Post GDPR ‘Global Britain’ to be built by restricting data protection rights, recourse
A new bill has been introduced to the UK parliament which proposes significant changes to data protection, biometrics, law enforcement, digital identity and identity verification, and even changes to the civil registry for births and deaths.
The Data Protection and Digital Information Bill (previously called the more descriptive Data Reform Bill) was introduced Monday to both the House of Commons and House of Lords with a statement read out in both. Debate will take place at subsequent readings.
It spans international data flows, to gig workers, to establishing trust frameworks for digital ID.
The downsizing of Biometrics and Surveillance Camera Commissioners has continued beyond merging to abolishment of the roles in favor of the Information Commissioner and Investigatory Powers Commissioner.
For the upcoming Digital Verification Services (DVS), the bill empowers the Secretary of State to undertake a raft of projects. There is a lot of work to do for completing trust frameworks, establishing a register of providers, determining potential fees, an information gateway and setting up trustmarks.
The bill proposes changing the way the UK civil registry works by establishing an electronic system to register births and deaths, moving the country on from paper record keeping.
The bill includes a lot of removals of the EU. For example with the EU’s upcoming eIDAS trust framework for the bloc, giving the Secretary of State powers to decide that overseas providers of trust services are not qualified, but on the other hand adds that EU conformity assessment bodies are to be recognized as qualified.
It is the post-Brexit government’s attempt to move away from what it considers restrictive EU GDPR law. The intention is that it will help the UK become an international data powerhouse of confident enterprises offering global data services, while still meeting the EU’s data adequacy requirements.
This is only the introduction, and the bill will go through various rounds in the House of Commons and then House of Lords, and will be subject to amendment. However, aspects of the bill propose significant changes to existing legislation such as the 2018 Data Protection Bill. It also deviates from the findings of a recent consultation into data protection on which it is supposedly based. Civil society groups called the consultation unlawful.
The Open Rights Group says the bill turns the UK into a “global data laundering hub.”
All political boxes ticked
“We now have the opportunity to seize the benefits of Brexit and transform the UK’s independent data laws,” said Matt Warman, Minister for Media, Data and Digital Infrastructure in his statement to introduce the bill. “We have designed these new updates to our data protection framework so it works in our interests, protects our citizens, and unburdens our businesses.
“Through this Bill we will realise the opportunities of responsible data use whilst maintaining the UK’s high data protection standards. The EU does not require countries to have the same rules to grant adequacy, so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”
His boss, Nadine Dorries, the Secretary of State for Digital, Culture, Media and Sport has also signed off the bill as compatible with the European Convention of Human Rights. Dorries supports Foreign Secretary Liz Truss who is standing to be leader of the Conservative Party and therefore UK prime minister and who has said she would leave the Convention if reform attempts to reduce the influence of its judges are unsuccessful, reported The Independent.
Warman foresees £1 billion in business savings over the next ten years by “reducing the burdens on businesses that have held the UK back from the benefits of greater personal data use before now.” Life will be better because some pop-up cookie requests may no longer be needed and, according to the statement, safer too by improving “the efficiency of data protection for law enforcement and national security partners – encouraging better use of personal data where appropriate to help protect the public.”
The text of the bill itself could lead to different interpretations. Also, somewhat ironically, the Parliament website is having trouble hosting the bill but staff will helpfully email a copy.
Controversial consultation
As part of the UK’s National Data Strategy, the Department for Culture, Media and Sport ran a 10-week consultation from September 2021 to gauge sentiment around its proposed changes to data protection law. The government published its response in June 2022.
Thirty civil society groups including Liberty and Privacy International wrote a joint letter to Dorries to complain that her department refused to meet them as part of the consultation, reported Tech Monitor. The DCMS denies the claims. The executive director of one of the groups called the process rigged.
The consultation discussed making changes to the role of the recently-merged Biometrics and Surveillance Camera Commissioner, Fraser Sampson. He even welcomed many of the proposals in his critique, such as the intent not to pass on his oversight of DNA and fingerprint use by police to the ICO.
The new bill would abolish the two original roles. The biometric oversight role will be transferred to the Investigatory Powers Commissioner. Other powers would go to the Information Commissioner’s Office. Technically the role of the Information Commissioner is to be abolished and powers transferred to the Information Commission.
Arguably the role gaining the most power from the bill is the secretary of state who will be able to make changes unilaterally (via consultation with the Information Commissioner and anyone they see fit).
The ICO is taking on more powers, yet perhaps the tool it wanted to push the most has had its wings clipped. Just last week promoted the use of subject access requests for individuals in tackling disputes with organizations. The tool would link in the ICO to a dispute. The new bill restricts this.
Data controllers would be able to determine whether a request is “vexatious or excessive” and may even be allowed to charge a fee to answer the request.
The bill covers many other areas of life somewhat beyond the scope of Biometric Update. So far, much of the analysis in the first day has focused on these.
“This bill will scrap important projection from prejudice and bias afforded women, workers, patients, migrants, ethnic minorities, and vulnerable people and communities, and everyone else,” comments Executive Director of the Open Rights Group, Jim Killock,
“This Bill will enshrine discrimination, bias and prejudice into UK law.”
Article Topics
biometrics | civil registration | data protection | digital identity | identity verification | Information Commissioner’s Office (ICO) | legislation | regulation | UK
Comments