Digital Trade and the EU – Post Brexit
On Friday, 21 October, the Wales Cross Party Group on Digital Rights, of which Open Rights Group (ORG) is the secretariat, held an online event discussing the EU and digital trade post-Brexit and in the wake of new legislation. How easy will it be for trade between the EU and the UK when the UK is watering down the inherited General Data Protection Regulation enshrined within the Data Protection Act 2018 and the EU must maintain equivalency for trade to take place?
To answer that question, Mariano Delli Santi, ORG’s legal and policy officer, broke down how incoming legislation will cause problems for the UK and EU’s trade experience. Valentina Palace, a legal researcher from the Ada Lovelace Institute (ALI), also spoke about the missed opportunity of the new legislation to redress the power imbalance between data subjects and data controllers. Meanwhile, Ceri Williams from Wales Trade Union Congress (TUC) relayed the impact of reforms on workers’ rights. The event was chaired by Sarah Murphy, MS from the Welsh Senedd keen to raise the issue of digital rights on the agenda in Wales. She is also chair and founder of the CPG on Digital Rights.
Digital rights are human rights
“Data protection is recognised in Europe and increasingly throughout the world as a human right,” iterated delli Santi, opening the presentation, emphasising the protections currently afforded by the GDPR. He stated how important enhanced data protection rules are when new technology allows personal information to be more available than ever. Credit agencies, employers, and schools all have access to our data. One only has to look Stateside for the dire implications of having the biggest source of data – our phones – accessible by the government as women are being prosecuted for accessing abortion clinics.
While the GDPR gave individuals more control over their data, reforms by the incoming Data Protection and Digital Information Bill intend to make it easier for organisations to use and share that data, regardless or in spite of the impact this may have on the individuals whose data is being processed. It purports to make it harder for individuals to access the information an organisation holds on them. It has also presented changes to the accountability framework for organisations to demonstrate compliance when processing data. The Bill will also make it easier to transfer data to third jurisdictions and give the Secretary of State carte blanche on whether data sharing should occur. Murphy drew attention to an upcoming data adequacy agreement between the US and UK as it becomes clear that rules are sought to make data transfers easier.
The impact on digital trade
The UK currently enjoys adequacy, allowing the EU and UK to trade data; losing this will come at an economic cost – one estimate is in the region of £1.6 billion for legal fees – deterring EU companies from working with the UK. It will also impact the way the Secretary of State decides to legislate and create a lot of legal uncertainty and a stigmatising effect. For instance, an individual could make a subject access request to a UK company and see it rejected, only to find out that another company based in the EU will provide them access to their personal data without too much hassle.
ALI’s previous analysis on public attitudes certainly found they want more control over their data and greater regulation as they beocme sensisitsed to data issues. ALI’s Palace also said the new Bill was a missed opportunity for more emphasis on rights.
“The GDPR has always had a dual role,” said Palace during her session, “to protect rights but also to protect the EU’s economy.” The instrument should achieve both objectives but there is now more emphasis in the UK on innovation and driving private and corporate agendas, she added. In her view, there could also be more non-legal interventions, such as guidance, templates or other tools to help small to medium-sized enterprises implement new standards. Typically only bigger corporations can implement major legal changes.
“It is important for the Welsh and Scottish parliaments to push back as it’s not good for business or trade. Devolved administrations should not want to suffer those disadvantages.”
Jim Killock, Director, Open Rights Group
Enforcement and transparency
ALI has already raised the alarm on the lack of enforcement around biometrics. In its independent legal review around the need for greater governance of the collection and analysis of biological data and enforcement of regulation. There must also be transparency, said Palace, particularly where automated decision-making takes place.
The Home Office’s visa streaming tool, deemed unlawful, was a prime example, as the algorithm that determined which nationalities were more “suspect” was opaque and the Home Office refused to provide meaningful information about what factors were used to grade applications.
The new provision around automated decision-making in the Bill could benefit from definitions and specificity. For example, what is a “significant decision” or “meaningful human involvement”? And does scientific research include any research broadly described as scientific? The definition as it currently stands could raise questions over private-funded research and lead to the rise of technologies dangerous to society, according to Palace.
Workers’ rights
Williams explained how Wales TUC had been working on algorithmic systems processing data with automated decisions at work. The risks to workers included data protection infringements, lack of control and knowledge of data uses, fewer boundaries to data uses, health and safety, discrimination and barriers to challenging decisions.
The GDPR, while imperfect, allows some redress of the imbalance between worker and employer, for instance, by imposing lawful grounds for processing data but the new law would remove important safeguards. “Decisions should be made by people and not machines, particularly where those decisions will have a significant effect and there must be a right to human review,” said Williams. That’s why MP amendments should work towards a new digital ethos, according to Williams, to oppose discrimination and makes human engagement mandatory for employers with workers.
Williams also stressed how workers could use AI and data reciprocity could help redress the power imbalance if they could benefit from AI tools with data analysis to support TUC’s campaign for better work and conditions.
Implications for Wales
The ramifications of the Bill are significant for Wales as a devolved administration on two fronts. First, Welsh industry would be made less competitive and become harder to trade with Europe, damaging the relationships with Welsh businesses. There are also public policy impacts – the Prevent duty is one example – and solutions to major problems will become harder, opening the floodgates to bad practice, said ORG director Jim Killock.
“It is important for the Welsh and Scottish parliaments to push back as it’s not good for business or trade. Devolved administrations should not want to suffer those disadvantages.”
The power afforded to the Secretary of State especially signals the limitless uses of enhanced data sharing that could be possible – that doesn’t rule out selling data – and could be implemented solely by statutory instruments, last voted down in the 1970s.
“This very much goes back to the heart of the matter,” summarised Murphy, “In that, it gives limitless powers to certain people and it is very undemocratic.”
The next CPG will be held on 9 December on migrant women and sharing of their data between public bodies.