ENABLING CREEPY USES OF DATA

1.3 Further Processing

The Government propose to amend the legal definition of the “compatibility test”, which prohibits organisations from reusing personal data for reasons that are incompatible with their original purposes. The Government also propose to allow the incompatible use of personal data for reasons of substantial public interest.

These proposals would undermine the principle of purpose limitation, and risk exposing individuals to irresponsible or malicious uses of their personal data. Allowing “incompatible” uses of personal data for reasons of substantial public interest would give unprecedented power to the Government or private actors to interfere with the private life of UK residents. Migrants would be particularly affected.

Impact on Migrants

Under the National Fraud Initiative, the Cabinet Office has been matching datasets from public records (death records, benefits claimants, employment and pension lists, credit reference data, immigration datasets) to detect fraud. They are now looking to expand this power to crimes other than fraud, which is thus likely to encompass immigration control.

Liberalising the further use of data for reasons of “substantial public interest” would give the Government unprecedented power to apprehend records and data being stored by public or private organisations and look for “suspect” activities. Migrants are likely to be particularly affected by such a regime, as they routinely hand over bank statements, utility bills and other documents to prove their right to work, to reside, or to rent in the UK.

This data would then be used to subject individuals to:

  • police investigations, arrests and prosecutions;
  • evictions;
  • employment dismissals;
  • suspension of benefits payments;
  • fines.

Other egregious attempts by the Government to break the purpose limitation principle to apprehend and reuse migrants’ data against them are, for instance:

Impact on Workers

Workers’ data are likely to be used by their employers for the purpose of fulfilling their employment contract. Easing the compatibility test would make it easier for employers to justify the further use of this data for reasons that are not necessary for that purpose. For instance, this would make it easier to legitimise workers’ surveillance in a manner that is disproportionate to the fulfilment of the employment relationship (see also Section 1.4: Legitimate Interests).

Impact on BAME, LGBTQIA+, other vulnerable groups

The ICO found that data being collected by Credit Reference Agencies (CRAs) for “statutory credit referencing” were later resold to advertisers for direct marketing. Advertisers used this information to exclude individuals from commercial offers based on their creditworthiness or other “undesired” characteristics being revealed by credit referencing data. Data brokers and CRAs stopped these practices following the ICO investigation, and an enforcement notice was issued against Experian for their failure to comply.

Government plans could end up legitimising the reuse of data in an underhanded manner by easing the compatibility test. In turn, this would affect one’s ability to enter into, or be offered, a variety of commercial offers, in particular:

  • tenancy contracts;
  • gas, electricity, internet or mobile phone contracts;
  • loans, mortgages and credit cards.

Credit reference data has been known to perpetuate race and class-based discrimination. It can also lead to exclusion of individuals who suffered hardship or were victims of fraud.

(See also Section 1.4: Legitimate Interests.)

Our draft response to Section 1.3: Further Processing

In our answer to Q1.3.1, Q1.3.3, and Q1.3.4, we explain how:

  • The compatibility test was first introduced in 1995 and clarified in 2013. The Government cannot rationally claim that the rules are still not being understood, nor is there reliable evidence to support such a claim.
  • The compatibility test already strikes the right balance between protections to individuals and responsible use of data. Thus, there is no need to amend it.

In our answer to Q1.3.2, we explain how:

  • The UK GDPR already allows the introduction of legislation that permits the incompatible use of personal data in the public interest. However, it provides essential safeguards that prevent abuses.
  • Allowing the incompatible use of data in the substantial public interest would circumvent essential safeguards enshrined in the UK GDPR, and give unprecedented power to the Government or private actors to interfere with the private life of UK residents. Migrants would be particularly affected.

The government proposes to clarify that further processing for an incompatible purpose may be permitted when it safeguards an important public interest. The government is considering whether it would be useful to clarify the circumstances, if any, in which further processing can be undertaken by a controller different from the original controller, while ensuring fairness and transparency. The government considers that a clarification in law may be helpful to confirm that further processing may be permitted, whether it is compatible or incompatible, when it is based on a law that safeguards an important public interest.

Q1.3.1 To what extent do you agree that the provisions in Article 6(4) of the UK GDPR on further processing can cause confusion when determining what is lawful, including on the application of the elements in the compatibility test?

Q1.3.3. To what extent do you agree that the Government should seek to clarify when further processing can be undertaken by a controller different from the original controller?

Q1.3.4. To what extent do you agree that the Government should seek to clarify when further processing may occur, when the original lawful ground was consent?

We strongly disagree that “the provisions in Article 6(4) of the UK GDPR on further processing can cause confusion when determining what is lawful” (Q1.3.1). Likewise, we strongly disagree “that the Government should seek to clarify when further processing can be undertaken by a controller different from the original controller” (Q1.3.3). Finally, we strongly disagree “that the Government should seek to clarify when further processing may occur, when the original lawful ground was consent” (Q1.3.4).

The law already allows further processing for activities (purposes) that are different from what was originally envisaged, provided that it is done fairly and that suitable safeguards are in place. However, it prohibits incompatible (exceptionally different) and unlawful ones. This is a reasonable balance that benefits the responsible use of data while preventing irresponsible or malicious organisations from harming individuals or trumping their data rights.

Furthermore, guidance that clarifies the meaning of the compatibility test was released in 2013. Responsible organisations ought to have assimilated this concept, almost 9 years after this guidance was released.

Q1.3.1a. Please explain your answer, and provide supporting evidence where possible.

Q1.3.3a. Please explain your answer and provide supporting evidence where possible, including on: How you envisage clarifying when further processing can take place; How you envisage clarifying the distinction between further processing, and new processing; What risks and benefits you envisage; What limitations or safeguards should be considered

On the one hand, the compatibility test for further processing was introduced by the EU Data Protection Directive in 1995, and has been clarified in a Working Party Article 29 guidance on purpose limitation that was issued in 2013.[1] Nine years after this guidance was released, we can safely assume that the concept was assimilated. Indeed, the first review that took stock of the implementation of the GDPR found no evidence that the compatibility test, now under Article 6(4) of the UK GDPR, is an obstacle to the responsible use of data.[2]

On the other hand, the law already allows further processing for activities (purposes) that are different from what was originally envisaged. However, it requires suitable safeguards, and prohibits incompatible (exceptionally different) and unlawful uses. This is a reasonable balance that benefits the responsible use of data while preventing irresponsible or malicious organisations from harming individuals or trumping their data rights. Therefore, we strongly oppose amending it.

Q1.3.2. To what extent do you agree that the Government should seek to clarify in the legislative text itself that further processing may be lawful when it is a) compatible or b) incompatible but based on a law that safeguards an important public interest?

We strongly disagree that the Government should legalise the further processing of personal data for incompatible purposes when it is based on a law that safeguards an important public interest (Q1.3.2). This would circumvent essential protections to the rights of individuals, exposing them to harms and abuses.

We also stress that modifying provisions around compatible purposes to allow the further processing for incompatible purposes does not “clarify” the meaning of the law but subverts it. We find the misleading framing of this question to be unacceptable for a Department that works in the public interest.

Q1.3.2a. Please explain your answer and provide supporting evidence where possible, including on: what risks and benefits you envisage; what limitations or safeguards should be considered

Individuals usually share personal data for a reason, and they expect this is how their personal data will be used. Honouring these expectations is an important safeguard against “mission creep” and unfair, irresponsible uses of data. This is why the prohibition on using personal data for reasons that are incompatible with their original purpose is one of the most fundamental safeguards provided by data protection. Derogating from this principle will, therefore, need to be exceptional and surrounded by exceptional safeguards and counterweights.

The incompatible use of data would lack essential safeguards

Article 23(1)(e) of the UK GDPR already allows the introduction of legislation that derogates from any consideration regarding the compatibility of data uses for “important objectives of general public interest”. However, this law must be a “necessary and proportionate measure in a democratic society”, and must implement additional safeguards, such as:

  • The requirement to exhaustively define the scope of the law and the kind of data that would be used under these conditions (Article 23(2) letters a, b and c).
  • Safeguards to prevent abuse or unlawful uses, as well as limits over how long data can be stored (Article 23(2) letters d and g).
  • Limits over what organisations can access or use the data in this manner (Article 23(2) letter e).

However, amending the rules governing the further use of data for incompatible purposes would allow the Government to bypass the limits enshrined in Article 23 of the UK GDPR, and introduce laws that lack suitable safeguards for the rights and freedoms of individuals. These laws could be very far-reaching, as they wouldn’t need to be a “necessary and proportionate measure in a democratic society”. Indeed, Schedule 1 Part 2 of the UK Data Protection Act lists 23 “substantial public interests”, spanning from “statutory and Government purposes”, to “standards of behaviour in sport”. Furthermore, there is no legal definition of “substantial public interest”, and the Government could effectively expand this list as they please.

The incompatible use would have a huge impact on UK residents’ rights

A working example of how such laws could impact individuals’ rights in practice is given by the National Fraud Initiative, which empowers the Government to “match personal data” for the detection and prevention of fraud. For instance, comparing tax records with the recipients of public benefits may make it possible to spot individuals who are claiming unemployment allowances but are instead employed. The Government is seeking to expand this power beyond fraud detection,[3] to include:

  • Prevention and detection of crime (other than fraud).
  • Apprehension and prosecution of offenders.
  • Prevention and detection of errors and inaccuracies.
  • Recovery of debt owing to public bodies.

Liberalising the further use of data for incompatible purposes in the context of the National Fraud Initiative would give the Government unprecedented power to look for “suspect” activities within any database they please. Information that individuals provided to banks and credit institutions, utility providers, employers, landlords, shops, travel agencies, as well as the information that credit reference agencies and data brokers may hold about these individuals, could all be repurposed even in the absence of the safeguards enshrined in Article 23 of the UK GDPR.

While this broad power to liberalise incompatible uses of data would affect UK residents as a whole, the impact on migrants would be even more pronounced. Documents such as tenancy contracts, bills, and bank statements are routinely handed over by migrants for a variety of life necessities. Documents that were provided to prove one’s right to reside, right to work, or right to rent could then be reused without restrictions, either within the National Fraud Initiative or because of a law that authorises it for reasons of substantial public interest.

[1] Working Party Article 29, Opinion 03/2013 on purpose limitation, available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

[2] COM(2020) 264 final, Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation. Available at: https://ec.europa.eu/info/sites/default/files/1_en_act_part1_v6_1.pdf

[3] Cabinet Office, Consultation on the expansion of the National Fraud Initiative (NFI) Data Matching Powers and the new Code of Data Matching Practice. Available at: https://www.gov.uk/government/consultations/consultation-on-the-expansion-of-the-national-fraud-initiative-nfi-data-matching-powers-and-the-new-code-of-data-matching-practice