UK data reforms: ORG meeting with members of EU Parliament

The UK data reform is gaining international attention: Members of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament are visiting London from 2-4 November to meet with UK Government representatives, civil society and other interest groups.

Open Rights Group are participating in these meetings, with the aim of briefing members of the LIBE committee on the latest developments concerning the UK Data Protection and Digital Information Bill (aka the Data Discrimination Bill). Although the Bill was withdrawn from Parliament, a common thread runs through the reform process, starting from the National Data Strategy, the TIGRR report and the Data: a new direction consultation.

In this blog post, we take stock of these main trends, explaining why they are raising the alarm in the European Union, and why the new, upcoming DCMS consultation will likely exacerbate the issues we identified in our analysis of the Data Discrimination Bill.

Diverging from a human-rights framework of data protection

The UK Government have long advocated for “freeing up” the use of data as a way to grow the economy and improve the efficiency of public services. In the Bill, this is reflected by the provision of discretionary regulation-making powers, which would allow the Secretary of State to designate data uses and reuses that are always considered legitimate under UK data protection law. On top of that, these new regulation-making powers would override primary legislation, thus allowing the Government to define the boundaries of what is a legitimate interference with our right to a private life instead of abiding by the standards enshrined in legislation.

This approach would punch holes in the essence of European data protection law, which stems from the European Convention on Human Rights and the understanding that data processing can affect our rights and personal autonomy. Thus, the use of personal data should be proportionate and underpinned by a legal framework against which private organisations, as well as the Government, can be held accountable.

Also, this Data Discrimination Bill would introduce 50 distinct regulation-making provisions, thus delegating legislative powers to the Government throughout the entire UK data protection framework. Among the most relevant ones, the Government would be empowered to exempt research processing from legislative safeguards; exempt cookies from consent requirements; (further) restrict the right not to be subject to solely automated systems; approve international data transfers; define the regulatory priorities of the UK Data Protection Authority (the ICO); veto the adoption of codes of practice; and issue instructions as to what the ICO would need to change in their codes of practice to overcome this veto.

The impact of new UK data laws on EU citizens and organisations

In its current iteration, the Bill includes provisions that would always legitimise data processing by a private organisation for disclosures to a public authority, as well as for law enforcement and national security purposes. These provisions would also give UK public authorities the unilateral power to determine what data they need, and then compel any private organisation to disclose this data to them.

The impact of this mechanism would be significant on European and UK citizens alike, since personal data would fall under this framework regardless of their origin. In turn, personal data crossing the UK for any reason — including the provision of commercial services, research purposes, or judicial and law enforcement cooperation — could later be repurposed under the clauses mentioned above. Further, the Secretary of State could always exercise their powers to legitimise more data uses under similar conditions.

Finally, the UK data protection framework would have extraterritorial application, meaning that the reach of the decisions made by the UK Secretary of State would extend to organisations based in the EU. As the UK is currently recognised as an “adequate jurisdiction” by the European Commission, EU companies may lack standing to refuse data-sharing requests issued by a UK public authority under any of the grounds provided under UK regulations.

International data transfers and impact on digital trade

Alongside the aim to deregulate and “free up” personal data uses, the UK Government also intend to make the United Kingdom a “bridge across the Atlantic and operate as the world’s data hub”. These aspirations are reflected in the new regime for international data transfers that replaces the adequacy determination system under the GDPR.

In the new regime, adequacy determinations would be scrapped and replaced by “transfers by regulation”, authorised by the Secretary of State at their own discretion and after carrying out a “data protection test”. Contrary to the “essentially equivalent level of protection” required by the GDPR, the new UK data protection test does not require judicial redress in the jurisdictions where personal data transfers are authorised, and it does not require consideration of the impact of legislation “concerning public security, defence, national security and criminal law and the access of public authorities to personal data” on the level of personal data protection afforded by such jurisdiction.

On top of that, the Secretary of State would have the discretion to approve such regulations not only based on this data protection test, but on “any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom”. These regulations could also identify entire geographic areas where personal data transfers are authorised, specific recipients inside a given area, or give discretion to a third party to make such determinations.

Thus, the UK international data transfer system would significantly depart from the GDPR, where adequacy decisions are strictly regulated and subject to the judicial oversight of the Court of Justice of the EU. Indeed, it is unlikely that a UK Court would challenge an international data transfer regulation, as the facts and judgement over whether such regulation is desirable are left to the appreciation of the Secretary of State. In turn, the UK could become a gateway to circumvent the adequacy system and transfer EU personal data to any other third jurisdiction via the UK, at the discretion of the Secretary of State or a “delegated person”. Also, nothing would prevent international data transfer regulations from being embedded in any international trade agreements the UK intends to enter into.

The UK data reforms going forward

The UK Government have announced their intention to table more radical reforms in order “to form a truly bespoke, British system of data protection”. This is not all: legislation was tabled in Parliament to expunge any retained EU law or derived legislation by the end of 2023, and to forbid UK courts from referring to the case law of the Court of Justice of the EU. Plans to scrap the Human Rights Act, and to “liberate” UK courts from the decisions of the European Court of Human Rights, are also being revived under the new Cabinet.

These plans would also remove many of the foundational elements of the UK adequacy decision, granted by the European Commission in June 2021. Although the UK Government claim that adequacy will be “at the heart” of the new UK data protection framework, the facts do not corroborate their statements. Instead, the UK Government seem to be pressing further ahead in their attempt to diverge from European laws, human rights and rule of law standards.