A special taskforce commissioned by the UK Prime Minister has recommended to replace the existing data protection rules with a new framework for data protection. The taskforce comprises of three senior Conservative MPs. Following the recommendations, UK could abolish the existing UK data protection laws and replace them with the new framework.
After Brexit, the UK Parliament amended its Data Protection Act, 2018, and passed the Data Protection, Privacy Electronic Communications (Amendments etc.) (EU Exit) regulations on 14th October, 2020.
Basically, these amendments absorbed the GDPR into domestic law (UK GDPR) to the Data Protection Act, 2018. These laws mirror the GDPR to a great extent, but deviate in some areas.
Reportedly, the taskforce has termed GDPR as “prescriptive and inflexible”. Hence, it’s recommending a data protection regime that doesn’t stifle growth and innovation.
Highlights of the Report
In its report, the taskforce contends that the UK has a prime opportunity to reform data protection rules and cement its position as a world leader. It says that existing compliance obligations for are cumbersome, consent mechanisms are impractical and the rules also limit how companies can develop artificial intelligence systems.
The report says:
“The EU’s General Data Protection Regulation (GDPR) aims to give people protection over their data privacy and confidence to engage in the digital economy, but in practice, it overwhelms people with consent requests and complexity they cannot understand, while unnecessarily restricting the use of data for worthwhile purposes.”
It is also their contention that the current regime benefits tech giants, who can afford the data compliance burden, while small businesses suffer great costs relative to their revenues. The report goes on to add that consent mechanisms are ineffective and easily bypassed.
Ultimately, the taskforce proposes to give stronger rights and powers to consumers and citizens, place proper responsibility on companies using data, and free up data for innovation and in the public interest.
Article 5 and 22 of the GDPR limit the use of Artificial Intelligence systems. Article 5 mandates that a business shall collect data only for specific, explicit, and legitimate purposes. On the other hand, Article 22 lays down that “the data subjects have a right not to be subject to a decision based solely on automated processing, including profiling…”
The report says that both provisions should be scrapped as they make automation of routine processes “burdensome, costly, and impractical.” If removing Article 22 is too radical, then the requirement of human review of algorithmic decisions shall be done away with.
It suggests that a new framework should be put in place, which places the emphasis on legalistic version of consent and legitimacy of data processing and whether it would benefit society, often bypassing user input.
Effects on the Data Adequacy Status
Since the UK in no more a part of the European Union, it is effectively a third country. And the GDPR restricts transfer of personal data to third countries, unless similar levels of data protection are in place in the country in question. However, the European Commission has the power to determine if a third country has such an adequate level of data protection. The UK government is seeking an adequacy decision which will allow for free flow of personal data to the UK from the EU.
In February, 2021, the European Commission granted a provision ‘data adequacy’ status to the UK. Under this agreement, the EU will review the adequacy agreement at most every four years and monitor developments in the UK. In case UK tones down its data protection law which the EU no longer deems as equivalent to GDPR, it may revoke the formal agreement at any time in the future.
Academic models show that if the data adequacy agreement is not finalised, it could cost businesses between £1 billion and £1.6 billion.