Post-Brexit data protection laws are coming, and we should all be concerned about it

The UK Government are expected to reveal their Post-Brexit data protection bill on 10 May.

The idea to set aside the General Data Protection Regulation (GDPR) was first outlined by a deregulatory task force that framed “consumer data” as a “highly profitable currency” and blamed the GDPR for being prescriptive, inflexible, and an obstacle to innovation. This led to a public consultation known as “data: a new direction”, a set of proposals that would scrap the rights-based framework of the GDPR in favour of a corporate-friendly rulebook meant to “unleash the value of data across the economy”.

In other words, the UK Government are proposing a framework that frames personal data in terms of economic assets and aims to “cut red tape” to promote their commercial use. These ideas draw considerable support among corporate lobbyists and large technology companies, which would no doubt leverage the “UK example” to advocate for weaker data protection standards in Europe. In turn, understanding and opposing these changes should not be seen as a domestic issue, but as a major threat for digital rights advocates across the globe. 

While we wait for the outcomes of this consultation, it is then useful to review its key proposals, and their impact on the right to data protection.

Data protection and data subjects’ rights

In “data a new direction”, the UK Government depicts the reuse of personal data beyond its original purpose as a cornerstone of their plan to “unleash the value of data across the economy”. Thus, they propose to

• enable the use of personal data across different research projects, regardless of transparency obligations or research subjects’ consent;
• ease the compatibility test for further processing in the “substantial public interest”, or when based on the legal ground of consent;
• disregard the rights and freedom of data subjects when processing is based on legitimate interest and fulfils a wide range of purposes, such as “improving customers’ services”, “de-biasing AI”, or “detecting crimes and other safeguarding interests”;
• lower safeguards for international transfers of personal data.

Furthermore, the UK Government builds on the accusation that individuals have been abusing their rights under the GDPR, for instance by targeting organisations with vexatious access requests or by lodging frivolous complaints to the UK Data Protection Authority. Thus, they propose to:

• restrict the right of access by imposing a monetary fee on those making a request and allowing controllers to judge in the first instance whether such requests are reasonable;
• either scrap the right to human review or raise the threshold for its applicability;
• require that complainants try to resolve their complaint with the controller before contacting the authority.

Accountability and oversight

In “data a new direction”, the UK Government believe that the GDPR accountability framework is “generating a significant and disproportionate administrative burden”. Thus, they propose scraping it entirely and allowing organisations to self-assess their compliance obligations.

Furthermore, the UK Government propose to bring the UK Data Protection Authority under the control of the minister for digital, who would be given the powers to

• periodically dictate strategic priorities of the Supervisory Authority,
• reduce the salary of the head of the SA,
• approve or reject regulatory guidance issued by the SA.

What about the adequacy decision?

Unsurprisingly, the consultation raised questions over the future of the EU-UK adequacy decision: these proposals would disempower individuals, make data processing less transparent and unpredictable, and undermine the independence of the Data Protection Authorities. However, it is no secret that some in the British Government see radical regulatory divergence and incompatibility as a desirable outcome, which would prevent the UK from ever rejoining the European Union.

(Contribution by: Mariano delli Santi, Legal and Policy Officer, EDRi member Open Rights Group)