Digital Privacy
31 Jan 2024 Jim Killock
Are British Data Rights falling behind our EU neighbours?
With the roll-out of iOS 17.4, Apple iPhone users in the EU will benefit from downloading apps outside of Apple’s official app store. This benefit, which is known as sideloading, will be denied to British customers for now. On the fourth anniversary of our leaving the EU, we ask the question: is this evidence that we are now falling behind when it comes to our digital rights?
Regulating Big Tech
The EU appears ahead when it comes to regulating big tech. British citizens will have to wait until the Digital Markets, Competitions, and Consumer Bill comes into force to see whether Apple will face the same kind of regulation in the UK market it now faces in Europe. The Bill grants the Competitions and Markets Authority the powers to regulate, but it’s still being determined whether they will, in this instance, follow an EU or North American model.
However, What is certain is that changes to Apple’s App Store model would be much harder for the UK to implement independently. However, Apple has become the last of a long list of examples where tech companies provide products that comply with higher regulatory standards in the EU while distributing lower-quality products and services elsewhere. This opens up the option for the UK to follow the EU’s lead, but the choice exists because of the intervention of EU regulators controlling a much bigger market.
Failure to regulate AI facial recognition and safeguard biometric data
The EU AI Act provides some limited gains for rights, particularly a ban on pervasive live facial recognition. It limits predictive policing based on “personality traits or characteristics”, but doesn’t stop the wider growth of pre-crime systems that use data
and automated decision-making to ‘predict’ criminal activity. There are duties for human rights assessments of systems and disclosure duties for high-risk systems. The UK, however, has opted to do precisely nothing and continues to press ahead with AI-empowered surveillance to the extent that a Lord’s Committee is questioning the legal basis of the systems that are being put in place.
At the same time, the Government are addressing an all-time low level of trust in policing and law enforcement bodies by abolishing the Biometric and Surveillance Camera Commissioner. The decision, as stated in an independent report, would leave a huge oversight gap that will deplete “the capacity to address future challenges associated with increasingly sophisticated and digitally advanced surveillance tool”.
Implementing the rights and duties that now exist in the EU would be an important minimum step for the next Government if it makes the wise choice to step away from the current deregulatory digital approach.
The UK has not only failed to keep up with improving our rights but is actively weakening them. With the Data Protection and Digital Information Bill, the Government is attempting to abolish the Biometrics and Surveillance Camera Commissioner and weakening protections around automated decision-making.
Leading the way on chat controls and censorship with the Online Safety Act
With the introduction of the Online Safety Act, British legislators have made the claim that we now have ‘world-leading’ regulation of the Internet. Nevertheless, the OSA lacks many of the protections for free expression present in the European equivalent legislation, such as clear appeals processes.
In terms of the impact on digital rights, both the EU and UK were looking at encryption-breaking chat monitoring, but the UK has decided to jump and go first – despite the obvious risk that we might find ourselves cut off from services as the UK market is small enough to ignore if the UK government makes extreme demands.
The EU is pulling back from the brink on encryption and may land in a sensible place. The UK, however, presses on with more and more powers to prevent encryption from being deployed. For example, as highlighted in this joint civil society briefing, clauses in the Investigatory Powers (Amendment) Bill would make it harder for companies to deploy security updates, such as Meta turning on E2EE for messenger or Apple turning on encryption for its iCloud backups.
The Data Protection and Digital Information (DPDI) Bill will weaken UK data rights
The UK’s Information Commissioner is the ‘sick regulator of Europe’. Our report into how the ICO failed to hold the Government to account over the use of public health data during the pandemic demonstrated how poorly the UK’s regulator coped in a crisis. Many people’s experience of trying to complain to the ICO is to simply be informed they must take it up with the organisation that has violated their data rights or that they agree there has been a breach of data rights but can’t act.
This leaves an unjust situation in which only the wealthy will be able to enforce their data rights through the courts.
As our briefing highlights, the Government’s Data Protection and Digital Information Bill would appear to further weaken the role of the ICO, for example, granting it discretionary powers to ignore complaints and giving Ministers powers to set out its strategic priorities.
The Bill also weakens our ability to find out what information organisations hold about us by lowering the threshold for refusing Subject Access Requests (SARs). Organisations can refuse SARs that they consider to be vexatious. It is entirely plausible that the Post Office would have used such an excuse when numerous sub-masters made requests for the data that the company held about them. If this Bill becomes law, our ability to hold organisations to account will be diminished.
Impact of new trade partnerships on international data-trade
Any new sovereignty we have gained in theory is, in practice, being sold away for trade deals where the terms are written by negotiators and international corporate partners, especially regarding digital trade.
The UK is playing a dangerous game by entering deals such as the CPTPP, and ratifying other agreements that place a primacy on the free flow of data. While these deals allow for data protection laws to exist, they must restrict data flows only to the minimum necessary, and it may prove that “Data Adequacy” assessments, which are meant to enforce a high and comprehensive level of data protection, are too high a bar for commercially minded trade courts to tolerate.
If so, the UK could unleash a significant problem for the Adequacy model of European data flows by first allowing data to be exported onwards to less safe countries through a UK data laundering hub and later helping to push other states out of the adequacy system altogether, and starting a race to lower standards.
Finally, it is rather worrying that these political decisions have been taken in the dark and without meaningful scrutiny. After leaving the European Union, the UK has been left with a system to scrutinise international treaties, which is centuries old and completely inadequate to cope with the significance and the impact that international agreements can have on UK residents’ rights. Indeed, the Public Administration and Constitutional Affairs Committee has just released a report which proposes a radical overhaul of the role of Parliament in scrutinising international treaties. In other words, the Government has been ignoring real and tangible priorities for the future of the UK trade agenda to chase newspaper headlines and sign some rather modest deals.
Rise of the bureaucrats
Brexit was meant to be about Parliamentary sovereignty, but with the Online Safety Act and DPDI Bill, Parliament is giving ministers and regulators more powers with less Parliamentary oversight. Regulators may appear to be in charge, but the new laws place increasing powers in the hands of Ministers and Government Departments.
The regulators are, in any case, constrained by the law, and often in unhelpful ways. For instance, the new Data Bill demands that the Information Commission think about commercial innovation and state security before deciding whether rights are worth enforcing. This is not how rights are meant to work. Rather, we have rights, and any limitations to them are meant to be necessary and proportionate.
In any case, Parliament now has a much bigger job with more legislative areas to cover, yet there have been no changes to the Parliamentary committee system or to the resources that Lords receive to do their detailed scrutiny work. Any digital rights balance requires significant institutional reform, as will areas of environmental, industrial and employment law. Several years after Brexit, these yawning gaps are still far from being considered serious political questions. If we want to become world-leading and improve upon EU regulation of tech, then these capacity, bandwidth and issues around expertise in digital issues will need to be addressed.