The UK government is introducing a revised version of its oven-ready post-Brexit data protection reforms to Parliament, which it claims will save organisations £4.7 billion over the next decade.
This is a tall order as the EUs Data Protection Act has been one of the few laws from Europe that protected citizens from government and corporate spying. The UK version was expected to be watered down for this reason.
Originally introduced to Parliament in July 2022, the Data Protection and Digital Information Bill was due for its second reading on 5 September – the day the Conservative Party leadership election concluded – but was pushed back so that “ministers time to consider the bill further”.
The government now claims the updated bill will introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement, by providing businesses with more flexibility in how they comply with the new data laws, and further reduce the amount of paperwork required by organisations to show compliance.
Under the new law most companies will be allowed to ignore the law as only those whose processing activities is likely to pose high risks to individual’s rights and freedoms will need to keep processing records.
Science, innovation and technology secretary Michelle Donelan pointed out that the law had been co-designed with business from the start, “this new bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs.”
“ No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR [General Data Protection Regulation]. “Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next-generation technologies, create jobs and boost our economy.”
For instance, if an automated decision has been taken without “meaningful human involvement”, an individual can challenge that decision and request that another person review the outcome instead. However, the government has not specified what meaningful human input would look like.
More than 26 civil society organisations – including Open Rights Group (ORG), the App Driver’s and Couriers Union, Liberty, Big Brother Watch, and the United Tech and Allied Workers, among others – signed an open letter to Donelan calling for it to be scrapped and taken back to the drawing board.
“The most recent version of the bill contained many concerning and ill-considered proposals which endanger UK residents and UK data protection,” they wrote.
“In recent months, a wave of legislation (related to protest, freedom of speech, and more) has attempted to consolidate power in the hands of the government and corporations at the expense of the rights of every day people. Following that trend, the proposed changes in this bill will reduce proper oversight of data processing, jeopardise sensitive information about UK residents, and create opportunities for discrimination against vulnerable groups.”
Specifically, the signatories noted that the bill would change the data protection impact assessment process so that organisations no longer have to consult with data subjects affected by high-risk processing; lower the thresholds for organisations to refuse subject access requests; and remove the individuals right not to be subject to automated decision making.
They added the government would also be able to interfere with the regulatory function of the Information Commissioner’s Office (ICO), and allow the secretary of state to approve international transfers with little regard to the existence of enforceable rights and effective remedies.
The secretary of state will also be able to create new legitimate grounds for processing data, which has the potential for abuse.
Big Business was happy with the changes to the law. TechUK CEO Julian David said it would bring organisations clarity and flexibility when using personal data.
It would basically allow them to conduct research, conduct basic business services, use AI while magically keeping data protection in line with the highest global standards, including data adequacy with the EU.
