Data Wars: Return of the DPDI (Episode II)
The government recently brought an updated version of the Data Protection and Digital Information Bill to parliament, and it will soon enter a phase of scrutiny by committee. This much-anticipated sequel will reportedly save British businesses billions of pounds in unnecessary paperwork, and people will apparently no longer be bothered by so many annoying cookie popups when browsing the web.
These are laudable aims, but there is more to this Bill than meets the eye, and there may be dark forces lurking within.
It is very often the case that when the government introduces a new Bill to Parliament, it contains a real mixed bag of policy odds and ends from more than one team or even multiple departments. This is because parliamentary time and capacity to scrutinise and ultimately pass new legislation is limited, whereas the supply of good (and sometimes bad) ideas coming through government departments and parliamentarians is near infinite. There is just no way of meeting all of the government’s priorities at once.
Often the solution that officials and ministers look to is joining forces and lumping vaguely related things together into a combined Bill. If it works, it can mean you get more bang for your parliamentary buck. But if it goes badly, it can mean derailing some or all of the policies, well-thought-out or otherwise.
This appears to be what has happened with the Data Protection and Digital Information Bill (the DPDI from here on in). It covers all manner of tricky issues, from trying to reduce cookie banners and the paperwork that data protection law creates for business, to new frameworks for digital ID verification, schemes for increased data portability, governance changes for the data protection authority (the ICO), artificial intelligence, and national security.
These are all challenging and potentially emotive issues to combine in a single story, which has inevitably resulted in a slightly confused narrative. Through its amendments the government appears to have responded to feedback in good faith, but by charting the middle course you can risk upsetting everyone.
The (British) Empire Strikes Back
There has so far been a strong hint of Brexit in the government’s synopsis of the DPDI. Its announcements have referred to vast cost savings to businesses and a reduction in annoying cookie banners. In doing so, there have been a few thinly veiled swipes at the EU’s ‘top-down’ and ‘one-size-fits-all’ approach to regulation and the associated ‘pointless paperwork’. As the new DPDI Bill will reportedly follow a ‘common-sense-led’ approach, the implication for the EU’s approach is less complimentary. These will be popular issues, and an opportunity to champion the benefits of taking back control of our laws.
There may be some validity to this, but at first glance it appears that the benefits may also be overstated. As the government is so keen to mention, we will be diverging in some senses from EU law, but importantly not so much that we lose our Adequacy status with the EU. But as companies that trade within the EU will still need to meet EU standards for that market, they may just stick with what they are doing to avoid running two different processes. This may be particularly acute for changes affecting websites, which aim to serve potential customers all around the world. In this sense some of these headline-grabbing, EU-bashing benefits might be a bit of a red herring.
Inflating benefits and spinning headlines that land well with the supporter base are unsurprisingly standard fare in Westminster. In truth, the main crime the government has committed through this Bill is its paradoxical approach to data portability.
A New Hope for Data Portability
The unsung hero within the DPDI is undoubtedly the new powers for the government to introduce Smart Data schemes. In practice, this could lead to new schemes in a range of sectors such as finance, communications, and energy that unlock the flow of consumers’ personal data from their providers to trusted third parties.
As has now proven to be the case with Open Banking, this could revitalise competition in sectors where the game has for too long been rigged towards a small number of large incumbents (think energy, telecoms, insurance, online platforms), and at the same time unleash a wave of innovation with brand new services and markets not currently possible.
As I wrote previously, I foresee that one of the most powerful candidates for such a scheme would be Open Digital, through which consumers could (if they wish) seamlessly provide continuous real-time access for accredited third parties to their online data generated by web browsing, app downloads, online shopping, music and video streaming, travel, etc.
Personal Information Management Services (PIMS) have for decades been an academic pipe dream, but Smart Data schemes like this will make them a reality. In parallel, as we are observing rapid advancement of AI capability and its potential ability to learn and add value from large volumes of information, the case for releasing data from the shackles of its holders has never been stronger.
The government has been working on Smart Data for some time, having consulted on initial proposals back in 2019, and has subsequently run workshops with regulators and conducted various pieces of research. In its final impact assessment, it championed the potential benefits of ‘new innovative services, stronger competition in the affected markets, and better prices and choice for consumers and small businesses, including through reduced bureaucracy. Competitive data-driven markets can reduce friction for established market players, and drive start-ups, investment, and job creation’.
I agree. This is good policy making with no political agenda. But after more than four years of thinking, we are likely still several years away from a new scheme being implemented. For now, we must hope that the newly created Smart Data Council can inject some urgency into proceedings.
The dark side
You simply cannot reduce burdens on business from data protection law without reducing protections for individuals and without increasing the risks to privacy. They might be small, and they might be deemed socially acceptable for the greater good, but there are costs here that are not being acknowledged. For example, the planned amendments to the law regarding ‘legitimate interests’ could lead to a rise in spam emails and tracking across the web, just at a time when consumer sentiments and industry-led changes are going in the other direction.
Now I’m not saying that necessarily makes the changes to the law a bad idea; I just think the government ought to be much more transparent about the tradeoffs. Bizarrely, the only mention of this potential downside that I could find in the government’s impact assessment was located within its assessment of the benefits of the Bill, where it said:
‘The proposed measures are designed to maintain key safeguards and high standards of data protection, while shifting to more outcomes-based requirements and therefore we do not expect the proposals to lead to worse outcomes for individuals. For example, we propose making accountability more flexible and risk-based while still maintaining the accountability framework itself. Data subjects would maintain their rights to a SAR and those that wish to access their data would still be able to.’
So there you have it – the government is confident there will be no negative outcomes for individuals from this Bill, so there is no need to discuss it any further.
Despite the statement that people will still be able to make subject access requests and access their data, the government’s impact assessment attributes substantial financial savings to a change to the SAR rules, with assumptions of significant reductions in the cost of responding to requests. The costs are lower because the government is lowering the threshold for companies to not respond at all, or alternatively to charge a fee for doing so.
Data portability rights as established through subject access requests in the GDPR are already extremely flimsy from an individual’s perspective, and the user experience is extremely clunky and slow. The government admitted as much in justifying the Smart Data proposals, stating that ‘UK GDPR created a right to data portability but does not enable data sharing as envisaged for Smart Data, lacking strong standards and secure data sharing requirements.’ Rather than directly addressing this problem, the government is proposing to make it worse.
There are circumstances where organisations with limited resources may be disproportionately affected by the current regime for subject access requests, and I can understand why the government might wish to address this situation and allow for a bit more flexibility with response times in targeted circumstances. But on the other hand there are some very large firms with near-limitless resources for which the existing rules are far too lax. This is one area of the rule-book that is crying out for a departure from the ‘one-size-fits-all’ approach.
In my view this element of the Bill sends a strong message from government that data portability is the enemy of businesses. Rather than make it easier for people to access their data, it is making it even easier for companies to resist. This is a harmful and backward step, in contrast with the broader direction of travel in the online ecosystem, and risks undermining the positive progress towards Smart Data schemes.
A possible trilogy in the making
There are plenty of reasons to think this Bill will struggle to make it through the Parliamentary process in its current form. The extensive debate and scrutiny will highlight the somewhat contradictory plot line, while parliamentarians will pick up on the negative reviews from a range of key stakeholders.
Amendments could go two ways. They could help to refine the Bill, iron out any contradictions, and ensure that tradeoffs are adequately recognised. Or, they could derail the whole thing to the point that the Bill is abandoned, or brought back for a third time with a streamlined new look.
Gener8 looks forward to engaging proactively with parliamentarians to help support the Bill’s progress, but at this stage I would not rule out a threequel.