The UK Data Reform Bill and the British Bill of Rights: a tragedy in two acts
The dust hasn’t settled since plans to undermine everyone’s right to data protection were announced, but the UK Government are at it again. Plans to ditch the Human Rights Act in the UK were just unveiled, in a combined effort to steamroll the rule of law and the freedoms we have always taken for granted. EDRi member Open Rights Group explains how the impact of this constitutional butchery reverberates in data protection, and why both the Data Reform Bill and the Bill of Rights follow a common thread.
Legalise this Government
Concepts developed in the case-law of the European Court of Human Rights, such as “necessity” and “public interest”, also define boundaries concerning the extent and legitimacy of data uses. Changes in the Bill of Rights risk creating a loop where collecting or storing personal data will be “necessary” and “in the public interest” because the UK Parliament deem these activities to be necessary or in the public interest — and not because they objectively are so.
Also, with the Data Reform Bill, the Government are asking to be given regulation-making powers to introduce new “legitimate interest” grounds for processing, which would be deemed legitimate even if they trump the rights of others or they reuse data in a way which is incompatible with their original purpose.
Years ago, NHS Digital had to stop handing over patients’ data to the Home Office for immigration purposes because this was illegal. With the Data Reform Bill, instead, the Government would have been able to introduce a purpose-built lawful ground to legalise what’s unlawful. In turn, the Bill of Rights would likely prevent you from challenging these grounds, because “Parliament have spoken”.
Dodginess by design and by default
The Data Reform Bill would scrap the UK GDPR accountability framework and replace it with “privacy management programmes”, a framework where organisations would be free to identify their own compliance requirements and mark their own homework. For instance, while Data Protection Impact Assessments will be scrapped, “organisations will still be required to identify and manage risks, but they will be granted greater flexibility as to how to meet these requirements.”
Thanks to the UK Government, we also don’t need to speculate about how this imaginative approach to accountability would work in practice.
During the Covid pandemic the Department of Health ran their Test and Trace scheme without performing a Data Protection Impact Assessment (DPIA). This is unlawful, but the Secretary of State was of a different opinion: he argued that three risk assessments had already been conducted, and these “covered all of the necessary”. This brilliant display of risk management skills didn’t prevent contact tracing volunteers from publishing confidential medical data on Facebook groups, hospitality staff from using phone numbers to harass women, and contact tracing data from being lost in Excel sheets or leaked.
In other words: the UK Government will get away with harmful and negligent data processing activities thanks to privacy management programmes, just as they will get away with human rights violations thanks to the Bill of Rights.
Blackmailing the watchdog
With the Data Reform Bill, the UK Government are proposing to give the Secretary of State the power to issue a Statement of Strategic Priorities to the Information Commissioner’s Office. Contrary to what the Government claim, this statement would “sit below the ICO’s primary objective and duties under the UK GDPR and the DPA 2018” and therefore have legally binding force. The ICO would also have to formally respond to how they intend to follow these orders.
At the same time, the Bill will require the ICO to seek the approval of the Secretary of State for some of their regulatory functions, and it would empower the Government to unilaterally amend the salary of the Commissioner — thus exposing Commissioners who do not act as the Government want to retaliation.
Granted that the Bill of Rights does not go as far as to undermine the independence of the judiciary, both laws are pointing toward the same objective: allowing the Government to act against justice by avoiding independent scrutiny.
Digital rights are human rights
In the years preceding the Second World War, lawmakers had a pivotal role in bringing totalitarian governments into power and legitimising their crimes. Lawmakers in Italy and Germany passed laws that undermined democracy and promoted discrimination, deportations and the arbitrary administration of justice. The same tragedy led to a greater understanding of the risks of state surveillance, and how information revealing someone’s health, religion or political views can expose individuals to discrimination and persecution.
The European Convention of Human Rights and the Right to Data Protection stem from that experience. However, behind the fig leaf of giving greater weight to lawmakers’ views, the British Bill of Rights will diminish human rights and democratic accountability. Likewise, behind the fig leaf of cutting red tape, the UK Data Reform Bill is poised to undermine data protection.
Data rights are human rights, and Open Rights Group will fight tooth and nail to preserve both of them. Get involved in their campaign, join their actions, and help them protect our rights in the digital age.
The article was first published here.
(Contribution by: , Legal and Policy Officer, EDRi member Open Rights Group)