No doubt by now most of you will have had a chance to digest the Department for Digital, Culture, Media and Sport’s (“DCMS”) new proposal to update our data protection laws. The document is titled ‘Data – a new direction’, perhaps adding “off a cliff” would have captured the essence of their vision. Being a data protection lawyer, I am never going to be in favour of eroding people’s privacy, but I am also not going to object to safe and lawful use of people’s personal data because I know in an ever-growing data driven world, businesses need data to carry out legitimate activities. The concept of respecting data protection laws and having the right conditions for businesses to flourish are not mutually exclusive, one can support the other very harmoniously.
Some of the aims for the new data protection regime are to be adaptable, dynamic, and flexible. One should also be able to interpret it quickly and clearly. Those are all very reasonable and by all means pleasant to the reader. However, they play into the hands of those blessed with the most resources including highly paid lawyers who scare regulators into having their own way. You know the group of organisations I am talking about, and it’s not just the owner the popular messaging application which recently went down but most of them, a lot of the big juggernauts rely on stretching the boundaries of lawful processing of data in order to serve the needs of their ever-expanding business empires.
There is a lot that is wrong with the proposal – I could critique the entirety of the 146-page document, but I’ll just highlight a few:
1. DCMS’s proposal claims that it wants to rid organisations of having a disproportionate administrative burden created by the existing regulations. However, not only does the current regulations already allow for this, the proposed changes wouldn’t necessarily mean less administrative burden but just a different kind;
2. Most readers will accept that the landscape around international transfers post-Schrems II has been challenging. However, Schrems II raised legitimate concerns around people’s fundamental rights, and international transfers to the USA should have always been prefixed with a big warning sign. DCMS’s proposal just repudiates Schrems II by allowing the flood gate of personal data to flow into the USA with various justifications, for example, it even allows exporters to make their own decisions about how to protect personal data being exported. Finally, it allows the Secretary of State, who will of course be impervious to the lobbying power of big companies, to recognise new transfer mechanisms;
3. Potential for limiting the scope of Article 22. Article 22 is a baseline which acts as a safeguard for individuals. In an increasingly digitised world where more and more machine learning and artificial intelligence are being used to dictate people’s rights, it is only fitting that people can rely on human intervention to challenge those decisions and that there are additional measures to safeguard people’s rights and freedoms. Anything which limits these will be a big win for industry players at the expense of people who will be affected by those automated decisions;
4. Most of the proposed changes to the UK’s Privacy of Electronics Communications Regulations are accepted. However, the intention to exempt political parties from these regulations is nothing short of scandalous. Most ordinary members of the public would just as easily been offended by political canvassing calls as they would receiving nuisance calls about, say, fictitious accident claims. This kind of exemption would infringe on people’s rights to a private life and will most definitely benefit the existing political establishment with deep pockets and well drilled campaign strategies, further eroding that notion that we have a choice when it comes to electing our politicians.
Though some of the proposed changes are acceptable, overall one is left with the overriding impression that what we are seeing here is an attempt to pimp out our population’s personal data, and this is all at the expense of people’s rights and freedoms whilst taking away, or at least watering down some of the existing safeguards which are there to protect individuals. UK organisations, mostly public but also some private organisations, have good information management processes and that means we are sitting on a tranche of useful data. By sticking to the “levelling up” mantra, you will find on closer inspection that they are watering down your rights to privacy. Very soon you might find your sensitive data being disseminated across the globe with very little recourse because it will be permitted under the new proposed privacy laws. I would therefore encourage people to engage with DCMS’s consultation on this, which closes on 19th November 2021 at 11:45pm, and our clients can rest easy knowing that whatever the changes may bring, we will ensure you remain compliant.