.svg)
The devil will be in the detail of the government’s data protection reforms, the Information Commissioner’s Office (ICO) has said in response to the UK government’s push to overhaul the 2018 Data Protection Act.
"Innovation is enabled, not threatened, by high data protection standards,” said Elizabeth Denham, the UK’s Information Commissioner, in her institution’s response to the government’s General Data Protection Regulation (GDPR) reform package.
As a member of the European Union, the UK came into the scope of the GDPR and implemented its requirements.
However, on September 10, the Department for Digital, Culture, Media & Sport (DCMS) unveiled new plans to reform the UK’s data regime.
Within the document, Oliver Dowden MP, the then secretary of state responsible, described his plans as "bold" and the existing EU-inspired regime as "unnecessarily complex or vague" in parts.
The proposals for reform took the form of a consultative exercise, and members of the public have until November 9 to submit responses.
The government wants to lower the compliance burdens that come with the GDPR and has also touted the removal of Article 22, which deals with automated individual decision-making, including profiling.
This is an area that has come under scrutiny from the ICO. “Resolving the complexity by simply removing the right to human review is not, in our view, in people’s interests and is likely to reduce trust in the use of AI [artificial intelligence],” the regulator said.
Rather, the ICO has suggested that the government should consider the extension of Article 22 to cover partly, as well as wholly, automated decision-making.
According to the ICO, this would better protect people, given the increase in decision-making where there is a human involved but the decision is still significantly shaped by AI or other automated systems.
The consultation response also raises alarm bells about clarifying the scope and substance of fairness in the data protection regime as applied to the development and deployment of AI systems.
“When people’s data is processed, including when it is used to make decisions that affect their lives, both the process and the outcomes should be fair,” the regulator said.
“We would be deeply concerned about any clarification or changes to the data protection regime that removed the centrality of fairness in how people’s data is used,” the ICO said, adding that data protection legislation should continue to ensure that when people’s data is processed, they are treated fairly.
The ICO supports the intention of the proposals to make innovation easier for organisations, confirmed Denham.
“I agree there are ways in which the legislation can be changed to make it simpler for companies to do the right thing when it comes to our data,” she said, continuing to stress that it is vital that the regulatory and administrative obligations of legal compliance are proportionate to the risk an organisation's data processing activities represent.
For example, the ICO’s response endorses the government’s plans to make it easier to use, share and re-purpose data for research. “We recognise the significant public benefit research can bring when conducted with appropriate safeguards,” the document says, continuing that enhanced and sustained transparency and taking data protection by-design approaches are key to achieving this.
The ICO has also thrown its weight behind proposals to reform cookie consent mechanisms, stating that they do not provide effective transparency for people.
The information, and the processing to which it refers, is complex and most users click to accept without reading it, the ICO said, stating that this is a consequence of the way in which the ecosystem has developed, with limited consideration of data protection requirements and underpinned by complex infrastructure.
“We would like to see a friction-free online experience, in which users’ preferences about how their information is used and shared are respected,” the ICO said.
The regulator has also backed government plans to crack down on fraudulent calls through increasing the fines available to the ICO via the Privacy and Electronic Communications Regulations (PECR).
However, the ICO urged the government to go further and bring the whole enforcement kit into alignment with that of the GDPR.
Meanwhile, proposals to ensure the ICO's powers are effective are also welcome. “My office will be engaging closely with the government to ensure we have the resources we need to fulfil our role," Denham continued.
Among the proposals that the government has made is one that would introduce a more commonly used regulatory governance model for the ICO. This would include a statutory supervisory board with a separate chair and chief executive, similar to that of the UK’s Financial Conduct Authority.
According to Denham, this will be better suited to the ICO’s role as a whole economy and public sector regulator with extensive domestic and international responsibilities.
However, Denham also noted the importance of the ICO being able to hold the government to account on data protection matters. “The current proposals for the Secretary of State to approve ICO guidance and to appoint the CEO do not sufficiently safeguard this independence. I urge the government to reconsider these proposals to ensure the independence of the regulator is preserved,” she cautioned.
