The Government assault on your privacy rights

It has been a busy few months for developments on privacy, even placing the COVID response aside. Last week, the Government again confirmed its intentions to water down data protection and privacy rights, by dismissing the risks to privacy from trade agreements. Ministers also laid out their intention to ‘diverge’ from GDPR standards while making the usual noises about ensuring you continue to have reasonable privacy rights. This came on the heels of Government’s intention to appoint an Information Commissioner who will put industry first and privacy second.

In addition to these statements , the Government is running proposals that could impact on everyone’s privacy, both through the Police, Crime, Sentencing and Courts Bill as well as a consultation on extending the National Fraud Initiative’s data matching practices to cover criminal investigations.

Let’s look at these developments in depth, so we can evaluate how committed the UK Government is to keeping its commitments to preserve privacy standards.

What the Government says it wants

In a Parliamentary hearing on digital trade and data, the Minister for Data, John Whittingdale MP, explained the Government position:

… We are consulting at the moment as to what reforms we might make to our own data protection laws, particularly to try to reduce the burdens on small businesses and to facilitate data exchange. That is part of a consultation that we launched in the National Data Strategy, and we will be publishing the consultation response very soon.

… We see an opportunity to demonstrate that it is possible to have high standards of data protection and to facilitate data exchange. To some extent, now that the UK has the ability to set its own laws, we are in a very strong position to promote digital technology and data transfer and we are going to use that through our influence in places like the WTO. We have made it one of the main themes of our G7 presidency. …

GDPR is certainly not perfect, and in some areas it has proved to be quite burdensome. We are not seeking to dismantle our entire data protection regime but certainly we are interested in making what changes can be achieved that will make it easier for data to be shared, while not diminishing the standards of protection. …

Elsewhere, in the National Data Strategy, the Government has highlighted the need to foster data innovation for businesses, and greater cross-border data flows, again reiterating that these changes will include a ‘high standard’ of data protection.

What the Government does

The agenda set out above may sound reasonable, if the desire to maintain high data protection rights can be demonstrated . However, within the Government’s own legislative agenda, the desire to see data used more is plain to see, but we do not see data protection concerns being properly considered.

(1) Police to be able to demand any Government data relating to violent crime

The draft Police, and Crime, Sentencing, and Courts Bill contains measures that would give the Police the power to demand personal information from a wide range of public bodies for the purposes of combating ‘violent crime’. While it is reasonable for the Police to be able to obtain personal information in many circumstances, the Bill does not create any particular safeguards, such as a warrant or independent request system, like that which exists for telephone records.

The Government here is clearly looking for ‘new ways to use data’, and to ‘remove barriers’ to its use, as it explains in the draft national Data Strategy. However, the commitments to respecting privacy and data protection rights have translated into nothing.

Among the many practical consequences of this Bill, racial profiling of communities and individuals through pattern analysis of data appears inevitable. This could lead to unfair discrimination, targeting and exclusion. Using data to find and target individuals without prior suspicion will always be both tempting and a recipe for gross mistakes. Yet there is nothing in the Bill to ensure that such practices will not be not the direct result of this proposal.

(2) Police to get any data they want from the National Fraud Initiative

The same is true for a barely-publicised consultation which would extend the data matching powers of the National Fraud Initiative. Here, the Government has identified some dormant powers to use the NFI scheme for the detection and prevention of crime, and seeks to put these into action.

However, these powers would be exercised at the full discretion of the Cabinet Office, that is carefully avoiding to commit to the implementation of any meaningful safeguards in the draft code of practice currently under review. Tthe result is an unrestrained power for the police to gain data, through the NFI, for any crime or investigation at all, without the need for even the most basic of additional safeguards. If this is put into law, it would produce a gateway for police to gain all kinds of information about people without their knowledge or consent; and reduce the likelihood of marginalised groups interacting with these services.

(3) Trade agreements risks to privacy dismissed

The International Trade Committee last week heard from MPs John Whittingdale and Greg Hands. Both appeareds to suggest that there were no risks to privacy from trade agreements, such as CPTPP, and that it would always be possible for the UK to operate data transfers in ways the UK wants. Greg Hands said:

First, the CEPA data protection provisions are a way of promoting data protection laws internationally, to say, “The counterparty to this agreement must have good data protection laws domestically.” Obviously with Japan we know that but, with CPTPP, that is an important thing to assert. …

Secondly, they do not provide the legal basis for the transfer of personal data from the UK. That is all provided for by our domestic legislation, which is not affected by the FTAs.

However, only in March trade experts told the same Committee something very different:

Mick Whitley: Is the [Japan CETA] exception sufficiently broad to allow the UK to maintain its current data privacy regime?

Professor Collins: The exception doesn’t look like it would be sufficiently broad to do that. Let me make one final point. It [the Japan exception] is very narrow, but it is perhaps not as narrow as it could be. I say that because, if you look at the CPTPP and its prohibitions on data localisation and restrictions on transfer, there is an extra little bit there and it makes reference to the notion of there being no other way. …

Importantly, one final point: “necessity” in the CEPA is not self-judging. It is not what the UK or Japan thinks is necessary; it is what a neutral arbitration panel thinks.

The surprising thing is that the Government does not have to run these risks, in CETA and CPTPP. It can mitigate them through either not signing clauses experts believe are dangerous, by freezing clauses so they are not implemented, or by adding ‘side letters’ that state an interpretation of clauses agreed by all parties to reduce the threat of trade challenges.

It is therefore very confusing for the Government to claim that it does not want dangerous changes to data transfers, while also refusing to acknowledge or mitigate risks that may be contained in the agreements. If the statements made by Greg Hands MP represent what the Government wants – to maintain its ability to set the status quo – then there is no downside to mitigating the risks. It only makes sense if the Government prefers a strategy that will lead to weakening protections.

(4) Rigged process to appoint an industry-friendly ICO

The search is underway for a new Information Commissioner to act as the UK’s chief privacy watchdog. The government wants to use this process to appoint a Commissioner that is friendly to industry concerns, and understands how to extend the use of data, but lacks regulatory experience. This should worry anyone who is concerned about privacy. So should the ICO’s reticence to pick any fight with the Government, whether on COVID tracing apps or their failure to conduct data protection impact assessments for Test and Trace. The ICO is creating the impression that they wish to reduce the political risk to themselves by keeping their heads down. This may be understandable, but is letting down people whose rights are being daily breached by Government behaviour, and who should be able to count on the Commissioner to speak truth to power. And it does not appear likely to work.

(5) Prohibitions on ‘general monitoring’ quietly dropped

One of the major worries surrounding the forthcoming Online Safety Bill, the result of the online harms white paper and framework, is that the ‘duty of care’ to reduce ‘harmful content’ will, in practice mean monitoring and removing content at scale. Because of the risk of automated mass-monitoring of content, which can be viewed as an infringement on both privacy and free expression rights, current legislation prohibits what is known as a‘general monitoring obligation’. The Government appears to have dropped commitments to retain this prohibition, which derived from EU legislation, to clear the way for some form of general monitoring under the Online Safety Bill.

Our privacy is under threat from this Government

As all these disparate strands come together, iIt is hard not to conclude that this is a Government which has committed to increasing amount of data which is collected, as well as the amount of data which is shared, but has not absorbed the risks and consequences. An obvious answer to address these risks is to improve the enforcement of existing legislation. Instead, the Government identifies legislation – or, in the words of the National Data Strategy, “burdensome regulations” – as a barrier to its objectives.

Data protection legislation is based on user-centric principles, and it forces those who hold that data, whether the public sector or business, to balance its use against potentially adverse consequences to individuals.

It is hard to see how to facilitate the greater use of data without enabling the public sector and businesses to have less regard to the privacy impacts. Indeed, the Government’s’ own approach to its own policing powers are exactly that: more data use, but no consideration of privacy and justice concerns.

We should be extremely worried. Proposals seem to have regressed to the kind of thinking we saw at the worst moments of the New Labour government. We need to act now – starting with the new Police data sharing powers – to push back against this regressive strategy.

Hear the latest

Sign up to receive updates about Open Rights Group’s work to protect digital rights.