Are proposed data protection changes a threat to UK citizens’ privacy?

Government proposals to liberalise the UK’s data protection regime in support of increased innovation, research and economic growth, alongside an expansion of the remit held by the Information Commissioner’s Office (ICO) to support these goals, have prompted discussion among data privacy and infosec experts, with some concerned that Boris Johnson’s government means to gut the General Data Protection Regulation (GDPR) and open the door to an unstoppable grab of personal and private data.

Westminster stated its intention to make changes to data regulation in a major announcement on 26 August 2021, in which it also detailed an enhanced role for the new information commissioner and plans to pursue data adequacy agreements with a number of countries that the government is targeting as a focus of British trade, now that it has successfully cut the UK off from its European partners.

Digital secretary Oliver Dowden talked up the still nebulous changes, describing them in interviews with national media as a means to put an end to some of the consent mechanisms that have been core to how the GDPR works, such as pop-up cookie consent tick-boxes, an issue that will play well to the average voter.

But data privacy experts are already warning that the government is setting itself up for trouble in more ways than one. Some argue that the government’s ambition to create more freedoms for how organisations can make use of data, while still retaining citizens’ ability to control their data and make decisions about it, is not going to be an easy ask.

Mishcon de Reya data protection partner Adam Rose was one who raised this as an issue, saying: “Squaring the circle of giving citizens and consumers more control over how their data is used, while also giving business and government greater freedoms to use that data, will be the big challenge.”

Chris Waynforth, Imperva’s area vice-president for Northern Europe, also expressed concern. “The GDPR was introduced to safeguard citizen rights and privacy, helping to protect data, and while there are certainly always improvements that can be made, the government will need to be careful that these hard-won rights are not diluted when making changes,” he said.

“It’s already becoming harder and harder to guarantee data security. According to Imperva Research Labs, the number of data breaches is growing by 30% annually, and the number of records compromised is increasing by exponentially more. At the same time, 15% of breaches still happen because sensitive data is left publicly available. Unless changes take account of these risks, and organisations take action to protect increasingly vulnerable data, we could still find that the damage to privacy and security outweighs the benefits.”

Collision course

Moreover, with the UK having only recently achieved a data adequacy agreement with its former European Union (EU) partners at the end of June, any proposed changes to how the UK regulates data will raise eyebrows in Brussels, given the UK’s multiple attempts to unilaterally change parts of the Brexit deal that it negotiated and signed.

And you can rest assured that the EU will be watching the consultation like a hawk, with a huddle of lawyers ready to spring into action if needed.

During negotiations with the UK, members of the European Parliament (MEPs) pressurised the European Commission (EC) to take an even tougher line on exemptions in UK data protection regulation in some areas, such as national security and immigration. When the data adequacy agreement was signed, the EC’s vice-president for values and transparency, Věra Jourová, said: “We are talking about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards, and if anything changes on the UK side, we will intervene.”

Mishcon de Reya’s Rose said: “Coming just a couple of months after the EC granted the UK an adequacy decision in relation to its post-Brexit data protection regime – on the basis that the UK law was essentially equivalent to the EU GDPR regime – today’s announcements put the UK on a collision path with the EU, but also more widely with civil society organisations, with the likelihood of serious domestic data litigation in the future.”

By: Alex Scroxton