A ban on individuals being subject to automated decision-making could be abolished under plans to reform data protection laws published by the government today. The proposal is one of a wide range of changes which the government says will reduce burdens on science and business - while retaining data protection ‘adequacy’ in the eyes of the EU.
Cookie-warning pop-ups are also in the government’s sights, despite the information commissioner’s assertion earlier this week that the nuisance could be curbed within existing laws.
Several of the reform proposals will face a battle with privacy campaigners and critics of algorithmic decision-taking, especially in criminal law. They will also raise fears for the future of the UK’s data adequacy agreement with the EU. The consultation document stresses that the reforms 'deliberately build on the key elements of the current UK General Data Protection Regulation (UK GDPR), such as its data processing principles, its data rights for citizens, and its mechanisms for supervision and enforcement. These key elements remain sound and they will continue to underpin a high level of protection for people’s personal data and control for individuals over how their data is used'.
On adequacy, it states: 'The government believes it is perfectly possible and reasonable to expect the UK to maintain EU adequacy as it begins a dialogue about the future of its data protection regime and moves to implement any reforms in the future. European data adequacy does not mean verbatim equivalence of laws, and a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law.’
Specific proposals in the consultation, entitled ‘Unleashing data’s power’ include:
- Removing requirements for organisations to designate a data protection officer. While 'there may be risks to removing the data protection officer role' organisations will still need to be compliant with data protection legislation and accountable for compliance, the document states.
- Changes to the threshold for reporting a data breach to the Information Commissioner’s Office.
- Removing the requirement for prior consent for all types of web cookies.
- Creating a new, separate lawful ground for the lawful use of personal data in research. 'A new lawful ground could help reduce the complexity for organisations undertaking research in identifying a legal ground', the document states, noting that new safeguards would be needed to prevent personal data from being used in 'unexpected ways'.
- Drawing up a 'limited, exhaustive' list of legitimate interests for which organisations can use personal data without applying a public interest balancing test. This could cover data processing necessary for reporting of criminal acts and delivering statutory public communications and public health and safety messages.
- A specific provision would allow the processing of personal data for the purposes of monitoring and detecting bias in AI systems. Concern about biases becoming hard-wired into AI software emerged as a major theme in the Law Society’s 2019 investigation into the use of algorithms in the criminal justice system.
The proposal likely to attract the most controversy is that of removing Article 22 of the UK GDPR, as recommended by the Taskforce on Innovation, Growth and Regulatory Reform. Article 22 states that a data subject 'shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her'.
A proposal to introduce fees for subject access requests is also likely to be bitterly opposed.
Announcing the proposals, Oliver Dowden, digital minister, said that aspects of the GDPR regime 'remain unnecessarily complex or vague… Our ultimate aim is to create a more pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards.'