BY:
Lawyer Reporter
PROJECT COUNSEL MEDIA
17 June 2021 – As it has said for the last 3 years, the U.K. government will diverge from the EU standards on data-protection and privacy law and gut the General Data Protection Regulation (GDPR), claiming that a “less-European approach” could help drive economic growth. Most privacy experts said the government’s proposals will weaken individual rights and could put EU trade at risk.
Which is rather interesting because earlier today the EU policy experts approved a draft EU decision to allow personal data of Europeans to be exported to the U.K. using a new data transfer deal. The deal, officially called an “adequacy decision,” means the European Union would consider the U.K.’s privacy laws to be as protective of people’s privacy as the rules that apply across the bloc, through its own GDPR. National governmental experts “have voted unanimously in favor” of the European Commission’s draft decision, a Commission spokesperson said. “This enables us to move soon forward” on adopting the decision, the spokesperson added.
The experts were asked to approve the Commission text in what’s called the Article 93(2) committee, an administrative “comitology” procedure that gives capitals the right to weigh in on such data transfer deals before they’re adopted. The Commission could adopt its decision as soon as next week.
The UK government decision is part of the “Taskforce on Innovation, Growth and Regulatory Reform” report, which was written in May but only released to the public late yesterday. The GDPR sections start on page 49, under “Replace GDPR with a new UK framework for data protection”.
The taskforce, comprising three senior Conservative MPs, has branded GDPR “prescriptive and inflexible” and has urged Boris Johnson to replace the rules with a new framework for data protection that doesn’t stifle growth and innovation. In their report, the MPs said the UK has a prime opportunity to reform data protection rules, following withdrawal from the EU, and “cement its position as a world leader in data”. They have also blasted the level of compliance obligations businesses must adhere to, criticised consent mechanisms as impractical, and critiqued rules that limit how companies can develop artificial intelligence (AI) systems:
“The EU’s General Data Protection Regulation (GDPR) aims to give people protection over their data privacy and confidence to engage in the digital economy,” the report said, “but in practice, it overwhelms people with consent requests and complexity they cannot understand, while unnecessarily restricting the use of data for worthwhile purposes.
“We propose reform to give stronger rights and powers to consumers and citizens, place proper responsibility on companies using data, and free up data for innovation and in the public interest. GDPR is already out of date and needs to be revised for AI and growth sectors if we want to enable innovation in the UK”.
The report suggests the data protection status quo benefits tech giants, which are able to afford the compliance burden due to their business models, which involve profiting from processing personal data. Small businesses, meanwhile, suffer greater costs relative to their revenues.
The report also criticised the way that Article 5 and Article 22 of GDPR pose restrictions that limit AI systems because they impose barriers on organisations collecting new data, and reusing existing data for novel purposes. Article 5 requires data to be collected for specified, explicit, and legitimate purposes, while Article 22 stipulates that individuals shouldn’t be exposed to decisions made solely based on automated processing, including profiling. Both provisions should be scrapped, the report suggests, especially Article 22 because the requirement “makes it burdensome, costly and impractical” for businesses to use AI to automate routine processes.
None of this is news if you have been following our Brexit coverage over the last few years. The Brexiteers have been doing everything in their power to make the UK more tempting for organisations which see data protection as a barrier to business. If implemented, it would be a case of the UK government treating all of the population as a huge data resource to sell to large corporates – with, potentially, no right to opt out. I asked Paul Stroud, a data protection officer at a UK company who was keyed into an early version of the “Taskforce” report, and he said:
“It’s a concern, and the report given to the government is full of inaccuracies. Well, Duncan Smith was involved, wasn’t he? I think part of this is just playing to the gallery, a move which may or may not actually go anywhere. But with this government you just never know. Read the details and it isn’t a complete roll back but a deviation – but in some (rather important) aspects which have caused the U.K. government to shoot themselves in the foot over the last year or so (just refresh yourself on the algorithms deciding exam results and ignoring the individual’s right to human intervention and to not be adversely impacted).
“But my big thing is that it is framed in such a way that companies may rethink leaving the UK – maybe being based in the UK relieves us of all that data privacy stuff. And given all the briefings and chatter about Brexit giving us the opportunity to take advantage of the data economy (earn some £) I think the government will go forward and gut the GDPR”.
Jim Killock, executive director of the Open Rights Group, described the proposals as “enormous”. Even if they are not final, the fact that the report was commissioned by people that Boris Johnson trusts, and is being publicised with staged photographs, means the proposals may have already won the prime minister’s seal of approval.
If Jim and Paul are correct, the people who are going to be really angry are the ones who set up GDPR compliance and advisory businesses.