The UK Data Reform Bill and the British Bill of Rights: a tragedy in two acts

The dust hasn’t settled since plans to undermine everyone’s right to data protection were announced, but the Government are at it again. Plans to ditch the Human Rights Act were just unveiled, in a combined effort to steamroll the rule of law and the freedoms we have always taken for granted.

Like the UK Data Reform Bill, the British Bill of Rights came after a nonsensical consultation document and a farcical consultation process. Like the Data Reform Bill, the Bill of Rights will diminish the protections it claims to strengthen. And like the Data Reform Bill, an honest assessment of the proposed changes reveals a coherent attempt to undermine legal standards in favour of arbitrariness, corruption and abuses. 

The Bill of Rights would impose a duty on domestic Courts to give “greater weight” to the views of Parliament on whether legislation that trumps the rights enshrined in the European Convention of Human Rights is compatible with it. This ultimately defeats the purpose of the ECHR — which is to oppose and hold lawmakers to account if they act in violation of these rights.

This also substantially lowers data protection: let’s see how the impact of this constitutional butchery reverberates in data protection, and why both reforms follow a common thread.

Legalise this Government

Concepts developed in the case-law of the European Court of Human Rights, such as “necessity” and “public interest”, also define boundaries concerning the extent and legitimacy of data uses. Changes in the Bill of Rights risk creating a loop where collecting or storing personal data will be “necessary” and “in the public interest” because Parliament deem these activities to be necessary or in the public interest — and not because objectively they are so.

Also, with the Data Reform Bill, the Government are asking to be given regulatory-making powers to introduce new “legitimate interest” grounds for processing, which would be deemed legitimate even if they trump the rights of others or they reuse data in a way which is incompatible with their original purpose.

Years ago, NHS digital had to stop handing over patients’ data to the Home Office for immigration purposes because this was illegal. With the Data Reform Bill, instead, the Government would have been able to introduce a purpose-built lawful ground to legalise what’s unlawful. In turn, the Bill of Rights would likely prevent you to challenge these grounds, because “Parliament have spoken”.

Dodginess by design and by default

The Data Reform Bill would scrap the UK GDPR accountability framework and replace it with “privacy management programmes”, a framework where organisations would be free to identify their own compliance requirements and mark their own homework. For instance, while Data Protection Impact Assessments will be scrapped, “organisations will still be required to identify and manage risks, but they will be granted greater flexibility as to how to meet these requirements.”

Thanks to the Government, we also don’t need to speculate about how this imaginative approach to accountability would work in practice.

During the Covid pandemic the Department of Health run their Test and Trace scheme without performing a DPIA. This is unlawful, but the Secretary of State was of a different opinion: he argued that three risk assessments had already been conducted, and these “covered all of the necessary”. This brilliant display of risk management skills didn’t prevent contact tracing volunteers from publishing confidential medical data on Facebook groups, hospitality staff from using phone numbers to harass women, and contact tracing data from being lost in excel sheets or leaked.

In other words: the Government will get away with harmful and negligent data processing activities thanks to privacy management programmes, just as they will get away with human rights violations thanks to the Bill of Rights.

Blackmailing the watchdog

With the Data Reform Bill, the Government are proposing to give the Secretary of State the power to issue a Statement of Strategic Priorities to the Information Commissioner’s Office. Contrary to what the Government claim, this statement would “sit below the ICO’s primary objective and duties under the UK GDPR and the DPA 2018” and therefore have legally binding force. The ICO would also have to formally respond to how they intend to follow these orders.

At the same time, the Bill will require the ICO to seek the approval of the Secretary of State for some of their regulatory functions, and it would empower the Government to unilaterally amend the salary of the Commissioner — thus exposing Commissioners who do not act as the Government want to retaliation.

Granted that the Bill of Rights does not go as far as to undermine the independence of the judiciary, both laws are pointing toward the same objective: allowing the Government to act against justice by avoiding independent scrutiny.

Digital rights are human rights

In the years preceding the Second World War, Parliaments had a pivotal role in bringing totalitarian Governments into power and legitimising their crimes. Lawmakers in Italy and Germany passed laws that undermined democracy and promoted discrimination, deportations and the arbitrary administration of justice. The same tragedy led to a greater understanding of the risks of State surveillance, and how information revealing someone’s health, religion or political views can expose individuals to discrimination and persecution.

The European Convention of Human Rights and the Right to Data Protection stem from that experience. However, behind the fig leaf of giving greater weight to lawmakers’ views, the British Bill of Rights will diminish human rights and democratic accountability. Just as behind the fig leaf of cutting red tape, the UK Data Reform Bill is poised to undermine data protection.

Data rights are human rights, and we at Open Rights Group will fight tooth and nail to preserve both of them. Get involved in our campaign, or join us, and help us protect our rights in the digital age.