05 July 2022
The government recently published its updated proposal to reform data protection rules in the UK post-Brexit. In November, 5Rights reacted sceptically to the original proposals, commenting that it was ‘hard to see how chipping away at newly won data rights is designed to benefit children, or indeed the wider public’. This remains our overriding sentiment.
The government is seeking to reform data protection laws in the UK to capitalise on a potential ‘Brexit dividend.’ But in reality, the proposals offer little prospect of net economic benefit. The government claims that the proposed changes would bring a net benefit to the UK economy due to compliance costs of companies being reduced. Not only are these projected net benefits relatively small, representing less than 0.08% of GDP, but they also risk being undermined by the additional compliance costs to UK business of losing the data adequacy decision from the EU. This is because the reform risks fundamentally undermining the basis on which the UK was awarded data adequacy by the EU, which is key to the frictionless flow of data between the UK and EU. Many of the proposals in the data reform bill will jeopardise our data adequacy, and losing it could easily cost more than the net projected benefit. So at best, based on the picture drawn up by the government, the economic impact will be marginal. But in reality, we are likely to be faced with a real risk of a net economic loss for the UK economy and businesses.
While the economic case for this reform is weak, let us consider if it fares any better in its impact on our digital rights, and in particular those of children.
The short answer is no. As we outlined in our earlier post, proposals as currently formulated risk undermining key standards for the protection of children’s privacy and safety online, as established in law in the Age Appropriate Design Code. Nothing in the new data regime should undermine these requirements or indeed any aspect of the Code. Not only this, but it is particularly disappointing that the government, despite considerable opposition from many who responded to the consultation, is sticking with some of the most contentious proposed changes. We explore some of these changes below.
1. Cookie opt-out
The area of greatest concern is the decision by the government to switch to a system of opt-out for all cookies. This is despite the vast majority of respondents to the consultation rejecting the removal of the consent requirement for all invasive cookies. This will mean that websites will be tracking users by default with the onus put on individuals to manually opt-out.
In recognising that an opt-out system is highly problematic from a child rights perspective, the government notes that sites which are ‘likely to be accessed’ by children would have to continue to rely on opt-in consent. This would create a significant incentive for digital services to define themselves as not likely to be accessed, since this would allow them to benefit from the opt-out model, as well as ensure they are not bound by the AADC. It would also create an even more confusing environment for users, who would first have to work out whether the site is likely to be accessed by children in order to figure out how to set their privacy settings.
However, there is a silver lining to developments in this area: the government makes positive comments with regard to the need for automated signals, such as from a browser or plugin, to be given legal status. This would allow people to set their desired privacy settings once and have all digital services they interact with respect them, something children have consistently told us they want.
2. ICO reform
Another major area of concern was the changes to the Information Commissioner’s Office itself – the UK’s data regulator and enforcer of the Age Appropriate Design Code – as well as its relationship to government. While 5Rights continues to welcome proposals around regulatory cooperation and more transparency, we continue to be concerned about the obligation to have ‘regard to innovation and economic growth’ when enforcing our data rights, as well as giving the Secretary of State more powers to direct or approve of codes of practice or guidance. It is vital the government does not confuse the role of the ICO, nor interfere too much, especially in its work to ensure compliance with the Age Appropriate Design Code.
3. Legitimate interests
In its consultation, the government proposes to create a list of activities for which businesses could use personal data under the legitimate interest legal basis without having to balance the interests of the data subjects, even when the data subject is a child. Again, despite the vast majority of respondents arguing against this change and the government noting there was minimal disagreement that children’s rights should always be balanced, it is proceeding with a limited list of purposes that companies will be able to use. The proposed purposes are focused on public interest uses of data, which are arguably less problematic than the business purposes that were in the consultation. Although this is not enough, we do note that the government will ‘consider if any additional safeguards are needed for children’s data’.
4. Subject Access Requests
We are pleased to note that the government has stepped back from allowing companies to charge users to access data held about them via a Subject Access Request. This would have represented an unjustifiable barrier to people, especially children, exercising a key data right.
The publication of the revised data reform proposals is an important milestone in the long journey towards new data protection laws being passed. The Age Appropriate Design Code and Data Protection Act 2018 are world-leading pieces of legislation that have significantly improved children’s experiences online. It would be a dramatic setback for children, and a government failure, if all the progress made is undermined by the future data reform bill.