Privacy International Comments on UK GDPR Implementation Law

Privacy International lived up to its reputation for defending and promoting the right to privacy when it recently proposed several recommendations meant to strengthen the United Kingdom Data Protection Bill.

Privacy International is a charity organization that recognizes the crucial role the UK Bill plays in safeguarding the interests of citizens and in the creation of a digital-age data protection regime. Consequently, it forwarded a briefing to the House of Lords and a letter to Matt Hancock MP, UK Minister of State for Digital, outlining fundamental issues and recommendations that would strengthen the Data Protection Bill.

The new UK Data Protection Bill aims to create a clear and coherent data protection regime while updating data protection legislation, including by incorporating GDPR and DPLED. Privacy International felt that the Bill's aim would be achieved if some key aspects of the Bill were amended. According to the organization, the government has done little to re-examine and regulate the conditions for the collection and use of personal information such as political opinion. Privacy International feels that the authorities failed to introduce enough protection against decisions made by automated (computerized) processes, such as credit rating. In addition, the Government seems to prefer a broad exemption from data protection on the grounds of national security. This might grant intelligence agencies unlimited freedom and could infringe people's privacy.

Privacy International had several areas of concern and came up with recommendations for consideration.

  1. Clarity and Accessibility of Structure

Privacy International observed that the Bill has a complex design and structure. This complexity makes it difficult to understand and inaccessible for organizations. Many individuals would need to hire experts such as lawyers to simplify it for them. This might pose significant challenges for the many people who cannot afford expensive lawyers. The charity recommended that the current Bill's structure be simplified.

  2. Delegated Powers

The Bill contains many regulation-making powers and vests a lot of authority in the Secretary of State to introduce secondary law that bypasses the input of Parliament. Privacy International recommends amendments to limit these broad powers and possibly reduce the scope of the regulation-making powers.

  3. Representation

The new Bill does not have provisions for qualified non-profit organizations to pursue data protection breaches voluntarily. The charity notes that such a provision exists in Article 80(2) of the EU General Data Protection Regulation. Consequently, it recommends that the Bill be amended to include a similar provision.

  4. Processing Special Categories of Data

Privacy International is concerned that the Bill lacks a definition of what constitutes "substantial public interest" when processing sensitive data. The Bill also does not explain why the 17 conditions for processing special categories of data constitute such an interest. It notes that this could lead to a lack of sufficient protections for such sensitive data in various cases. The charity recommends that the concept be defined and narrowly interpreted.

  5. Automated Decision-making

The Bill contains inadequate protections against automated decision-making. Privacy International believes that profiling and other forms of computerized decision-making should be subject to strict limitations. It recommends that more concrete safeguards be included in the Bill. Such provisions would ensure human participation in all serious decisions that affect a person.

  6. National Security Certificates

It is noted that the Bill contains provisions that match the current Data Protection Act. However, the Bill includes wider exemptions. Privacy International raises concerns about the timeliness of the certificates, the lack of legal means to challenge them, the lack of transparency, and the exemption of wide powers from data protection principles. The organization recommends re-examination of these areas. Several concrete obligations should be added to the Bill.

  7. International Data Transfers

The Bill lacks provisions for safeguarding the cross-border transfer of personal data. It grants the intelligence agencies unchecked powers for international data transfers. This is a violation of the requirements of the Council of Europe's modernized Convention 108. This convention is a binding global instrument that safeguards people against mismanagement of personal data during processing and also regulates the trans-frontier flow of personal data. Privacy International recommends that regulations for cross-border data transfers be synchronized with the ones required in the Bill for law enforcement purposes.