The Govt want to read your meter readings, and your mail could be next
The UK Government have announced that they will require energy suppliers to hand over meter readings of millions of UK residents to conduct “financial checks […] for assurance and the prevention, investigation, detection or prosecution of criminal offences including fraud”, as well as to “inform future Government policy”. It is worth mentioning that your meter readings may reveal what appliances you are using and at what time of the day and that, according to the privacy notice the Government have published, they may be shared with Credit Reference Agencies, Local Authorities and Debt Collectors. Data collected under the Energy Price Guarantee (EPG) scheme will be stored for “no longer than 10 years”.
Interestingly, the EPG scheme provides no incentive for cheating: the price guarantee only caps prices for gas units, and public money is given to energy companies. Thus, a prospective fraudster who inflated their energy bills would just end up paying more from their own purse. This is likely to make the mass retention of your energy bills for a period of 10 years disproportionate and unjustifiable by its own terms, without the need to delve into the fine print.
Our analysis of this brilliant idea could end here, but proposals under the UK Data Protection and Digital Information Bill would legalise precisely this sort of unjustified intrusion into our private lives. This plan, and the attitude the Government are showing, gives us a good preview of how UK data protection reforms would work in practice.
Turning private companies into informants
Two foundational principles of the GDPR are lawfulness and purpose limitation. These abstract concepts become rather substantive if compared against the plan described above: is it lawful, and thus proportionate and justified, to treat you as a suspect unless proven innocent, and to store your energy bills for 10 years to detect a fraud you are not even likely to commit? Would you expect your energy company to use your meter readings to charge you, and then to repurpose and hand over your readings to a public authority even if you did nothing wrong?
The answer to these questions may not matter anymore. The UK Data Protection and Digital Information Bill would introduce two new lists of exemptions that would legitimise data uses regardless of these considerations when “making a disclosure” to a public authority, or when “detecting, investigating or preventing crime”. In turn, sharing your meter readings becomes perfectly legitimate in principle, even without a reason that justifies it in practice. Further, this would not stop at energy companies: be it a supermarket, a gym or a General Practitioner, any private organisation could be turned into a Government informant.
Ministers ruling by decree
The UK data protection reforms would also introduce the power for the Secretary of State to amend the lists of exemptions from the principles of lawfulness and purpose limitation via Statutory Instrument. But why should Ministers and not Parliament be given the power to amend UK data laws?
Say that you came up with some cunning legal argument to challenge the Government data collection plans described above. With the UK Data Protection and Digital Information Bill this would not matter, as the Secretary of State would have the power to bend the rules to their own needs. In turn, the Government could react to your successful Judicial Review not by aligning their illegal scheme to a Court Order, but by aligning primary law to their Ministerial will.
Other hints are pointing toward this approach. In the EPG privacy notice, the Government justify their collection of meter readings under the lawful ground of “the performance of a task carried out in the public interest […] and in the exercise of official authority vested in the Secretary of State for BEIS”. However, public tasks should be set out in law and be subject to appropriate safeguards, and you may wonder where the law is that invested the Secretary of State with the task of reading your gas meter. But if you look at it from the perspective of a Minister who wants to rule by decree and do what they consider necessary, the EPG data collection scheme (and the UK data protection reform) starts to show some coherence.
Wanted: the rule of law in the UK
The trends underpinning the UK Government's attitude toward the use of data and their reform are rather clear. You should not worry about data protection: you have nothing to hide, nothing to fear. And Ministers could still rewrite the law via Statutory Instrument and get away with it, so why bother in the first place?
You may also wonder what happened to the old-fashioned idea that the law should be there not to legitimise bad ideas, but to constrain the Government and hold them to account. The fact is, the Data Protection and Digital Information Bill is the mini-budget of digital regulation: an announced disaster that will undermine Government accountability, unleash automated discrimination, and sink the UK digital economy.
It is about time that the Government take stock of their years-long failure to produce a decent proposal, and bury their data protection reforms for the better. Meanwhile, Open Rights Group will not be sitting on the fence: register for our upcoming briefing on this Bill or join our mailing list.