It was an open secret that the UK government and GDPR made uneasy bedfellows. Back in 2018, Dominic Cummings, Downing Street’s former chief advisor derided the European data protection paradigm as “horrific”, and looked forward to binning it. In 2020, Boris Johnson voiced his desire for a separate and independent data protection policy, and in May 2021, a deregulation task force commissioned by the Prime Minister called for the replacement of the UK GDPR (which is essentially identical to the EU GDPR) with a framework of British data rights. It therefore came as little surprise when, last week, the government issued a wide-ranging consultation on changes to the UK’s data protection regime in a self-proclaimed dash for data-driven economic growth.
As businesses and civil society digest the proposals – which tip the balance from data subjects towards businesses, espouse a pragmatic approach to cross border data transfers, and bind the Information Commissioner (ICO) to the government’s agenda – arguments are being rehearsed for a forthcoming clash with privacy campaigners, whilst the EU is poised to axe the UK’s data adequacy agreement if necessary, just months after granting it.
Same but different
Chafing at what it perceives as vague, bureaucratic data protection rules and complex data-sharing obligations, the government’s proposals have twin themes: maintaining data protection standards by adhering to the headlines of UK GDPR’s framework; and fostering the conditions for economic growth, innovation and competition by removing unnecessary barriers to responsible data use. With SMEs currently constrained by the same rules as better resourced multinational companies, the alleviation of data compliance burdens on businesses is central to the government’s agenda.
Under its reforms, the accountability requirements of the UK GDPR – which oblige data controllers to adopt policies and take appropriate steps to demonstrate data protection compliance – would be replaced with a less onerous privacy management programme tailored to each organisation and overseen by a ‘responsible individual’ who would supplant the organisation’s independent data protection officers.
Transparency obligations would be pared back, with businesses permitted to re-purpose and re-use personal data for research purposes without first informing the data subjects affected if doing so would involve disproportionate effort. Current limitations on using artificial intelligence alone to make significant decisions about individuals could be stripped away, for example by allowing algorithms to be the final arbiter of whether a person is recruited, eligible for a loan, or entitled to state benefits.
Data protection impact assessments (DPIAs), originally conceived as a good practice tool to identify and minimise personal data risks, would be jettisoned. DPIAs are currently required before businesses introduce facial recognition, biometric and other high risk innovative technology. Businesses would no longer be obliged to consult the data regulator before proceeding with projects involving particularly high personal data risk. While the government acknowledges that abolishing DPIAs would reduce current safeguards, it believes that privacy management programmes would ameliorate this threat.
Despite a 2021 National Crime Agency strategic assessment report which identified significant underreporting of data breaches, the government argues data controllers are over-reporting and advocates that, in future, only ‘material’ breaches should be reported. The government accepts that this could reduce reporting of breaches which are likely to risk individuals’ rights and freedoms, but believes it a price worth paying to alleviate the reporting burdens on organisations. In a further change to the breach reporting regime, the government is considering a voluntary undertakings scheme, allowing businesses to avoid regulatory penalties if they demonstrate effective and timely steps to address the causes of a security breach.
Finally, to the dismay of privacy rights advocates, the government is proposing to address a long-held data controller grievance – that some data subjects abuse the right of access – by reintroducing fees for accessing their data (‘DSARs’) and creating an exemption for requests likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation. DSARs do place significant administrative and financial burdens on businesses and other organisations, but allowing data controllers to charge for complying with them would likely have a significant chilling effect on the right of access, effectively limiting it to those sufficiently wealthy to pay.
Adequacy & the digital El Dorado
Avowedly international in outlook, the government estimates that £11 billion of trade around the world goes unrealised because of restrictions on cross-border data transfers. By adopting a pragmatic approach to the agreement of UK adequacy decisions in favour of third countries, the government aims to liberate companies from reliance on alternative legal mechanisms for cross-border data transfers such as standard contractual clauses and binding corporate rules. It is believed that adequacy decisions would boost the free-flow of personal data to and from the UK, affording customers faster, cheaper and more reliable products from around the world, and promoting Britain as the best place in the world to start and grow a digital business. The government has prioritised several countries for early adequacy decisions, including the USA, Australia and Singapore.
Regulatory rottweiler or lap dog?
Alarm bells about the government’s intentions for the ICO rang earlier this year when the Information Commissioner’s position was advertised. Prioritising candidates’ experience of data-driven innovation and growth over their data protection credentials, the advertisement prompted concern from Parliamentarians and privacy activists that the next Information Commissioner would become a government poodle. In reality, the ICO has long been legislatively obliged to have regard to the desirability of economic growth when carrying out its duties and to take enforcement action only as a last resort, particularly when regulating SMEs. The watchdog’s recent record bears witness to these obligations, earning it press criticism for a poor penalty imposition record.
The government proposes to double down on the data watchdog’s economic brief, setting its strategic objectives and imposing fresh obligations in respect of economic growth and innovation, competition and the government’s wider international priorities. To deliver on the ICO’s obligations, a board would be created, whose members would ultimately be approved by government to oversee the ICO’s activities. The Secretary of State would be empowered to initiate an independent review of the ICO’s activities and performance where they are perceived to slip, and to determine the Information Commissioner’s salary. With the data watchdog occupying a quasi-judicial role, there may be disquiet at the potential sway which, under its proposals, the government would hold over the ICO and its regulatory activities, diminishing respect for the data watchdog and raising the prospect of judicial review if its independence is compromised.
Upending a delicate balance
Not even the EU believes that its data regulation is perfect. For example, in its two year ‘EU GDPR birthday’ report released in 2020, the European Commission acknowledged that some SMEs found its provisions difficult to implement, and senior European politicians have suggested that it needs revision to cater for new technologies. However, on a practical level, the proposed revisions to the UK GDPR, particularly the requirement for a privacy management programme, risk considerable short-term administrative upheaval for the very SMEs and charities which the government seeks to assist. It was telling that, in the build-up to the consultation launch, rumours of a data protection ‘red tape’ bonfire met with a guarded response from industry and third sector bodies. The British Chamber of Commerce cautiously committed carefully to examine the government’s proposals, and third sector representatives voiced concern that the changes may require the investment of scant time and resources to ensure that charities are complaint with a new data protection regime.
Amending specific UK GDPR provisions and diluting data subject rights is also likely to generate fierce opposition from privacy campaigners. Scrapping restrictions on automated decision-making, for example, could arouse particular controversy because of its potential for discrimination, as Deliveroo discovered earlier this year when the Italian courts held that its recruitment algorithm indirectly discriminated against those with child-care responsibilities or who had previously suffered illness. Junking the general requirement for human oversight of such decisions jeopardises transparency in decision-making, risks unfairness for individuals, and undermines the accountability of the institutions making decisions about them.
Most significantly, by seeking to diverge from the EU GDPR, the government imperils the hard-won data adequacy agreement which it only secured from the EU in June 2021, and which allows for the unimpeded passage of personal data from the EU to the UK post-Brexit. Whilst cross-Channel data flows would have remained possible without such an adequacy decision, companies would have been obliged to rely on the alternative data transfer mechanisms within the GDPR. If the EU rips up its UK adequacy decision, the government estimates this would cost £1 billion in lost trade and would add £420 million in additional compliance costs for businesses over five years (independent estimates put businesses’ extra compliance costs much higher). The government admits that it has been unable to calculate the wider impact on UK-EU supply chains if the EU adequacy decision does fall.
In truth, the EU anticipated the day might come when European and UK data standards would part ways. Uniquely, the adequacy decision it bestowed on Britain contains an automatic ‘sunset clause’. Announcing the outcome of the adequacy review process earlier this year, the European Commission warned that, during the four-year shelf life of the adequacy decision, it would “monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place.” Though wary of the economic turmoil which could ensue for both sides if the UK’s adequacy decision were to be terminated, the EU would not wish to gamble away the credibility of its reputation for data protection by turning a blind-eye to perceived UK backsliding.
The grant of British adequacy decisions to third countries may provide an early flashpoint in this delicate EU-UK relationship. Government plans to issue them in favour of certain economies whose data protection standards the EU finds inferior threaten to cross a European ‘red line’; the EU believes onward transfers’ of European personal data from the UK to third countries should be permitted only where the further recipient outside the UK offers the same level of data protection as that guaranteed within the UK. In this regard, the UK’s plans to grant an adequacy agreement to the US stumble into immediate legal quicksand. Since 2015, the European Court of Justice has twice rejecting data sharing arrangements painstakingly negotiated between the US and the European Commission on the grounds of US data protection ‘inadequacy’. Privacy campaigners will have no hesitation in challenging EU-UK data sharing arrangements in the courts if Britain becomes a backdoor for transmitting EU personal data across the Atlantic without what they regard as acceptable safeguards.
Trust is a must
Reading between the lines of the consultation paper, the government clearly feels that the EU has a sclerotic approach to the possibilities of ‘big data’ and hopes that, by alleviating the burden of data regulation in this country, the UK can steal a march on EU member states to reap a digital bonanza. Whether or not this view of the UK’s erstwhile EU partners is justified (in April 2021, the EU released a proposal to turn the EU into a global hub for AI whilst maintaining fundamental rights and the EU GDPR), pan-European proposals are likely to take longer to implement than those in a single nation state. However, the relative size of the EU’s market will inevitably create a gravitational pull on UK companies hoping to do business there, leading them to adhere to EU data protection standards for reasons of economy. Irrespective of whether the UK avoids being stripped of its adequacy decision by the EU, therefore, the most immediate impact of UK GDPR reforms may turn out to be the imposition of more – not less – data protection bureaucracy on UK-based businesses wishing to do business in the Europe.
Few would disagree with the stated aims of the consultation paper – delivering more agile, effective and efficient public services and strengthening the UK’s position as a science and technology superpower – and data will be the resource fuelling these reforms. However, as the outgoing Information Commissioner rightly observed when welcoming her successor’s nomination, “the digital opportunity…will only be realised where people continue to trust their data will be used fairly and transparently”. The government claims the public is growing less concerned about the use of its data but the same survey it cites to support this assertion found 62% of respondents believed trust would improve if they had more information about how organisations used their data. The government’s proposals merit serious consideration, but legislators may wish to reflect on the impact which a number of them would have on trust. As the ever growing opt-out from the GP patient record research scheme shows, if the public feels hoodwinked into surrendering its personal data, trust will be the biggest casualty.