The independence of data watchdog the Information Commissioner’s Office (ICO) could be threatened by measures in the upcoming Data Reform Bill, civil rights campaigners have warned. But fears the changes proposed in the legislation, which will replace the EU’s GDPR in UK law, will impact the flow of data between Europe and the UK are likely to prove unfounded.
This morning the government published its response to the consultation, Data: a new direction, on which the new laws will be based. The bill itself is likely to follow in the next few weeks, and the government says it will take a less prescriptive approach than GDPR, meaning UK businesses will save up to £1bn over ten years. Neil Ross, head of policy at tech trade organisation techUK told Tech Monitor the changes proposed were to “help make GDPR clearer and more flexible without entirely ripping up the system”. But other groups are less impressed.
‘Codifying cronyism’: the role of the ICO under the Data Reform Bill
As reported by Tech Monitor, the Open Rights Group has been critical of the consultation process around the Data Reform Bill, publishing a letter signed by 30 other civil society groups describing the process as “rigged” and saying that their views had not been taken into consideration when drawing up the new laws.
Today the group expressed concern about changes to the governance of the ICO, who they say will face greater parliamentary scrutiny and control as part of the changes. “The UK Data Reform Bill will codify cronyism into law,” argues Mariano delli Santi, legal and policy officer at the Open Rights Group. “The secretary of state is being given the power to arbitrarily amend the Commissioner’s salary, issue ‘a statement of priorities’ to their office, and vetoing the adoption of statutory codes and guidance, thus exposing the ICO to political direction, corporate capture and corruption.”
The government says the changes will bring the ICO into line with other regulators. The Information Commissioner himself, John Edwards, has lent his support to the new bill. “The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms,” he said.
Does the Data Reform Bill threaten the EU-UK data adequacy agreement?
There have been fears that moving away from GDPR could threaten the data adequacy agreement struck between the UK and the EU last year. This allows data to flow freely between Europe and Britain on the basis that it receives the same level of protection on both sides of the channel. The EU has said it will review the data adequacy agreement as Britain changes its data laws to ensure the personal information of European citizens is safeguarded.
But Pete Church, counsel in the data team at law firm Linklaters, says the fact that the government has moved away from some of its previous “radical suggestions, such as replacing the GDPR with an entirely new framework of citizen data rights,” means the data agreement is likely to be preserved.
The government has “instead opted for incremental reform of the current framework,” Church says. “This is hardly a surprise given data protection laws are now a global norm and the GDPR is the template upon which many of those laws are based,” he adds. “This is good news for data flows between the EU and the UK, as these more modest reforms mean the EU Commission is less likely to revoke the UK’s adequacy finding, which would have caused significant disruption.”
Health data reform: devil in the details
The bill proposes to remove the GDPR requirement for researchers to obtain specific consent to use patient data in research. It is likely to replace this with a broad consent process, where researchers would have to get consent for data to be used in a wider category of research.
For Phil Booth, co-ordinator of medConfidential, a non-profit which monitors the way medical data is stored, the NHS data strategy, announced on Monday, represents a “positive direction of travel”, and nothing in the Data Reform Bill consultation response contradicts this.
But, he says, the wording of the final legislation will be important, particularly when it comes to data sharing between different departments and institutions.
“There’s nothing radically new that they are proposing,” Booth says. “But the detail will matter, and if they broaden things by changing definition, or create a situation around data reuse then that could cut across that positive direction of travel.”
He believes the government’s ultimate ambition is to be able to share data more widely across departments. “You look at the work Palantir is doing across health and other departments, and you can see these platforms are predicated on collecting data in one public service and making it available to the rest of government,” he says. “Clearly that’s their ambition, and that is the thing where there is potentially going to be some ambiguity.”