The U.K. government has reintroduced its new version of the European Union GDPR, the Data Protection and Digital Information Bill. The Conservative administration sees the newly proposed regulation as removing GDPR’s more ‘burdensome requirements’.
Chris Denbigh-White, Security Strategist at data loss prevention firm Next DLP, has been assessing the U.K. data privacy bill being proposed by the government.
Denbigh-White begins by considering the new bill alongside the established data privacy regulation of the European Union. He finds: “GDPR was originally created ‘to protect the data of European Union (EU) citizens residing within the member states.’ What is notable to me is that the UK Privacy Bill appears to convey a more nuanced sentiment than GDPR does.”
As to what this means, Denbigh-White continues: “Where GDPR was relentless in the protection of personal data and empowering data subjects to ‘control their data destiny,’ the UK Privacy Bill (well, at least the UK GOV press release) speaks of ‘reducing the burden on business.’”
As to the actual content of the legislation, Denbigh-White reveals: “Elements in the Bill such as switching online tracking cookie requirements from ‘opt-in’ to ‘opt-out’ are obvious examples of this; however, revisions in the handling of Data Subject Access Requests (DSARs) also show a slight favouring of the data processors over the data subjects.”
As to whether this is a good idea, Denbigh-White’s assessment is: “Whilst safeguards around ‘vexatious’ and ‘abuse of process’ data requests are a sensible step to take, their introduction does include a certain layer of uncertainty as to the threshold of what can be determined as ‘vexatious’ and who sets that threshold could serve to weaken data subjects’ rights to data access.”
In terms of other aspects, Denbigh-White says: “Another interesting development is the clarification (and in many ways the loosening) of controls around automated data processing and decision-making technologies using artificial intelligence.”
Is AI a good thing? According to Denbigh-White: “The UK Government is keen to stress the potential benefits of AI-driven decision making especially in areas such as healthcare and fraud prevention, however, there have long been concerns around bias risk in the use of AI decision-making that could compound existing biases to which healthcare users are subject.”
Here there could be a weakness, says Denbigh-White: “The protections included within the UK Privacy Bill which enable a person subject to an automated decision to challenge the decision and have it reviewed by a human may not be enough. Marginalised groups who may be subject to AI-related bias may not feel empowered to call upon these legislative protections leaving them potentially worse off.”
For an overall assessment, Denbigh-White concludes: “In any event the UK Privacy Bill loosens a lot of the controls that were established under GDPR. An interesting question would be whether the UK can maintain a defensible real-terms “adequacy status” in light of this.”
