The high attrition rate of proposals aimed at liberalising data protection suggests that deregulation is neither simple nor popular

Cynics who question whether the government ever takes a blind bit of notice of public consultation responses may need to rethink. Nearly a quarter of all the reforms proposed in last year’s consultation on liberalising data protection law have been dropped, the Department for Culture, Media and Sport has revealed. Of the 92 proposals in the ‘Data: a new direction’ paper, the government has formally decided not to proceed with 21. Another six have been kicked into touch to be considered further.

The attrition rate is significant because the UK’s ability to escape from the EU’s General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations has become totemic in the quest for ‘Brexit freedoms’. The GDPR figured strongly in last year’s attack on ‘Napoleonic, code-based’ regulation by the prime minister’s Taskforce on Innovation, Growth and Regulatory Reform.

But, as nearly 3,000 responses to the consultation showed, deregulation is neither simple nor, apparently, popular. One area where the government met an almost solid wall of hostility was the proposal to abolish the right not to be subject to significant decisions made by computer. This has become a particularly emotive issue amid concern about the employment of artificial intelligence algorithms in areas such as law enforcement and credit approval.

In truth, this so-called Article 22 right is not a particularly strong protection. It applies only to decisions based solely on automated data processing, so the addition of any human scrutiny beyond a mere rubber stamp would negate it. Nonetheless, the government apparently saw it as a barrier to the growth of the knowledge economy and the quest for efficient digital public services.  

Last week, however, the government said it would not pursue this proposal. The response concedes that the vast majority of respondents opposed removing Article 22, saying that the right to human review of important decisions taken by computer algorithm was a key safeguard. ‘Some respondents argued that the complete removal of Article 22 would damage the reputation of the UK as a trustworthy jurisdiction for carrying out automated decision-making,’ the response noted.

Instead, the response states, reforms will ‘cast Article 22 as a right to specific safeguards, rather than as a general prohibition on solely automated decision-making’. Its proposals will be aligned with the approach to be taken in a forthcoming white paper on AI governance.

Other proposals that will not be taken forward include the creation of a new lawful basis of data processing for research purposes. This is unnecessary as evidence suggests that researchers are comfortable using the existing lawful bases for processing personal data, the response said. The suggestion of raising the threshold of when data breaches are notifiable to the Information Commissioner’s Office (ICO) has also been abandoned.

Meanwhile, some proposed changes to the governance of the ICO, including a new statutory objective for it to consider the government’s ‘wider international priorities’, have also bitten the dust. However, the government is to press ahead with imposing a new duty on the commissioner to ‘have regard to economic growth and innovation’.

Elsewhere, despite opposition, the government is to remove the requirement for organisations to designate a data protection officer. Instead, organisations will have to give the task to ‘a designated senior individual’.

Other changes in an upcoming Data Reform Bill will include: increased fines for nuisance calls and texts and other serious data breaches; and measures to reduce the number of ‘user consent’ pop-ups and banners on websites. Web users will be able to set an overall approach to how their data is collected and used, rather than having to give consent every time.

Overall, the government claims that reforms to data protection laws could save UK businesses £1bn a year. However, it is clear that ministers have not been able to go as far in cutting loose from EU law as some of the deregulation enthusiasts would like. Experts warn that even the watered-down reforms could put the UK’s ‘data protection adequacy’ status with the EU at risk.

‘The shadow of the EU GDPR will still loom large over UK businesses that operate across the EU and UK,’ said Ross McKenzie, partner and data protection expert at international firm Addleshaw Goddard. ‘Many businesses will struggle to benefit from streamlined laws as a result and will need to juggle a twin-track regime. This means that for many international businesses the EU regime will trump UK reforms given the perceived higher standard.’