Individuals’ control over and access to their data is being undermined by a post-Brexit bill that favours big business and “shady” technology companies, a digital rights group has claimed.
The data protection and digital information bill includes changes to rules on subject access requests (SARs), which allow an individual to ask an organisation for copies of personal information that it holds about them, and automated decision-making.
SARs hit the headlines recently because of their use by politicians, including Nigel Farage in his dispute with Coutts, and the Green MP Caroline Lucas, who used one to find out that she had been flagged by a government disinformation unit. Their use is believed to have soared in recent years as a result of the 2018 EU GDPR (general data protection regulations), which meant organisations could reject a request or charge a fee only if it was “manifestly unfounded or excessive”.
The bill changes that condition to “vexatious or excessive”, and Abigail Burke, the policy manager for data protection at Open Rights Group (ORG), said the effect would be to lower the threshold for refusals, leading to a significant increase.
“There’s already a huge power imbalance between large corporations and the government, and individuals, so when everyday workers or other people are trying to get an understanding of how companies or their employer are using their data, subject access requests are critical,” she said.
“You can’t really exercise your data rights if you don’t even know what data is being held and how it’s being used, so the changes are very concerning to us. Subject access requests to the police and other national security bodies have been really important for allowing people to understand how their data is being shared.”
She said the bill also:
Greatly expanded the situations in which AI and other automated decision-making was permitted and made it even more difficult to challenge or understand when it was being used.
Granted vast powers to the secretary of state to direct the Information Commissioner’s Office and more controls over how data is collected and re-used without proper parliamentary oversight.
Created “extremely vague” exemptions for re-use of data – collected for routine things such as housing or social benefits – for “national security” and “crime prevention purposes”, which would expand surveillance.
“It greatly weakens your control over and access to your own data, making it very difficult to understand when and how automated decision-making is being used to make important decisions about your own life,” said Burke.
“And it reduces some of the safeguards and the mechanisms that you have to make complaints, or try to challenge decisions that you think are unfair. It’s basically the government choosing big business and shady technology companies over the interests of everyday people.”
However, the government does not believe there will be a significant increase in SARs being refused. A spokesperson said ORG’s claims about the bill were “misleading and in several cases factually inaccurate”, and that it would “provide greater clarity about how companies handle people’s personal data”.
The spokesperson added: “It will also enshrine a new right for people to complain directly to an organisation about how their data has been handled – providing even more protection for customers and users. It will strengthen the enforcement powers of the independent regulator to hold companies of any size to account.”