UK: Plans to ease joint data processing by intelligence agencies, police and “national security partners”

The UK government is consulting on wide-ranging changes to data protection law that include a proposal to facilitate “joint operational activity between law enforcement and national security partners.”


In September the government announced a public consultation on creating “an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data,” a move inspired by a report (pdf) produced by the ‘Taskforce on Innovation, Growth and Regulatory Reform’ (TIGGR).

TIGGR paper

The TIGGR report, written by three Conservative MPs upon the request of the Prime Minister, takes aim at a vast array of legal and regulatory measures, including data protection.

It says that the General Data Protection Regulation (GDPR):

“…overwhelms people with consent requests and complexity they cannot understand, while unnecessarily restricting the use of data for worthwhile purposes… GDPR is already out of date and needs to be revised for AI and growth sectors if we want to enable innovation in the UK.”

Open Rights Group commented that the report “signals the Government’s desire to gut GDPR and your privacy rights,” and is “riddled with blatant lies and an obtuse interpretation of the few facts presented.”

From “innovation” to intelligence

While the “taskforce” was largely concerned with deregulation as a way to “accelerate growth in the digital economy,” it seems that somewhere in the machinery of government, deregulation is also viewed as a way to advance the powers of the security agencies.

Under the heading ‘Public Safety and National Security’, the government’s consultation paper says that it is “vital that this reform agenda can enhance the work of our law enforcement bodies and UK Intelligence Services in the interest of public safety.”

This is to be done by removing certain distinctions between the general, law enforcement and intelligence data protection regimes – currently set out in parts two, three and four of the Data Protection Act 2018, which was passed to implement EU data protection rules.

Control state

The consultation paper says the government will “explore whether it is possible to align key terms that are used across these different data processing frameworks.”

The only concrete example given of what this could involve is amending “the provisions for joint controllership to enable controllers operating under Part 3 [law enforcement] and Part 3 [intelligence agencies] of the Data Protection Act 2018 to collaborate better.”

This would make it possible for the police and intelligence agencies to jointly determine where, how and by whom personal data should be processed. Currently, entities designated as data controllers under different parts of the act are not able to act as joint controllers.

The private sector also seems to be a key part of the plans: the consultation paper refers to standardizing “terminology and definitions used across UK GDPR [Part 2], Part 3 (Law Enforcement processing) and Part 4 (Intelligence Services processing) of the Data Protection Act 2018.”

This would facilitate greater cooperation on data processing by the police, intelligence agencies and what are referred to as “national security partners”.

The government's impact assessment (pdf) places the proposed changes under the heading of 'Boosting trade and removing barriers to data flows' and asserts that they will lead to "improved consumer outcomes", but there is no further mention of the plans in the document.

Grey areas

In a 2018 paper looking at data protection law and the use of public-private partnerships (PPPs) against cybercrime, Nadezhda Purtova of Tilburg University remarked that there is a “significant grey area” in EU data protection law “when situations of joint control occur, e.g. in case of information sharing among PPP members.”

Purtova noted that “the absence of a clear legal framework of such collaborations weakens the case for the legitimacy of PPPs.”

The UK government consultation paper does not state directly whether the aim of the proposed reforms is to facilitate the increased use of public-private partnerships.

However, given the intention to remove many of the protections offered by the existing data protection regime – in particular, the plan to “eliminate human review from automatic-decision making” by ending the application of Article 22 of the GDPR – there is significant cause for concern about what these changes may mean.

Questions are also likely to be raised about whether the proposed changes would invalidate the EU’s adequacy decisions, signed off earlier this year, that approved the UK’s data protection standards as essentially equivalent to the EU’s – despite the mass surveillance programs run by GCHQ. The government's impact assessment states that "we firmly believe there to be no incompatibility between our proposed package of reforms and our adequacy status with the EU."

Did you find this article useful?

We can only produce work like this with stable, independent support. Become a Friend of Statewatch and help us continue!

Documentation


Image: jthornett, CC BY NC-ND 2.0

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error