The Open Rights Group says that the government is planning measures are designed to favour business and government interests over those of the individual.
The group thinks that the government will gut the data protection rights and weaken the oversight and transparency into how personal data can be used by businesses and government agencies.
ORG’s Legal and Policy Officer, Mariano delli Santi, said the authorities are seeking to “steamroll” anything that might get in the way of government and commercial use of personal data, to avoid the sort of reversals they suffered in bringing in Palantir and Google DeepMind to the NHS without sufficient transparency and contractual safeguards.
The only thing that is stopping Boris’s boys killing the entire thing stone dead is that they cannot afford to lose EU adequacy status, which is up for review by the European Commission in 2024. Losing adequacy would mean data could not flow freely between the UK and countries in the EU, with severe adverse economic consequences likely.
UK data protection legislation is currently based on the EU GDPR, but the government has signalled on numerous occasions that, having left the bloc, it wants to dilute many of its provisions. This includes replacing GDPR Article 22, which covers the right of individuals not to be subject to a decision based solely on automated processing, and Article 5, which requires personal data collection to be restricted to “specified, explicit and legitimate purposes” and be “adequate, relevant and limited to what is necessary”.
The TIGGR report, drawn up by three Conservative politicians in the summer, argues that such measures hinder the development of AI.
The Government avoids mention of these issues in its public pronouncements, instead of focusing on cookie banners and onerous opt-outs— illegal under the current legislation— to make its case.
“You can clearly see that they want to get rid of the GDPR but on the other hand, they want to retain the adequacy of the European Commission and therefore they don’t want to make too much noise”, delli Santi said.
The government is also seeking to neuter and control the data protection watchdog, the ICO, requiring the regulator to balance ‘public safety and ‘growth and innovation’ against its primary duty to uphold data rights. An individual wishing to complain to the ICO about data misuse will first need to inform the abuser, which would create an obvious disincentive, and businesses will find it much easier to claim that processing personal data is vital for their economic wellbeing.
In addition, the government wants to exert control over the ICO by having the power to dictate its priorities via an annual statement, said delli Santi. “They basically want to decide whether the ICO should be enforcing the law or policing in one sector rather than another.”
Among the recent cases brought to the courts under GDPR that would likely not succeed under the proposed rules are the reversal of the flawed algorithmic marking of A-levels, the case of Bounty UK, which was fined £400,000 by the ICO for selling 14 million records of mothers and children to advertisers and data brokers, and various cases where AI models have been found to have inbuilt bias, for example discriminating against certain ethnic groups.