UK Data Protection Act 2018 – 339 pages still falls short on human rights protection
While the worlds’ attention, the world’s humour, including a dedicated playlist of 89 songs on Spotify, were on the coming into force of EU’s General Data Protection Regulation (GDPR) on 25th May, the UK’s Data Protection Act 2018 (DPA 2018) that received Royal Assent only two days previously had barely received a few column inches in the mainstream press.
However, the substance of the debates in parliament during the passage of this Act has received wide attention in the UK, linking the right to privacy and data protection to some of the most important political and heart-searching questions of our time: how does the UK treat its immigrants who bring key skills and prosperity to the country (the Windrush scandal)? Will the UK respect its human rights obligations, including the right to data protection, post Brexit, when it is likely no longer bound by the EU Charter? What safeguards are there against potential corruption of the democratic process by new technologies and unscrupulous politicians (the Cambridge Analytica scandal)? Do State security measures justify unfettered, unaccountable and non-transparent mass surveillance? How do you achieve the right balance between freedom of the press and some of its representatives’ tendencies to invade private lives without public interest justification? (This last, re Leveson 2 inquiry, has taken up most of the debate time during the Commons Report Stage of the Bill, to the detriment of all the other important issues!)
The massive 339-page and very complex Act, extolled by the government as one of the world’s most progressive data protection regimes, opens the way for the application of the GDPR in the UK, though the Regulation itself is not incorporated in the Act, as it is EU legislation with direct effect in the UK. The GDPR, however, contains many articles which allow EU countries to set various rules and exceptions to suit their own needs and regimes, and the UK government took full advantage of these flexibilities in drafting this legislation, by, for example, setting special rules on the processing of personal data in the employment and health sectors, or for insurance purposes.
The DPA 2018 also implements the new EU Law Enforcement Directive, as well as regulates data processing of the Intelligence Agencies, such as GCHQ: in the latter case by applying the Council of Europe newly updated Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or Convention 108 for short.
In short it is a quite comprehensive (in that it covers a range of processing, not that it is easy to understand!). The Data Protection Act 2018 regulates the collection and processing of individuals’ personal information by the private and public sectors, law enforcement entities and intelligence agencies. Privacy International has been calling for such an all-in-one package right from the start and welcomes that it has come into being. However, as highlighted below we have ongoing serious concerns regarding exemptions and loopholes that undermine this overall protection, including fundamental rights.
The other addition, over and above GDPR, in the DPA 2018 that we also particularly welcome are the enhanced powers of the Information Commissioner (ICO), granted following the Cambridge Analytica scandal, which revealed certain shortcomings in her enforcement capabilities. These powers include an obligation on organisations to respond to urgent information requests from the ICO within 24 hours, the ability to obtain court orders to require disclosure when entities refuse to hand such information over, as well as making it an offence to destroy, falsify or conceal evidence.
The bad and the ugly – key issues for Privacy International
However, what has been extolled as one of the “world’s most progressive data protection regimes” also contains some very retrograde steps which we have been consistently drawing to the attention of parliamentarians, and fighting against for the whole of the passage of the Bill in both Houses of Parliament.
Most of our key concerns, outlined briefly below, relate to the significant extent of the exceptions to data protection and privacy built into the Act; exceptions that raise serious questions under current UK obligations under the EU Charter on Fundamental Human Rights and Freedoms and national and regional human rights legislation, which will be in place even when the UK exits the EU.
Henry VIII clauses (delegated powers)
The Act is peppered with provisions giving an unacceptable amount of power to alter the application of GDPR, including conditions for processing sensitive personal data, to the Secretary of State, and bypassing effective parliamentary scrutiny. The government has justified this as giving it the “flexibility” to deal with changing circumstances. Severe concerns were raised both in the Lords and the Commons, and the government has watered down some of its powers, but the improvement is very limited.
The immigration exemption (Schedule 2, para 4 of the Act)
Despite strong and wide-ranging opposition from civil society organisations, opposition parties in the Lords and Commons, the Information Commissioner and the Deputy Counsel of the parliamentary Joint Committee on Human Rights, which stated that “It is not clear why this exemption is “necessary in a democratic” society”, the government went ahead and embedded this deeply concerning clause in the Act. There was no such provision in the former DPA 1998, and furthermore it has implications for EU Citizens too in the future – putting UK on a straight collision course with the EU and with strong potential to impact on any adequacy provisions for data transfers with the EU that the UK may seek post Brexit. This, one of the most controversial, provisions of the DPA 2018 is already threatened with legal action.
Political parties (Schedule 1, para 22 of the Act)
The Act includes a provision – sadly, but not surprisingly, little contested by all parties in Parliament - which permits political parties to process personal data ‘revealing political opinions’ (without the individual’s consent), for the purposes of their political activities. There is nothing in the provision to prohibit delegation of such activities to a third party specialising in profiling for example and modern technologies make it possible to infer political inclinations of people from a wide variety of sources of information. This provision is open to abuse and will facilitate targeted and exploitative political advertising. To add insult to injury, in the final Act there is a further, even wider, provision inserted in clause 8, adding “democratic engagement” activity to the list of examples of processing activities that can be undertaken lawfully in the public interest (Clause 8 (e)), prompting strong concerned comments from the ICO, that this particular provision could be used to legitimise some of the political campaigning techniques that she is currently investigating. We have now written to the main UK political parties asking for a commitment not to use profiling and targeting techniques in their future political campaigns; we are still awaiting responses.
The Act contains insufficient safeguards in relation to the exceptions to the prohibition in GDPR (Article 22) to automated decision-making without human intervention. In particular our concerns regarding the need for transparency about automated decisions to the individual, and the ability to challenge a decision have not been addressed in the final Act. These concerns were supported by opposition parties in both Houses.
National Security Certificates
The provisions in the draft Bill around the broad and indefinite nature of national security exemptions (including the introduction of a ‘defence’ exemption) have been of grave concern to Privacy International throughout the passage of the Bill. In particular the regime of national security certificates to exempt a wide range of bodies from data protection have insufficient oversight, lack transparency, limited judicial remedy, and due consideration is not given to whether they are necessary and proportionate. We asked for concrete safeguards to be included, and we were supported by opposition parties in these demands in both Houses and our concerns were echoed by the Deputy Counsel of the Joint Committee on Human Rights and by the ICO. There have been modest improvements to these provisions in the final Act, as a result of our advocacy, in terms of transparency, and a requirement to share certificates with the Information Commissioner. These changes are welcome, though not sufficient.
The Act provides for almost unfettered powers for cross-border transfers of personal data by intelligence agencies without appropriate safeguards. We asked that similar safeguards by imposed as apply to law enforcement bodies. We believe that this fails to meet the standards required by the Council of Europe modernised Convention 108, which the Act purports to follow. The provision in the Act allows for non-transparent, unfettered and unaccountable intelligence sharing. We believe that this is another provision that will come back to haunt the UK when negotiating data transfers provisions with the EU post Brexit.
Last but not least: collective redress
Together with digital rights and consumer organisations, we have been advocating throughout the stages of the Bill for implementation of Article 80.2 of GDPR which allows qualified non-profit organisations to take independent action when they consider that there has been a failure to comply with data protection law. While the GDPR provides for individuals to mandate NGOs to take legal action on their behalf, the provision for collective redress was left to EU member countries decision, and the UK decided not to implement it, despite this issue being one of the most hotly debated at all stages of the Bill. And rightly so as many illegal data-related activities are hidden from individuals, including children. Left in the dark about how their data is abused individuals cannot mandate an organisation to act on their behalf. As a result of the pressure by NGOs and some politicians, a small concession was made by the government to review this provision in 30 months’ time. In the meantime, revised consumer rights legislation is being currently considered by the EU institutions which includes provisions for collective redress for all consumer rights infringements, including those related to data protection. Given the government’s commitment to maintain highest standards of consumer protection post Brexit and consumer groups strong advocacy for collective redress, we could see further developments in this policy area before the 30 months are over.
Conclusions, going forward
Despite consistent support for our concerns and suggested amendments at all stages and by all opposition parties, as well as in the Note from the Deputy Counsel of the Joint Committee on Human Rights, government closed ranks and the amendments were, in most part, defeated. Hence, severe concerns remain for most of the 7 issues we have raised throughout the passage of the bill. Even the further evidence of the UK government mis-treatment of Windrush immigrants, or the evidence of tampering with voter profiles for political influence did not act as a wake-up call for this government.
The GDPR will remain the legal framework for the private sector, but in a complex data world there are many interactions between private and public, law enforcement and intelligence agencies and they cannot be considered entirely in isolation. There are human rights concerns, and disputable articles providing exceptions from GDPR that will no doubt be tested in the Courts – and some actions are already on the cards.
Further, data transfers between the EU and the UK are worth billions of pounds in trade: 75% of UK’s cross border data flows are with EU countries. The GDPR has clear provisions on data transfers to third countries and granting states ‘adequacy’ status to allow unconditional transfers of personal data. Given the importance of data flows with the EU, it plays an important part in Brexit negotiations, and the UK Prime Minister has stated that the UK will seek an ‘adequacy plus’ arrangement with the EU post Brexit, a ‘bespoke’ arrangement for the UK and a place for the UK ICO on the new European Data Protection Board. The EU chief negotiator has rejected this, stating that “the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision”
We believe that some of the provisions in the DPA 2018, as outlined above, will come back to haunt the UK, and prove to be a serious stumbling block towards getting adequacy status.
 The DPA 2018 also has provisions to allow for the continuation in the UK post-Brexit