Government prepares to take back control – of your privacy

The UK Government has unveiled their plans to deregulate data protection laws. In the Government’s usual fashion, the Minister for digital, Oliver Dowden, announced this policy shift in an “exclusive” paywalled piece in the Telegraph, ahead of the official press release to the public.

We knew that this policy shift was coming. Nonetheless, this Government announcement speaks volumes regarding the vision they have embraced and the priorities they are setting for the year to come. Let’s unpack them.

Prioritising corporate profits over your rights

Legislators in the EU, the US, India, Brazil, and even in China have been moving to increase privacy protections, regulate the uses of data, and rein in privacy abuses by platforms. In the post-Brexit parallel universe, though, the UK is worried about “churches being prevented from sending parish newsletters to advertise jumble sales”. To address this pressing threat, the UK Government proposes to alter the mandate of the Information Commissioner’s Office from regulating privacy law to “promot[ing] data-driven growth and innovation.”

What does this mean for your data rights? Facebook argues that enforcing data protection laws against them would have “devastating” and “irreversible” consequences for its business. Adtech companies argue that restricting online surveillance would undermine the financial sustainability of the media and the open internet. Google holds a similar opinion, and argues that “The open and affordable web is only possible today because of [surveillance] advertising”.

Government also wants new data protection laws to ease the life of SMEs, charities, and other small organisations. By prioritising the economic interest of organisations of any shape and size, we wonder how the new Information Commissioner will have the opportunity to uphold our rights, and against whom.

In other words, adtech vendors, surveillance capitalists, and businesses engaging in data exploitation will find the UK’s data protection model a highly attractive prospect.

Jeopardizing the UK’s adequacy decision before the ink is dry

You may have heard that the Court of Justice of the European Union judged US surveillance practices to be incompatible with GDPR standards. The UK, instead, has announced their intention to strike a deal to resume unfettered data transfers from the UK to the US, alongside five other countries.

Oliver Dowden claims these agreements “will be subject to assessments that ensure high data protection standards”. However, he seems not to be worried about the outcomes of these assessments. After all, these partnerships are meant to “make it easier for UK organisations to exchange data with important markets and fast-growing economies”.

In other words, Government seem to think of these partnerships as “done deals”, leaving little space to any data protection considerations. This approach will inherently jeopardise the already weak UK adequacy decision, whose withdrawal would halt data transfers with the EU and result in hefty compliance burdens and costs for UK businesses.

It’s not about the cookie banners

The Government’s announcement depicts these changes as an opportunity to eliminate “cookie banners”. However, removing the batteries from your smoke alarm to stop the annoying beeping won’t stop a fire, and watering down your data rights won’t prevent adtech companies from abusing your data.

Also, Government conveniently ignores that, as we speak, hundreds of GDPR complaints are being lodged in the EU against adtech “cookie consent terror”. Cookie banners are already unlawful, and we can get rid of them with enforcement, not deregulation.

Finally, the ICO already found in 2018 that adtech practices were illegal, but they chose to start a debate instead of enforcing the rules. In 2021, after endless engagement and empty commitments by the adtech industry, nothing has changed. Needless to say, Government plans to make the ICO more collaborative and business-friendly will only exacerbate these failures.

The new ICO needs not to follow the same route

Government proposed changes are a good recipe to cement abuses and malpractices. Another outcome is possible, though, and the new Information Commissioner can play a leading role in solving the issues we described before.

On the one hand, rogue actors and offenders with no intention to comply with the law learnt to engage in endless discussions with the ICO as a way to dodge responsibility and avoid enforcement. The ICO could discourage such behaviours by making them an aggravating factor, thus issuing heftier penalty notices to those organisations that try to game the ICO Regulatory Action Policy. A good measure to judge the good faith of an organisation would be whether engagement resulted in improved compliance and substantive changes to their data practices.

Further, the ICO shouldn’t be afraid of detailing the compliance standards that apply within the context of their guidances. For instance, the ICO Guidance for the use of personal data in political campaigning states that political parties may profile individuals without asking for their consent, depending on the risks involved. While this may be true as a general rule, political profiling will inherently entail high risks for the data subjects, and thus require consent. The ICO needs not to stay on the safe side, and they shouldn’t be afraid to state strict compliance requirements upfront. In doing so, the ICO would help organisations understand how they are expected to operate in practice, to the ultimate benefit of our data rights.

Please join our mailing list to stay in touch and help us fight these appalling proposals.

Hear the latest

Sign up to receive updates about Open Rights Group’s work to protect digital rights.