Leading data rights lawyers, including one who led the case against notorious political consultancy Cambridge Analytica, have urged Members of the House of Lords to take more to time to scrutinise the Government’s controversial Data Bill.
In a paper published today by the Social Market Foundation think tank, two of the UK’s leading data rights lawyers – Ravi Naik and Alex Lawrence-Archer – have warned that the Government’s proposed changes to UK GDPR risk undermining important data protection rights. Vulnerable groups such as problem gamblers and gig economy workers are at particular risk of being exploited if the government fails to change course, they say.
In his foreword, Lord Clement-Jones CBE, Vice Chair of the All-Party Parliamentary Group on Digital Regulation and Responsibility, said that the Bill is “a significant step back from current data protection standards, potentially compromising individuals’ privacy rights, introducing ambiguity, and risking the UK’s data adequacy status with the EU, which could have profound implications for businesses and trade”. He added that “there is no Brexit dividend to be found here.”
Echoing these concerns, University of Cambridge academic Dr Ann Kristin Glenster said, in her foreword, that “the effects will be stark. The power imbalance between individuals and large data controllers, especially Big Tech and public services, will widen drastically.” She argued that “the knock-on effect will not only be felt by individuals,” but “business too will suffer.”
Following Brexit, the UK has the option to leave the EU’s General Data Protection Regulation (GDPR) and create its own privacy rules. The UK Government is introducing the Data Protection and Digital Information (DPDI) Bill, which it claims “will safeguard the public”. This Bill has been rushed through the House of Commons and now sits in the House of Lords, where it is currently being scrutinised by peers.
Ravi Naik and Alex Lawrence-Archer, co-authors of the paper, are two of the country’s most prominent data rights lawyers. Naik has used the law in the past to highlight the data harvested on individual voters by the political consultancy Cambridge Analytica – as well as trailblazing cases against the likes of Google and Facebook. Now he and Lawrence-Archer are raising the alarm about the risks from the proposed changes in the DPDI Bill.
The authors of the paper say that the Bill fundamentally weakens protections against personal data being misused by unscrupulous digital operators. If the Bill passes, operators will no longer be obliged to protect anonymised data, creating a considerable risk of privacy breaches in relation to sensitive information. This change is relevant in many fields where pseudonymous data is used, such as the health sector and where companies track individuals’ internet use.
The Bill also includes changes to rules on Subject Access Requests (SARs), which allow an individual to ask an operator for copies of personal information that it holds on them. Previously, organisations could only reject a request if it was deemed “manifestly unfounded or excessive”. If the Bill goes through, organisations will be allowed to refuse SARs if they are “vexatious or excessive”, conditions that the report argues are vague and open to misinterpretation.
These changes to the rules on data processing and SARs would mean that it will be easier for operators to ignore requests and take longer to resolve disputes, the authors argue, creating an incentive for operators to refuse the exercise of data subject rights. Furthermore, processing in many areas – such as excessive data collection on gig economy workers to detect supposed fraud – will be easier.
The result is that fundamental digital rights for both consumers and workers will be undermined. Alarmingly, the Bill is being rushed through Parliament, despite the Government introducing 150 pages of last-minute substantive amendments at Report Stage in the Commons. It is essential that Parliament is given time to scrutinise these amendments, the authors say.
Specifically, the paper recommends the following:
- The new ‘recognised legitimate interests’ clause should be removed from the Bill, retaining the requirement to consider how data processing affects individuals
- The proposed lower thresholds to refuse data subject requests should be removed from the Bill
- The new definition of personal data must be clarified to reduce the risk of hacks and leaks leading to privacy breaches
- Representative bodies should be empowered to bring claims and ‘super-complaints’ on behalf of data subjects to improve levels of legal compliance
Ravi Naik, Legal Director at AWO, said:
“We are really pleased to deliver this report for the Social Market Foundation. The principles of data protection are critical for business and fundamental for individual rights. Regrettably, as the paper shows, the Data Protection and Digital Information Bill is designed to restrain protections for individuals and will lead to uncertainty for businesses.
The many successes of the current framework – from shedding light on how gambling operators profile individuals, to providing the central legal guardrail against concerns from AI – should be built on, but the current Bill cannot do so. Rather, the Bill as presented appears to be a solution in search of a problem.
Moreover, the consequences from this Bill go beyond the UK. The EU will be watching, with our ability to share data across the continent at risk from the Bill. The Bill should not be passed in its current form. It needs scrutiny and development to serve its central purpose. We hope our paper helps with the debate on the future of the Bill.”
Lord Clement-Jones, in a foreword to the briefing said:
“This is an extremely useful and authoritative briefing paper. It makes it clear that the Bill is a significant step back from current data protection standards, potentially compromising individuals’ privacy rights, introducing ambiguity, and risking the UK’s data adequacy status with the EU, which could have profound implications for businesses and trade. There is no Brexit dividend to be found here.”
Dr Ann Kristin Glenster, Executive Director of the Glenlead Centre said in a foreword to the briefing:
“Data protection was meant to guarantee fundamental rights that could not be sold or bartered away. The Data Protection and Digital Information Bill does just that. To avoid this scenario – and the impact it will have on the UK’s data protection regime’s EU adequacy status – Parliament should adopt the recommendations herein. While the Bill’s proposed changes may seem to only introduce a few technical alterations, their likely effect if adopted without the changes proposed in this briefing, will be profound.”
Notes
- The SMF briefing will be published at https://www.smf.co.uk/publications/data-bill-uk-gdpr-reforms/ on 20th March 2024.
- The briefing is published by Social Market Foundation. The authors retain full editorial independence.
Contact
- For media enquiries, please contact press@smf.co.uk