‘Gutting Privacy Rights’

UK Data-Law Plans Draw Advocates’ Ire

By Robert Bateman

The U.K. government has signaled its intention to diverge from the EU standards on data-protection and privacy law, claiming that a “less-European approach” could help drive economic growth.

But some experts told Digital Privacy News that the government’s proposals could weaken individual rights and could put EU trade at risk.

Since the U.K. fully transitioned out of the EU in January, it has been able to make changes to EU law, including the General Data Protection Regulation (GDPR), which passed in 2016.

According to Reuters, U.K. Culture Secretary Oliver Dowden said he hoped the country could “hold on to many of the strengths of GDPR in terms of giving people security about their data,” but focus “less on the burdens of the rules imposed on individual businesses.”

Dowden has not yet set out any concrete plans to amend GDPR. U.K. officials did not respond to a request for comment.

However, Digital Privacy News asked experts in privacy and data-protection about their predictions for the U.K.’s legal landscape.

“Until recently, we in the U.K. were protected by the EU GDPR against abuse and excessive sharing of our data by the state and with private companies,” said Douwe Korff, emeritus professor of international law at London Metropolitan University.

A new data plan could focus “less on the burdens of the rules imposed on individual businesses.”

U.K. Culture Secretary Oliver Dowden.

“The U.K. government has made it very clear that it wants to diverge from EU law, including EU data-protection law,” he told Digital Privacy News. “If the government plans go ahead, we will lose much of that protection.” 

Korff said the government “wants to bring about a ‘data-driven economy’ that would largely be built on personal data, perhaps lightly ‘anonymized.’”

He noted the danger that individuals could be denied access to such “lightly anonymized” data or be unable to object to its transfer to other jurisdictions, such as the U.S.

Korff also expressed concern about the “kind of person (the government) wants to appoint as the new information commissioner.”

New Commissioner Due

In October, the U.K. is due to appoint a new information commissioner, who will act as head of the country’s data regulator, the Information Commissioner’s Office (ICO). 

In a Feb. 28 post on its website seeking applicants for the position, the government said that the new commissioner must focus on communicating “the wider benefits of data-sharing” and “minimizing regulatory burdens.”

Korff said the ICO was “already tame,” but would become “not just a government lapdog but an active enabler of personal data abuse” under the government’s plans.

The changes could make the Information Commissioner’s Office “not just a government lapdog but an active enabler of personal data abuse.”

Douwe Korff, emeritus professor, London Metropolitan University.

The current commissioner, Elizabeth Denham, has served since 2016 and will end her term Oct. 31.

Denham has faced criticism by some privacy advocates, who have accused her of failing to take a strong stance against violations of data-protection law. 

Last November, the digital-rights group Open Rights Group (ORG) started legal action against the ICO over its alleged failure to properly investigate a complaint about the online advertising industry.

‘Fast and Loose’

Jim Killock, ORG’s executive director, said it was “clear” that the government was looking at “gutting privacy rights” and that it aimed to “undermine GDPR, just as other countries seek to adopt high standards.

“This means playing fast and loose with public trust, which underpins the digital economy,” Killock told Digital Privacy News. 

“Changing data-protection principles and rights would cause far more difficulties.”

Chris Pounder, Amberhawk.

“The government should not be seeking exploitative business models that disempower and discriminate,” he said. “But this seems to be the road they are taking in the name of business freedom.” 

‘Adequacy Decision’

Chris Pounder, director of U.K. data-protection training company Amberhawk, said Dowden wanted businesses to be able to “use personal data to achieve economic and social goals.”

An important consideration for the U.K., he said, is obtaining and maintaining an EU “adequacy decision” — signifying that the U.K.’s data-protection standards are “essentially equivalent” to the EU and enabling the country to continue importing personal data from the EU without impediment.

“This means playing fast and loose with public trust, which underpins the digital economy.”

Jim Killock, Open Rights Group.

The European Commission adopted a draft U.K. adequacy decision in February, which is expected to be approved later this year. However, if the U.K.’s standards diverge too far from the EU’s, it will put this adequacy decision at risk.

Pounder said that “without jeopardizing any adequacy decision,” the government could reduce the requirement on some organizations to appoint a data-protection officer, remove certain data-breach reporting obligations and reduce some of the GDPR’s record-keeping and risk-assessment requirements.

“Changing data-protection principles and rights would cause far more difficulties,” he said.

Another Perspective

David Erdos, senior lecturer in law and the open society at the University of Cambridge, said it should be possible for the U.K. to diverge on data-protection standards without losing its adequacy decision.

“The GDPR, in principle, provides strong protection for individual’s data-protection rights,” Erdos told Digital Privacy News. “But it has also been not unfairly criticized for excessive bureaucracy, an insufficiently graduated approach and a lack of clarity as to its reconciliation with other rights.”

“It is vital that this does not detract from the need to do much more to deliver robust and effective data-protection.”

David Erdos, University of Cambridge.

“The U.K. could maintain adequacy with the EU and the core standards of the Council of Europe’s updated Data Protection Convention whilst addressing some of those weaknesses,” he suggested.

“It is vital that this does not detract from the need to do much more to deliver robust and effective data-protection in practice.”

Robert Bateman is a writer in Brighton, U.K.