COOKIE CONSENT REVIEW EXPOSES WEAKNESSES IN UK DATA PROTECTION REFORM

The Information Commissioner’s Office (ICO) is running a consultation on a new enforcement approach to regulating advertising. This call for views will also support the government in developing planned secondary legislation to create a new exception to consent requirements for specific low-risk advertising purposes.

In a previous blog, we explained the issues about cookie consent requirements and online tracking. This blog focuses on the impact that the recent Data (Use and Access) Bill is having on this important issue.

As the first test to the UK data protection regime emerges, fears over Henry VIII powers are already materialising: key changes to the UK data protection regime are being discussed with little publicity, and despite the potential impact they may have on the privacy and safety of UK internet users. This contributes to a broader concern, characterised by ever-lower standards of public life and the ongoing attacks on the integrity of the Information Commissioner’s Office (ICO), whose role is being hijacked by governments’ partisan agendas and the private interests of online tracking companies.

As poor political leadership and captured institutions are withdrawing from their responsibilities toward the British public, Parliament will come under increased pressure to step in and fill the void. Members of Parliament and peers in the House of Lords have an opportunity to act, and ensure the interests of their constituents are not lost by deteriorating institutions and corporate capture. Will they seize it?

HENRY VIII powers deny scrutiny and debate

The Data (Use and Access) (DUA) Bill introduced several Henry VIII clauses, which allow the government to override key data protection provisions with Statutory Instruments. Among others, the government was given powers to introduce new exemptions for the requirement that websites muct get consent before storing cookies that are not strictly necessary for the functioning of a website, such as advertising cookies.

Statutory Instruments do require Parliamentary approval, but scrutiny of delegated legislation is a rubber stamp exercise that lacks substance. Debate in the Delegated Legislative Committee cannot last longer than 90 minutes, but is usually much shorter. This is followed by a motion which Parliament votes on without any debate at all. The process as a whole must be completed within no more than 40 days (usually, 28) since a Statutory Instrument has been laid before Parliament. According to the Institute for Government and the Hansard Society, the House of Commons has not rejected a single Statutory Instrument since 1979.

The process that the DUA Act has put into place is a dangerous one. Rewriting cookie rules strikes at the heart of online platforms’ business model and could open the floodgates for online harms and the toxic Internet. Despite their importance, the government has the power to punch holes in these provisions in as little as 28 days. Parliamentary debates of Statutory Instruments leave little room for substantive scrutiny, leaving our representatives and the public ignorant, and the debate dominated by industry groups and their interests.

ICO legal framework favours corporate capture

The DUA Act also introduced changes to the statutory framework that underpins the ICO. These include wide, arbitrary powers for the government to determine the composition of the new Information Commission and interfere with the functioning of the ICO, detracting from its impartiality and objectivity. At the same time, the new ICO statutory framework shifts focus away from enforcement of rights and regulatory oversight, towards private commercial interests such as “growth” and “innovation”.

The ICO’s proposal to deregulate online tracking rules constitutes part and parcel of a plan of the UK government to “promote growth”. It is one of a number of pledges the ICO committed to, following pressure from the Labour government to independent regulators which culminated with the Trump-style removal of the Chair of the Competition and Markets Authority. Given this background, is the ICO’s call for views compromised from the start, and can they they retain sufficient arms-length from the government to conduct their function.

Industry and commercial interests are deeply rooted within the structure of the ICO. Following its governance shake-up, a senior director of regulatory affairs at Google has been appointed to become Executive Director. The ICO has also been working alongside Meta during the development of a supposedly “privacy-preserving” advertising technology. Even Liveramp, against whom we have filed a complaint for privacy violations in the online advertising space, has revealed that they “have been working with the UK ICO for the last 2.5 years” as part of their “ongoing engagement with regulators to ensure LiveRamp delivers privacy-centric solutions”.

Finally, democratic accountability requires regulatory authorities to enforce the law as it is, insofar and until changes have been legitimately introduced by lawmakers. The process envisioned in this review—where the ICO would first relax enforcement, and the government would then amend regulatory requirements to legalise this posture—breaches this basic principle. Unfortunately, UK case law has inappropriately given the ICO a rather large discretionary remit, which weakens democratic oversight and makes it difficult to hold such behaviours to account.

Parliament needs to fill the void

Facing its first test, the weaknesses introduced by the Data (Use and Access) Act to UK data protection law are already showing troublesome signs. The framing of the call for views is inadequate to support meaningful public debate. Statutory changes to the ICO’s legal framework, the appointment of senior industry representatives within its corporate structure, and close cooperation with major adtech players suggests that the ICO, supposedly, an impartial body, is shifting away from data protection oversight and toward the protection of industry interests instead.

On top of that, democratic checks and balances appear compromised. Existing case law makes it unlikely to hold the ICO to account if they were to adopt a new regulatory posture that contradicts legal requirements. Even if a judicial review were successful, Henry VIII powers would allow the government to legalise whatever stance the ICO adopted within as little as 28 days, thus neutralising judicial oversight.

Given this state of affairs, our representatives need to fill the void left by poor party leadership and defective data protection reforms. Whereas Parliament retains formal scrutiny over Statutory Instruments, the complexity of these issues and the speed of the approval process will require parliamentarians to be proactive and to step up pre-legislative scrutiny, to ensure fair representation of the interests of the British public.

Likewise, the ICO deserves closer scrutiny from the Select Committee for Science, Innovation and Technology. The relationship between the government, large technologies companies and the ICO need be investigated, as it is liable of compromising the independence and integrity of regulatory oversight. In addition, the limits surrounding judicial oversight require the Select Committee to step in, to ensure that the laws of Parliament are not overridden by the internal agenda of the ICO.