The proposed new UK data protection regime & the continuing UK surveillance regime
In the Short Note below and its two attachments, I reach the following conclusions (reference to the relevant sections etc. in brackets):
Conclusions re the Data Protection and Digital Information Bill (Short Note, section 3):
If the Bill is adopted as proposed, the UK data protection regime will be significantly less strict than – i.e., not “essentially equivalent” to – the EU GDPR regime, and undermine the EU regime, including in these respects:
- it narrows the definition of “personal data”, and thus the scope of data protection, to less than provided for in the EU GDPR (sub-section 3.1 & Attachment 2);
- It enables data disclosures and data sharing between private and public bodies that would not be allowed under the EU GDPR (sub-section 3.2 & Attachment 2);
- It weakens data subject rights to less than required under the EU GDPR (sub-section 3.3 & Michael Veale’s note);
- It enables the taking of automated decisions and profiling in circumstances in which this would not be allowed under the EU GDPR (sub-section 3.4 & Michael Veale’s note);
- It reduces the requirements re DPOs and DPIAs, leading to less accountability than required under the EU GDPR (sub-section 3.5 and Michael Veale’s note);
- The extra-territorial application of the UK GDPR to EU/EEA-based companies will lead to serious conflicts, in particular where UK data protection law would require such companies to disclose data to UK authorities where the EU GDPR would not allow it (sub-section 3.6);
- The rules on “adequacy” and data transfers in the Bill, if adopted, would pose a direct threat to the EU data protection regimes (sub-section 3.6) (see Overall conclusion, overleaf); and
- The independence of the UK data protection regulator (which is in any case weak on enforcement) is seriously undermined (sub-section 3.7).
Conclusions re the UK surveillance laws and practices (Short Note, section 4):
It is highly doubtful whether the processing of personal data by UK intelligence agencies, especially its bulk collection of communication data, is in line with the EU Charter of Fundamental Rights. In particular, the UK’s indiscriminate bulk collection of communications metadata (“related communications data”) from selected “bearers” in the underseas communication cables would appear to be contrary to principles established by the European Court of Human Rights (Big Brother Watch v. the UK) and the CJEU (Tele2/Watson, Digital Rights, Schrems II, Privacy International and La Quadrature du Net), as reflected in the EDPB’s European Essential Guarantees for Surveillance Measures.
Overall conclusions:
The UK should not have been granted a positive adequacy decision under the EU GDPR in June 2021. But that aside, the proposed changes would move the UK data protection regime considerably further apart from the EU regime: it would move even further from “essential equivalence” with the EU GDPR.
Moreover, the UK surveillance laws and practices, which did not meet the standards of the EDPB’s European Essential Guarantees at the time the positive adequacy decision was issued (which should in itself have stopped the Commission from issuing the decision) continue to fall foul of those standards.
On both these grounds, the EU Commission’s adequacy decision on the UK should be rescinded, if not rightaway then certainly if the UK government proceeds to adopt the DPDI Bill in its present form.
In the light of my earlier conclusions, I conclude in particular that if the EU adequacy decision on the UK is not rescinded when the Bill becomes law:
- EU companies will be able to “launder” personal data through the UK in lightly pseudonymised form; and
- The UK would become an offshore “data haven” through which data that cannot be sent from the EU/EEA to “inadequate” third countries such as the USA can be routed.