Digital Privacy
01 Aug 2024 Mariano delli Santi
Light and Shadow of the Digital Information and Smart Data Bill
In what could be a new, welcomed development, Labour appear to have decided to narrow the scope of the data protection reform by … taking away the data protection parts. Open Rights Group has engaged with the Conservatives’ data protection changes since the very outset, working with both domestic and EU stakeholders throughout the years and playing a key role in averting the adoption of a disastrous Bill.
As we look forward to analyse the new proposals once available and engage with the Government and Parliament on the proposed new Bill, we want outline our key focus areas, concerns, and lessons learnt. In particular, we address the new Digital Information and Smart Data (DISD) Bill, the Information Commissioner’s Office (ICO), and the impact of regulatory divergence with the European Union (EU). We want to warn against efforts from industry to bring back some of the Conservative’s bill that would undermine data protection and efforts to regulate Artificial Intelligence technologies.
THE DISD BILL IN A NUTSHELL
The outline of a new DISD Bill discussed in the King’s Speech would bring back provisions from the former DPDI Bill that would establish a trust framework for digital verification services and enable customers to share data about them more easily—for instance, to enable interoperability in a similar fashion as OpenBanking, or to make it easier to switch to a different service provider. The Bill is also expected to introduce changes to the Digital Economy Act to “help the Government share data about businesses that use public services”, make changes to the regime that regulates the use of data for scientific research, and introduce some changes to the Information Commissioner’s Office.
Notwithstanding some uncertainties—that we will discuss shortly—it is already worth noticing that retaining high data protection standards is key to the success of digital identity, smart data schemes, or data sharing initiatives. The public needs assurances that digital identity solutions will not compromise their privacy, or allow digital verification providers to share their data with third parties for commercial or otherwise exploitative purposes. Consumers will be keen to share their data more widely if there are strong and enforceable boundaries that prevent companies and service providers to use this data in unexpected ways, or sell it to third parties. Likewise, important data sharing initiatives have failed before due to poor data protection standards—see, for instance, the mass data opt-out from the NHS data sharing scheme, fuelled by fears that medical data would be grabbed by private companies rather than used for public research purposes.
Against this background, the new DISD Bill proposal seems to have taken the changes to the regime that regulates the use of data for scientific research straight from the DPDI Bill, a move that risks reigniting the widespread controversies that accompanied the UK data protection reform under the Conservative Government and, ultimately, threatens public trust on the use and sharing of data for “scientific” purposes. Likewise, the argument that UK data protection law needs be clarified in order to allow the deployment of new technology echoes very dubious arguments made by corporate lobbyists over the past four years, and embraced by the previous Government to justify the wholesale deregulation of the UK data protection framework the DPDI Bill would have introduced.
In other words, it is good news that Labour seem to be refocussing on worthwhile policies. However, their efforts risk being undermined by misguided attempts to resurrect dangerous DPDI Bill proposals that would undermine the operating environment upon which these policies need to rest.
ICO REFORM
According to the notes accompanying the King’s Speech, the proposed DISD Bill would to “ensure your data is well protected” by modernising the ICO and, in particular, by introducing a “more modern regulatory structure, with a CEO, board and chair”. Taken at face value, this announcement is more than welcome: the ICO and its approachfavouring of corporate interests represents perhaps the biggest barrier to the effective enforcement of data protection in the UK—or, as some experts have put it, the “undoing of 40 years of progress on information rights”. Likewise, a board structure could increase resilience against leadership failures and corporate capture.
However, the DPDI Bill previously proposed some of these changes, bundled into several clauses that would have undermined the independence of the ICO, watered down its statutory objectives, and reduced its accountability. It remains to be seen if Labour will be able to separate the bad out from some objectively worthwhile changes to the corporate structure of the ICO.
Finally, there are more urgent changes that the ICO needs to support Labour’s ambitions, such as the transfer of its appointment to Parliament, the implementation of collective redress mechanisms, and a reform of Section 166 of the UK DPA to allow substantive scrutiny of ICO enforcement decisions by the Information Tribunal. Implementing a new board structure to the ICO alone will fall short of addressing its institutional shortcomings, if this is not accompanies by deeper changes that are able to address the root causes of the ICO failures.
EU–UK RELATIONSHIPS
In a nutshell, the DPDI Bill wanted the moon and back: companies would have moved to the UK to use EU personal data (and move them abroad) more freely. This would have been possible by retaining the adequacy status with the EU, that recognises the equivalence between the EU and UK data protection frameworks and allows seamless cross-border data sharing. Of course, the Conservative Government and the corporate lobbyists that proposed this approach were certain that lowering data protection standards would not endanger the adequacy status.
Needless to say, this cunning plan was working just as well as any other time when the UK Government tried to “have the cake and eat it”: the DPDI Bill was met with dismay by the Members of the European Parliament that were monitoring the adequacy status of the UK. The DPDI Bill was also identified as a barrier to the functioning of the EU – UK Trade and Cooperation Agreement, and of important cross-border initiatives in fields as research or law enforcement data sharing. The European Commission raised several concerns around the compatibility of the DPDI Bill with EU adequacy standards, the LIBE committee wrote to the House of Lords, and EU civil society organisations were asking for the adequacy agreement to be scrapped if the UK data protection reform were to pass.
These developments should act as a warning for the new Government: regulatory divergence threatens the UK’s ambitions to further cooperation with the EU, such as by entering veterinary agreements or, potentially, rediscussing the Trade and Cooperation Agreement.
WE NEED TO MOVE ON
Over the past four years, the UK has been pursuing ideologically-driven digital policies that advocated deregulation to meet the interests of a few large technology companies, stimulate far less restricted and dangerous business innovation and use of personal data, and thereby justify the decision to leave the European Union. As the UK finally leaves this page of its history behind, Labour will need to learn from the DPDI Bill to avoid the mistakes of the past.
A cultural and policy shift is needed: one where the Government does not ignore independent experts and public interest organisations for the benefits of the private interests of a few companies and, that recognises the importance of data protection and the boundaries and prohibitions it imposes. Such an approach should get the public onboard through persuasion, rather than coercion. Most importantly, it should favour socially responsible innovation, by imposing clear guidelines and limits, rather than fostering a culture of irresponsible data abuse and mistrust of technology industries.
Read more about the Hands Off Our Data campaign