The new UK government must ensure stronger protection of its citizens’ data

As the artificial intelligence (AI) revolution accelerates, governments need to do more to protect their citizens from its risks. In the UK, we haven’t done enough. In fact, the former Conservative government wanted to weaken UK data protection rights, with its proposed Data Protection and Digital Information (DPDI) Bill.

Although it was expected to receive Royal Assent and be passed into law, it was one of the bills scrapped due to the dissolution of parliament before the general election. But other legislation – the Retained EU Law (Revocation and Reform) Act 2023 is already on the statute book and will create uncertainty for UK data protection standards and other areas such as employment law.

Now, the new government must restore certainty for data protection rights and ensure that citizens are properly protected from harmful new technologies. With AI evolving at an extraordinary pace and permeating social, governmental, business and workplace interactions, those in charge need to find solutions that comprehensively address the challenge.

Free flow of data

DPDI had several concerning implications – not least putting EU-UK data flows in jeopardy. The free flow of personal data across borders is essential to the globalised economy. The International Chamber of Commerce has said that the benefits of trade depend on the trusted flow of data between countries.

Indeed, data transfers are estimated to contribute $11 trillion to global GDP by 2025, which exceeds the global trade in goods. The finance, banking, retail and hospitality sectors all depend on them.

In this context, the free flow of data between the UK and its biggest trading partner, the EU, is of crucial importance. Currently, there is a free flow for both general and law enforcement data processing. This is how we maintain close trade ties and co-operate effectively in the fight against crime.

The free flow of data has continued post-Brexit because the EU conferred data adequacy decisions on the UK, because the UK’s data protection regime – the UK GDPR and the Data Protection Act 2018 – mirror EU frameworks.

The free flow of data continued because the EU assessed the UK’s frameworks as providing an essentially equivalent standard of personal data protection to its own. UK data adequacy will be reviewed in 2025, when the EU will decide if UK standards are still sufficient.

Lowering of UK standards

The proposed DPDI bill would have lowered UK data protection standards. In the name of cutting ‘red tape’, it would have eroded people’s data protection rights and freedoms.

It diverged from certain key elements of EU GDPR, such as protections from automated decision-making, the tests applicable when the UK conferred its own data adequacy findings on third countries and the legal basis for the processing of personal data. Ministers would also have gained extensive powers to water down protections.

If it had become law, the DPDI bill would have created headaches for the European Commission in renewing data adequacy for the UK. Before the proposed UK law was ditched, EU politicians were voicing their concerns about potential threats to law enforcement co-operation frameworks.

The DPDI Bill would also have made the UK’s data adequacy decisions vulnerable to challenge before the CJEU. The CJEU has twice invalidated US adequacy decisions because they did not ensure an essentially equivalent level of protection of personal data to the EU. The watering down of UK data protection standards created a clear risk.

Consequences for UK

A loss of data adequacy would stop the free flow of data from the EU to the UK. Previous estimates have put the cost of ending the free flow of data from the EU to the UK at up to £1.6 billion for UK businesses. As a result of provisions set out in the EU-UK Withdrawal Agreement, the loss of data adequacy would also create different tiers of data protection standards in the UK depending on where the data being processed originated. This would create significant, costly operational problems.

A loss of data adequacy could also lead to the suspension of the law enforcement co-operation mechanisms in the EU-UK Trade and Cooperation Agreement, which would make citizens on both sides of the Channel less safe.

Lower data protection standards in the UK compared to the EU would also create barriers to trade, further hampering the growth the new Labour government is keen to encourage.

The Retained EU Law (Revocation and Reform) Act 2023

One area where the previous government has lowered standards of protection and legal certainty across a wide swathe of the statute book is through the Retained EU law (Revocation and Reform) Act 2023 (REULA). REULA has created damaging uncertainty about how to interpret the law that came from the EU and was saved into the UK statute book on the UK’s departure from the bloc. The problems created by REULA also affect the UK’s data protection frameworks. The new Labour government should deal with this issue as a priority.

The uncertainty created by REULA can be illustrated by two examples: first, REULA has effectively turned the statute book on its head. Domestic law (whenever enacted) now takes precedence over any law that was previously EU law (including over the UK GDPR). This is the opposite of what the Parliamentary draftsman intended – previously in a conflict between the UK GDPR and the Data Protection Act 2018 the UK GDPR would have taken precedence.

Now the opposite is true. An example of the unintended outcomes of this policy is in the area of exemptions from data subject rights. The Open Rights case (brought before REULA came into force) required the government to provide EU-standard protections for migrants when exercising data subject rights. But because of the reversal of the relationship between the UK GDPR and the Data Protection Act 2018 every other group in society has a lower standard of protection for their data subject rights, compared with migrants.

This outcome was clearly not anticipated and illustrates the anomalies that REULA has the potential to create. Second, REULA deleted the EU general principles (including the right to the protection of personal data) from the statute book. This is particularly problematic in data protection law, given that the UK GDPR is in essence a detailed working out of the EU fundamental right to the protection of personal data. The deletion of EU fundamental rights has made the application of domestic and saved CJEU case law on data protection rights uncertain.

The courts have yet to grapple with the changes that REULA has made given that it is so new the true extent of the effects have yet to be felt. But in order to ensure that data protection standards in the UK remain high the new Labour Government should bring forward legislation. It could use the powers in REULA to reintroduce deleted principles to bring clarity and legal certainty. Alternatively, the best course of action may be to bring forward primary legislation to ensure that the UK statute book is stabilised. Powers to update our data protection frameworks should also be considered to ensure it continues to be current and tracks accepted EU and international standards.

This would support growth and avoid the risk of losing the UK’s data adequacy decision which is due to be reviewed next year. The new government will hopefully take steps to strengthen data protection rights, ensuring that they are equivalent to those in the EU by mitigating the uncertainties created by REULA.

AI and automated decision-making: a new approach

Another area where the law is simply being ignored (or alternatively misunderstood) is automated decision-making. For example, trade unions are already reporting stories of postal workers being tracked and having their walking speed dictated by an algorithm that doesn’t factor in their age, health and propensity to stop and help their customers.

Likewise, AI software decided that certain delivery drivers were not driving efficiently and getting to their destinations on time, because they stopped at red traffic lights. The UK GDPR already contains protections from solely automated decision-making where those decisions have significant implications for individuals (ie where the result would mean losing their job or being turned down for insurance, for example). But the law in this area is being flouted on a significant scale.

The Labour Party manifesto pledged AI regulation to “Ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models.” It is far from clear that this legislative agenda would deal with the issues highlighted by trade unions.

Further, the temptation to bring forward new legislation to deal with technological innovation may not solve the issues: protections from automated decision-making may simply need stronger enforcement. Gargantuan pieces of legislation such as the Online Safety Act 2023 supplemented by hundreds of pages of guidance are simply too complex for most organisations to understand. The EU AI Act which is also hundreds of pages long is extremely complex. The answer may be to legislate in a different way based on established human rights principles, complemented by detailed regulatory guidance which can be changed at pace to reflect rapid technological change and give practical support to ensure that the principles are met.