UK Biometrics Commissioner says data protection law could leave gaps in oversight
Outgoing UK Biometrics and Surveillance Camera Commissioner Fraser Sampson is warning that the country’s new data protection law could leave “a shortfall in oversight” for surveillance technology.
The country’s parliament is currently debating the Data Protection and Digital Information (DPDI) Bill, which is set to absorb the dual role of the Biometrics and Surveillance Camera Commissioner. The law also removes the requirement for the government to publish a Surveillance Camera Code of Practice.
The new law has been widely criticized by Sampson and his predecessor as well as UK academics. Sampson has announced he will step down from his role at the end of October 2023 after arguing that his post would become irrelevant with the new law.
In a new letter, published Tuesday, the commissioner explains that the DPDI Bill is based on the premise that public space surveillance is simply a subset of wider data protection and privacy. If the British Parliament accepts that premise, the Information Commissioner's Office (ICO) will be expected to fill the gap left by the absorption of the Surveillance Camera Commissioner and the abandonment of the Surveillance Camera Code.
The Information Commissioner's Office, however, does not have the necessary resources to cover pressing subjects that fall within the data protection remit, according to Sampson. He also noted that there are gray areas where regulatory responsibility is not clear-cut, particularly as new technologies develop.
“While the state’s use of biometric surveillance technology plainly engages individual data rights, it is well documented that some of the key issues giving rise to public trust and confidence considerations go beyond data protection and therefore, by extension, beyond the current remit of the ICO,” says Sampson.
The commissioner also called for a “systemic approach to regulation” and clear standards as the country nears the completion of the DPDI Bill, expected to be signed into law in early 2024 or later. The Bill is intended to set less burdensome requirements than the EU General Data Protection Regulation (GDPR) in lower-risk situations while maintaining high data protection standards.