Privacy International makes recommendations to strengthen UK Data Protection Bill

Press release
 Press Notice: Privacy International makes recommendations to strengthen UK Data Protection Bill

While welcoming the objective of the Bill, Privacy International has sent a briefing to the House of Lords and a letter to Minister of State for Digital, Matt Hancock MP, outlining key concerns and recommendations. The Bill's stated aim is “to create a clear and coherent data protection regime”, and to update the UK data protection law, including by bringing the EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) - into the UK domestic system. We've summarsised our concerns below.

Our full briefing: https://privacyinternational.org/node/39

Head of Privacy International Advocacy and Policy team Tomaso Falchetta said:

"Privacy International welcomes the aim of the Data Protection Bill, which is to introduce a data protection regime in the UK that is ‘fit for the digital age’. However this aim risks being frustrated. Where the UK government could depart from the requirements imposed by European data protection standards, it has done so. It has made little attempt to re-consider and restrict the conditions for collection and use of people's personal information, such as our political opinions, or to introduce adequate safeguards against decisions made by a system independent of human intervention, such as in credit rating.

Further, we regret that the government is seeking broad exemptions to the data protection regime on national security grounds. While we are pleased that intelligence services are coming under the rules of data protection, the agencies are being given unfettered freedom to share people’s personal information with other countries’ governments, which is unacceptable."

Our key areas of concern include:

1. Clarity and accessibility of structure: The Bill is overly and unnecessarily complex in its design and structure, which makes it opaque and inaccessible for organisations that cannot afford expensive lawyers.  We recommend ways that structure can be simplified.

2. Delegated powers: The Bill has many regulation making powers, and grants an unacceptable amount of power to the Secretary of State to introduce secondary legislation,  bypassing effective parliamentary scrutiny.  We recommend that the Bill is  amended to limit such broad powers.

3. Representation of living individuals: The Bill does not provide for qualified non-profit organisations to pursue data protection infringements of their own accord, as provided by EU General Data Protection Regulation in its article 80(2).  We, along with UK digital rights and consumer organisations strongly recommend that the Bill is amended to include this provision.

4.Conditions for processing special categories of personal data: There is no definition in the Bill of what constitutes “substantial public interest” when processing sensitive personal information, or why the 17 conditions for processing such information constitute such interest. This will result in lack of adequate safeguards to protect such sensitive data in all cases. We recommend that this concept is better defined and narrowly interpreted.

5. Automated decision-making: Profiling and other forms of decision-making without human intervention should be subject to very strict limitations. The Bill provides insufficient safeguards for automated decision making.  We recommend the Bill to be amended to include further concrete safeguards.

6. National Security Certificates: Provisions in the Bill mirror those in the current Data Protection Act, but include even wider exemptions.  Privacy International’s concerns include the timeless nature of the certificates, lack of transparency, no means to challenge, and wide powers exempt from data protection principles. We make a number of concrete obligations to be included in the Bill.

7. Intelligence Agencies, cross-border data transfers: The Bill provides for almost unfettered powers for cross-border transfers of personal data by intelligence agencies without appropriate levels of protection; this is an infringement of the requirements of Council of Europe’s modernised Convention 108. We recommend that rules for such transfers are brought into line with those required in the Bill for law enforcement purposes.