory notes published by the government alongside the Bill, it would also “introduce a power that will allow the secretary of state to issue a notice designating some specified competent authorities to process data jointly with the intelligence services under Part 4 of the DPA 2018 for national security purposes.”
The ORG has said this means that “mass data sharing will be allowed with law enforcement agencies without proper checks and balances”, turning the UK into a “digital police state”.
The notes added that the Bill will also “abolish the Biometrics and Surveillance Camera Commissioners’ posts, and the Surveillance Camera Code. The Information Commissioner’s Office (ICO), which covers the use of all personal data by all bodies, remains in place. The Bill would transfer these review functions to the Investigatory Powers Commissioner”.
While the notes acknowledge that “the current oversight arrangements for police use of biometrics to help identify and eliminate suspects are complex and confusing for the police (as controllers) and the wider public”, the government recently rejected the findings and recommendations of a House of Lords inquiry into the police’s use of emerging tech – which called for an overhaul of how police deploy artificial intelligence and algorithmic technologies – claiming that there is already “a comprehensive network of checks and balances”.
Regarding the ICO, the government is seeking to limit its independence by giving itself the power to set and cut the commissioner’s salary, forcing it to consider the government’s priorities when exercising its regulatory functions – which will be set out in an official “statement of priorities” – and requiring the secretary of state to approve any statutory codes of practice before they are laid before Parliament.
The ICO will also have new duties to promote innovation and competition when carrying out its data protection functions.
The ORG said in a blog post that the changes to the ICO and its functions “will codify cronyism into law”, adding: “At a time when personal data can be leveraged to do all sorts of wrong things, depicting data protection as a burden is wrong, irresponsible and negligent.”
On the changes to the ICO, Ropes & Gray’s Machin added: “It’s disappointing that the government has stuck to its view that Parliament needs greater influence over the ICO – particularly as watering down regulatory freedom while trumpeting the UK’s own independence smacks of hypocrisy. The ICO is not a trigger-happy or sleepy regulator, so it’s hard to see the logic of a change that risks undermining its status on the global stage for negligible domestic benefit.”
The Bill will also “establish a body corporate, the Information Commission, to replace the former regulator, the Information Commissioner, which is structured as a corporation sole”.
The notes added: “The nature of the regulator’s role and responsibilities remains fundamentally unchanged. The office of the Information Commissioner is abolished, and provision is made for the transfer of functions etc from the Information Commissioner to the new body, and for the current Information Commissioner to transition to the role of chair of the Information Commission.”
On 14 July 2022, the ICO unveiled its three-year regulatory plan, which included proposals to look at the impact of predatory marketing calls, re-examine the use of algorithms in the benefits system, consider the impact that the use of AI in recruitment could have on certain groups, and deepen its ongoing regulatory support of children’s online privacy.