UK government to consider gutting GDPR rules
Radical proposals suggest removing provisions on consent and the need for human oversight on AI decision-making
Plans to scrap existing UK data protection rules and replace them with an altogether new regime are on the horizon following recommendations made by a special taskforce commissioned by the prime minister.
The taskforce, comprising three senior Conservative MPs, has branded GDPR “prescriptive and inflexible” and has urged Boris Johnson to replace the rules with a new framework for data protection that doesn’t stifle growth and innovation.
In their report, the MPs said the UK has a prime opportunity to reform data protection rules, following withdrawal from the EU, and “cement its position as a world leader in data”. They’ve also blasted the level of compliance obligations businesses must adhere to, consent mechanisms for being impractical, and critiqued rules that limit how companies can develop artificial intelligence (AI) systems.
“The EU’s General Data Protection Regulation (GDPR) aims to give people protection over their data privacy and confidence to engage in the digital economy,” the report said, “but in practice, it overwhelms people with consent requests and complexity they cannot understand, while unnecessarily restricting the use of data for worthwhile purposes.
“We propose reform to give stronger rights and powers to consumers and citizens, place proper responsibility on companies using data, and free up data for innovation and in the public interest. GDPR is already out of date and needs to be revised for AI and growth sectors if we want to enable innovation in the UK.”
Removing human review from automated decisions
Although GDPR applied to British organisations when it came into force in May 2018, the UK passed its own law in the form of the Data Protection Act (DPA) 2018, which mirrored the majority of GDPR but deviated in some areas. For instance, the DPA cites a higher number of lawful bases for processing sensitive data.
Following Brexit, the DPA is seen as a partner that complements GDPR rather than replaces it, with the Withdrawal Act 2018 absorbing GDPR into domestic law. The report doesn't mention how the new framework, touted to replace UK GDPR, would be positioned in the broader regulatory landscape. It also doesn't suggest how the changes outlined would affect any data adequacy arrangements with the EU.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The report suggests the data protection status quo benefits tech giants, which are able to afford the compliance burden due to their business models, which involve profiting from processing personal data. Small businesses, meanwhile, suffer greater costs relative to their revenues.
IT Pro 20/20: What the EU's new AI rules mean for business
The 17th issue of IT Pro 20/20 considers the effect of new regulations on the IT industry
Consent mechanisms, too, are described as being ineffective and easily bypassed, with the report citing cookie banners as a key example.
The report also criticised the way that Article 5 and Article 22 of GDPR pose restrictions that limit AI systems because they impose barriers on organisations collecting new data, and reusing existing data for novel purposes.
Article 5 requires data to be collected for specified, explicit, and legitimate purposes, while Article 22 stipulates that individuals shouldn’t be exposed to decisions made solely based on automated processing, including profiling.
Both provisions should be scrapped, the report suggests, especially Article 22 because the requirement “makes it burdensome, costly and impractical” for businesses to use AI to automate routine processes.
Under the new framework, less emphasis would be placed on the “legalistic version of consent” and more on the legitimacy of data processing and whether it would benefit society, often bypassing user input.
Should removing Article 22 “be deemed too radical”, GDPR should allow all automated decision-making and remove human review from algorithmic decisions, the report said. Businesses should also be allowed to give only a brief overview of how decisions are made, rather than detailing complex information about their systems and the logic involved.
Reopening the data adequacy agreement
Executive director of the Open Rights Group (ORG), Jim Killock, described the proposals as “enormous”. The fact that the report was commissioned by people that Boris Johnson trusts, and is being publicised with staged photographs, also means the proposals may have already won the prime minister’s seal of approval, he added.
Changing the data protection regime so radically, as these proposals suggest, could also threaten the UK’s data adequacy agreement with the EU, and disrupt data flows between borders.
The UK, now deemed a 'third country' following Brexit, was granted provisional data adequacy in February, meaning the EU saw the UK’s laws as roughly in keeping with its own. This allowed data to continue to flow from the EU to the UK uninterrupted post-Brexit, without the need for specialised transfer mechanisms.
The decision, however, hasn’t been finalised. The agreement also includes provisions for the EU to review the UK’s data adequacy every four years, with any radical deviations from GDPR threatening to annul the agreement.
“If a new UK framework does not comply with the EU GDPR, or the EU considers such changes inconsistent, the UK may be deemed a third country for data transfers,” said associate at Payne Hicks Beach, Sian Stephens. “This means that data transfers will be more difficult to carry out between the EU/UK.
“However, it is likely to enable data to be shared with countries that do not currently have an EU adequacy decision such as the US, Canada, Australia, and Singapore. Opportunities to share data with these countries could boost productivity, encourage competition and stimulate innovation and growth in the UK economy.”
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.