How the Data Protection and Digital Information Bill affects you

Nadine Dorries and the Department for Digital, Culture, Media, and Sports (DCMS) have released their Data Protection and Digital Information Bill– Our policy expert Mariano deli Santi has produced his initial analysis ‘Data the Wrong Direction’ of the implications.

We have a major fight on our hands to stop their plans to tear up our data rights. One challenge we face is that ‘data rights’ can be quite an abstract concept. That’s why we are working on concrete examples of how these measures will effect you.

Over the coming months, ORG will be campaigning hard against these damaging proposals. Proposals that will increase data discrimination and prejudice. We will need the support of people such as yourself to be successful. So please do contact your local ORG group, or me personally if you want to get involved with our grassroots campaign

For the rest of this blog post, I’m going to set out some of our key objections, followed by some real life examples of how these changes could impact you.

1. Creating a ‘Data Oligarchs Charter’

Data transfers to other countries – The Government wants to transfer your data to other countries with lower privacy standards. This will create a ‘Data Oligarchs’ charter where data is laundered globally.

You buy a family member a ‘DNA testing kit’. The company you purchase the kit from then sends information about your genetic makeup to a country with very low data protection standards. It is then bought up by a large pharmaceutical company. 

Risking our EU adequacy status – Huge volumes of trade rely on us having EU adequacy status. This status means the EU determines the UK to be a safer place for its citizen’s data to be processed. In the race to the bottom of global standards, we risk losing this status.

Your company trades with both UK and EU citizens. At best you need to change your CRM system to cope with different data regimes, at worst you can’t process data on EU citizens who are your customers. 

2. Creating a Digital Surveillance State

The government wants to grant itself new powers to collect and share your data– Currently, the UK GDPR defines the six lawful basis for obtaining and sharing people’s data. This provides objective, robust, and clear legal standards that protect us from unjustified and disproportionate inferences with our private lives.

Under these proposals Government will grant itself regulatory powers to rewrite the law, and compel private businesses to share personal data they hold about you with the State and law enforcement authorities. While this is already being proposed for a list of activities related to national security and crime detection purposes, the Secretary of State can amend this list arbitrarily, at any time, and for any purpose they deem “of general interest”. In other words, the Govt will rule by decree, undermining trust, legal certainty, and the rule of law.

HMRC decides it wants to automatically scan all personal financial transaction records to detect fraud under the National Fraud Initiative. The minister amends data protection rules to allow unfettered data sharing for “fraud detection”. From banks, stores, and e-commerce retailers, every transaction you make is now sent automatically from your bank to HMRC where it is run through an AI algorithm to detect patterns of ‘suspicious behavior’.

Removing safeguards in place to protect people – If these plans went ahead the Government could use a statutory instrument to introduce a new basis for data processing and privatise law enforcement, for instance by allowing supermarkets to use the data they hold about you for ‘determining individuals at risk of offending. Their identities are then shared with the Police by ministerial decree. Marginalized groups within society could then be lawfully placed under surveillance programs as we have seen with the Met Police’s use of a ‘Gangs Matrix’ and ‘Project Alpha’.

The Police want to deploy an automatic system for detecting suspicious behavior or criminality among immigrants. The Minister introduces new data protection regulations to ensure that employers, landlords, and General Practitioners can share the right to work, right to rent, and Practitioners’ records to hunt down migrants and refugees.

3. Risks to British Businesses and data security

Scrapping requirements for organizations to undertake digital privacy impact assessments (Data Protection Impact Assessments). This will increase the likelihood of organisations making costly errors.

Your company implements new systems and experiences a large data leak. This results in damages being paid and reputation damage. The lack of a proper digital privacy impact assessment was a contributing factor to the data leak occurring. 

Scrapping independent data protection officers – Removing the requirement for an independent DPO will reduce the need to appoint an expert with sufficient autonomy and resources to ensure that people’s data are protected. Instead, it will encroach on a “yes-man” culture, where privacy officers follow orders and do not promote positive change. 

You are sacked from your job as a data protection officer. A senior manager is placed in charge of data protection. However, they have no real expertise or interest in it and are being driven by other corporate agendas. 

Subject Access Requests – The Government is proposing to make it harder for you to make subject access requests. This will be achieved by increasing the grounds upon which an organization can refuse your requests to access your data. Vulnerable people will find it harder to hold the powerful to account. 

A company has been treating you poorly. You have complained about them a couple of times in the past. You put in a subject access request to try and get to the bottom of the problem. Due to previous complaints, they decide to mark you down as a ‘vexatious complainant’ and refuse your request to access the data they hold about you.

Removing the right to challenge data discrimination arising from AI decisions– The Government wants to reduce the right we have to challenge unfair and biased decisions made by artificial intelligence. Whether it’s an automated sacking by a corporation, an algorithm wrongly determining your A-level results, or an AI system rejecting your mortgage or life insurance application. If the computer says no, you will have no right to appeal. 

You are automatically fired from your job by an AI algorithm. The algorithm didn’t take into account some of your circumstances. You are left without recourse to challenge their decision-making. 

4. The politicisation of the ICO and Ministerial Power Grabs

Ministerial Power Grab – The Bill grants Ministers the power to set the priorities of the ICO. They will also gain control over the Information Commissioner’s salary, and gain the power to veto the adoption of statutory codes and guidance. This will expose the ICO to political direction, pursuing cultural wars, corporate capture, and corruption.

The government decides it needs to crack down on Trade Union’s use of members’ data for ‘political purposes. It sets this as a priority for the ICO.

 Discretionary Power to Ignore Complaints – The ICO will be given discretionary power to ignore complaints. This will worsen their (already poor) track record, and allow the ICO to keep ignoring widespread and systemic abuses of data rights. Abuses that will only expand under these proposals. 

You make a complaint to the ICO. This is your last chance to try and get justice. You send the complaint off, only to receive an automatic email stating due to a backlog in cases your complaint has been triaged as not meriting further investigation’. You are told to go back to the organisation you are complaining about to resolve the situation.