New data protection laws – do they really protect us?

Today, MPs will debate a new data protection framework, the Data Protection Bill, which will govern how the UK Government, companies and individuals can access, use, and protect personal information.

This is an extremely important Bill; in the digital and information age we live in, personal data and information are essential and unavoidable part of our lives. More data has been created in the past two years than in the entire previous history of the human race. While it might seem abstract or even irrelevant, this Bill provides us with crucial rights and protections with wide-ranging consequences

Data is generated by our use of health and public services as well as our phones, apps, and other digital devices, our use of social media and the internet, our bank and travel cards, and in many other ways.

This data can provide an intimate picture of our lives; it details who we are, where we live, what we do, and how we live our lives: what food we buy, where we travel, where we work and much more. It can also contain very sensitive information about our ethnic origin, political opinions, religious or other beliefs, our physical and mental health, and our sexual preferences.

Ensuring that our personal information is used fairly and making sure it is protected, is crucial.

The Bill

An EU regulation called the General Data Protection Regulation (the GDPR) will provide the bulk of data protection rights for individuals. In combination with the GDPR, the Data Protection Bill will update the current data protection framework (the Data Protection Act 1998), providing a wide range of rights for individuals addressing how they can access their data, how their data is used and shared, and who else can access it.

However, the Bill currently contains some worrying exemptions which remove these crucial data protection rights in certain circumstances. Here we summarise our concerns, and the changes we are working hard to get Government to bring in the final Act.

Automated decisions

The Bill removes individual’s rights not to be subject to purely automated decision-making – even allowing police and intelligence agencies to make purely automated decisions affecting members of the public. This means that an entirely automated decision could be made about you, and you would not be able to know the reasons for that decision – even if, the Bill explicitly states, the decision had adverse legal effects..

  • We want the Bill to protect people, so that where human rights are engaged by automated decisions, there are always ultimately human decisions;
  • We also want a safeguard that prevents authorities and companies swerving basic safeguards around automated processing by using human tick-boxes to claim automated processes aren’t ‘automated’. They must be able to demonstrate that there is meaningful human input to claim that such a decision-making system is not entirely automated.

Immigration data protection

The Bill also removes a wide range of data protection rights in relation to un-defined and frequently politicised concept of ‘immigration control’ – an entirely new blank cheque exemption from the current data protection framework. There is absolutely no reason for this new and insidious removal of rights from the Bill.

  • We want the Government to roll back on this power grab for big data processing and remove the blank cheque exemption from basic rights for ‘immigration control’ from the Bill..

Removal of data protection rights in relation to national security

We are also concerned by the process of removing people’s data protection rights under a ‘national security certificate’. The current process is significantly lacking in oversight and accountability, and certificates can last indefinitely.

  • We would like to see oversight of the certification process, and time-limitation of certificates.

Adequacy

There is a real possibility that our data protection regime under this Bill will not be sufficiently protective to enable the UK to achieve data ‘adequacy’ under EU law after Brexit – i.e. to have a modern system recognised to meet the basic protections required by EU law.

Big Brother Watch is working hard in Parliament to see these basic protections to automated decision-making, ‘immigration’ data processing, and national security certifications brought into the Bill.