28 October 2021
The UK government is consulting on wide-ranging changes to data protection law that include a proposal to facilitate “joint operational activity between law enforcement and national security partners.”
In September the government announced a public consultation on creating “an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data,” a move inspired by a report (pdf) produced by the ‘Taskforce on Innovation, Growth and Regulatory Reform’ (TIGGR).
The TIGGR report, written by three Conservative MPs upon the request of the Prime Minister, takes aim at a vast array of legal and regulatory measures, including data protection.
It says that the General Data Protection Regulation (GDPR):
“…overwhelms people with consent requests and complexity they cannot understand, while unnecessarily restricting the use of data for worthwhile purposes… GDPR is already out of date and needs to be revised for AI and growth sectors if we want to enable innovation in the UK.”
Open Rights Group commented that the report “signals the Government’s desire to gut GDPR and your privacy rights,” and is “riddled with blatant lies and an obtuse interpretation of the few facts presented.”
From “innovation” to intelligence
While the “taskforce” was largely concerned with deregulation as a way to “accelerate growth in the digital economy,” it seems that somewhere in the machinery of government, deregulation is also viewed as a way to advance the powers of the security agencies.
Under the heading ‘Public Safety and National Security’, the government’s consultation paper says that it is “vital that this reform agenda can enhance the work of our law enforcement bodies and UK Intelligence Services in the interest of public safety.”
This is to be done by removing certain distinctions between the general, law enforcement and intelligence data protection regimes – currently set out in parts two, three and four of the Data Protection Act 2018, which was passed to implement EU data protection rules.
The consultation paper says the government will “explore whether it is possible to align key terms that are used across these different data processing frameworks.”
The only concrete example given of what this could involve is amending “the provisions for joint controllership to enable controllers operating under Part 3 [law enforcement] and Part 3 [intelligence agencies] of the Data Protection Act 2018 to collaborate better.”
This would make it possible for the police and intelligence agencies to jointly determine where, how and by whom personal data should be processed. Currently, entities designated as data controllers under different parts of the act are not able to act as joint controllers.
The private sector also seems to be a key part of the plans: the consultation paper refers to standardizing “terminology and definitions used across UK GDPR [Part 2], Part 3 (Law Enforcement processing) and Part 4 (Intelligence Services processing) of the Data Protection Act 2018.”
This would facilitate greater cooperation on data processing by the police, intelligence agencies and what are referred to as “national security partners”.
The government's impact assessment (pdf) places the proposed changes under the heading of 'Boosting trade and removing barriers to data flows' and asserts that they will lead to "improved consumer outcomes", but there is no further mention of the plans in the document.
In a 2018 paper looking at data protection law and the use of public-private partnerships (PPPs) against cybercrime, Nadezhda Purtova of Tilburg University remarked that there is a “significant grey area” in EU data protection law “when situations of joint control occur, e.g. in case of information sharing among PPP members.”
Purtova noted that “the absence of a clear legal framework of such collaborations weakens the case for the legitimacy of PPPs.”
The UK government consultation paper does not state directly whether the aim of the proposed reforms is to facilitate the increased use of public-private partnerships.
However, given the intention to remove many of the protections offered by the existing data protection regime – in particular, the plan to “eliminate human review from automatic-decision making” by ending the application of Article 22 of the GDPR – there is significant cause for concern about what these changes may mean.
Questions are also likely to be raised about whether the proposed changes would invalidate the EU’s adequacy decisions, signed off earlier this year, that approved the UK’s data protection standards as essentially equivalent to the EU’s – despite the mass surveillance programs run by GCHQ. The government's impact assessment states that "we firmly believe there to be no incompatibility between our proposed package of reforms and our adequacy status with the EU."
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.