Vandalising data rights

Anything you say and do can and will be used against you. With ‘Data: a new direction’, the UK Government is proposing a bonfire of information rights that will open the floodgates to weaponising personal data against British residents.

Every day, we produce vast amounts of information. All these data trails can be temporary, or they can go down on your permanent record. They can be used for what we intended (buying something, watching a video) — or they can be exploited for commercial interests, disclosed to the authorities, and used to discriminate against us. Whether it goes one way or the other is a matter of policy and of practice.

The proposed UK data protection framework would give unprecedented freedom to reuse personal data against the will of the individuals concerned, for good and bad purposes alike. The few remaining legal boundaries would be undermined in practice by watered down accountability rules, weaker supervision, and increased bureaucracy for individuals seeking redress.

Last week we focused on the UK Government failure to articulate a good reason to water down UK data protection rules. In this blog, we focus on the policies that would make distrust and exploitation the price to pay for using UK digital services.

The freedom to use your data against your will

“Purpose limitation” is the principle that provides the cornerstone of trust in GDPR. If you go to a pub and place an order with your credit card, this information will be used to process your payment and serve you a beer, nothing else.

The GDPR also provides some flexibility under the legitimate interest clause: organisations may reuse data for their own benefit, provided that they do not trump the rights and interests of the individuals involved.

This is known as a balancing test, and it is just as common sense as it sounds: keeping track of your orders to draw statistics about how many beers are sold at peak hours will pass the test, but disclosing your drinking habits to your insurance company will certainly not.

However, the UK Government propose “to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test”.

This change would fundamentally subvert the nature of legitimate interest. It is very easy to claim an interest in doing something, and introducing your rights into the equation is the thin line that separates legitimate uses for abuses.

Furthermore, the Government would apply this exception to a variety of broad-ranging, easy to misinterpret catchphrases. For instance, “we process your data to improve our services” is likely to be the single, most abused buzzword to justify the unjustifiable. Yet, this would become legal under UK law, thanks to a new legitimate interest clause “aimed at improving services for customers.”

The same exception would apply to “reporting criminal acts or safeguarding concerns to appropriate authorities.” You may think this provision it’s for the criminals alone, until you realise that crimes are ascertained in courts of law. Data being shared under this clause will then refer to alleged crimes or to the suspicion of crimes: being an honest citizen won’t necessarily cover your back.

Paywalls and increased bureaucracy to exercise your rights

We’ve seen how the new rules will allow unprecedented freedom to share and reuse your data. Insurers, landlords, employers, the police, anyone will be able to collect and use your information for their own self-interests. Anyone except you: unbelievable as it sounds, “the government is considering whether to introduce a fee regime […] for access to personal data held by all data controllers”.

This proposal is outrageous for a number of reasons. Information rights aren’t commodities, but human rights that ought to be guaranteed regardless of your economic well-being.

Furthermore, Data Subjects Access Requests (SARs) are one of the most important tool to investigate and uncover malpractices: imposing fees will have a clear chilling effect and represents an hypocrite attempt to curb scrutiny and accountability, to the detriment of law-abiding businesses and organisations.

Finally, victims of data abuses will be asked “to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO”. After paying to gather evidence of misconduct, you may find out that your complaint has been dismissed because you didn’t follow a procedure laid down by the organisation that committed the offence.

Weak accountability and lack of independent supervision

This may not surprise you, but the UK Government considers accountability “a key driver of unnecessary burdens”. Therefore, they propose “to implement a more flexible and risk-based accountability framework which is based on privacy management programmes”.

Here, the Government fails to mention that the GDPR already provides for risk-based accountability rules. Instead, the new accountability framework would remove the duty to keep records and conduct Data Protection Impact Assessments across the board. Further, it introduces an unreasonably high threshold to notify data breaches. In its place, organisations will have to self-assess and identify compliance requirements that they believe are necessary to keep themselves in check — what could possibly go wrong?

Icing on the cake, the UK Government is considering to undermine article 22 of the GDPR — the “human in the loop clause” —, a move that would allow automated decisions with life-chaning effects to be taken in a black box. Computer says no would become everything a organisation needs to deny you employment, credit, or benefits.

This proposal fundamentally introduces uncertainty and leeway for abuses where there used to be clear requirements tailored to the size of an organisation and the risks involved. On the other hand, these changes will make it harder for the Information Commissioner’s Office to conduct audits, scrutinise data practices, and collect evidence of wrongdoings. Furthermore, the ICO:

• Will be tasked with the statutory duty to “have regard for economic growth and innovation” and “the government’s wider international priorities”. In other words, the ICO will have to put profit and Government international trade agendas before your data rights when discharging their function.
• Will be asked to inform his strategy according to “a statement of strategic priorities’ given by the Secretary of State for Digital, who will also have the power to amend the Information Commissioner’s salary” without Parliamentary approval.

In effect, this will give the UK Government the power to control the agenda of the ICO. They would also have the option to cut the salary of those Commissioners who do not please Government. This is a very bad position for a watchdog to be in, and is fundamentally incompatible with the notion of having independent supervision over Government use of data.

Welcome to the Hostile Digital Environment

First,they came with “nothing to hide, nothing to fear”, the all-watching surveillance state doctrine that justified harms and prevarication from pervasive surveillance. Today, the UK is presenting a grand vision for a hostile digital environment: a jungle where big tech and rogue businesses will be free to harass you in the name of growth and innovation.

Open Rights Group will be fighting tooth and nail against this disgraceful proposal. Please consider subscribing to our newsletters to get our updates, or join us in our fight.