Michelle Donelan, the Secretary of State for the Department of Digital, Culture, Media and Sport (DCMS), announced a new, British, approach to data protection at the October 2022 Conservative Party Conference. It seems the Johnson government’s new direction for data, which culminated in the Data Protection and Digital Information Bill introduced in Parliament in July, is to be revised through more consultation, though it appears not a public one.
GDPR isn’t perfect and it would be great if the UK could be bold in changing data protection laws to build on and move beyond GDPR. Unfortunately, the Bill as it stands takes backwards steps rather than confronting future – or even current – challenges. Its focus on simply reducing regulation, especially for small businesses, is misplaced and out of step with the kind of regulation the modern data economy needs.
Contemporary uses of data raise questions about the intuitive notions of individual data ownership and privacy at the heart of GDPR, not least because how we are treated depends on what is known about other people. Network analysis can be used to derive sensitive information, such as working out your politics or sexuality from your Facebook friends. Profiles are built from the behaviour of other people, and used to make significant decisions: for example, your credit rating can depend on the repayment histories of people who shop at the same stores. Predictions of what you will do are made based on what others have done, whether it’s recommending what film you might want to watch next, or for your parole to be refused because similar prisoners have reoffended.
The increasing dependence on data, by both the public and private sectors, can result in wider collective harms. Algorithms built on biased data embed and enhance existing inequalities – Ofqual’s algorithm in 2020 awarding higher grades to students from private schools is just one example. Targeted misinformation makes it harder to engage in meaningful democratic debate. Data-intensive companies leverage their privileged access to information to skew markets and compete with smaller businesses.
GDPR misses these group and collective harms that arise from contemporary big data processing and AI. Based on a 1970’s model of data processing, and designed around health and social science research, it focuses on the rights of “data subjects” – those represented in data being processed – not the interests of the people and communities who are affected by its use.
But the UK Government’s current data protection proposals do not address these group and societal impacts either, instead focusing on reducing the compliance burden on businesses by making it easier to ignore those risks and harms, and harder for us to have a say in how data about us, our families and communities, gets used.
It is still unclear the degree to which the next consultation will provide a significantly new new direction for the UK’s data protection regime, or simply make a few amendments to the current Bill. We can hope that their British approach to data protection will incorporate the latest approaches to data governance from around the world and build on the UK’s institutional strengths.
A British approach implies that the British values taught to school children – democracy, the rule of law, individual liberty, and mutual respect – should be built into our data protection regime. This should mean strengthening our individual and collective rights and power over the use of data by both the state and corporate interests. And it should mean recognising the important role of public participation, regulation and enforcement in building trust with the public around the use of data.
Instead, the British approach to data protection that Donelan is proposing appears to entail reducing it. In her speech, Donelan claimed that shortages of electricians and plumbers were due to the costs of GDPR compliance. There’s no denying that complying with the law can be burdensome. But small traders also know the importance of building trust with their customers, and the damage that cowboys can do. What applies to building standards also applies to handling customer data: we need to know data is not going to be leaked, misused or sold to data brokers and come back to bite us in unwanted marketing, increased insurance prices, or damage to our credit ratings.
Rather than lowering the data protection that small businesses provide us with, we should be supporting them to be more confident in using data well. Giving people a say in how data gets used is one way to improve data skills and literacy as well as building trust needed for long term success. We should be debating and negotiating the role data plays in our lives: not just with businesses large and small, but in parent-teacher associations, in unions, professional bodies, and local community groups.
Developing democratic debate over data – not removing regulation – is the way to build skills, confidence and trust in its use. That’s what will lead to increased innovation, technology adoption, improvements to productivity, and the kind of economic growth we need. Letting the cowboys loose with a bonfire of red tape will undoubtedly do just the opposite.