The UK government data protection reforms - good for business, but are they good for you?

This is a guest post by Computer Weekly security editor Alex Scroxton, which features in the 21 September issue of the Computer Weekly digital magazine as its leader column.

It is hard to sum up quite how transformational the government’s proposals to reform the UK’s data protection regulations could be, but Mariano delli Santi, legal and privacy policy officer at the Open Rights Group, has tried. In a Twitter thread posted on 10 September, he said: “You won’t believe how bad it is.”

Before anything else, as tech advocates, we must acknowledge that the proposals contain much to please the IT leaders, businesspeople, digital innovators and startup founders that Computer Weekly has long championed.

But this is about more than being pro-business. This is about changes to citizen rights and freedoms by a government that has exhibited a worrying authoritarian streak, detailed in a 146-page consultation document written in language so dense as to be in parts impenetrable.

Alarm bells rang when, at a media briefing ahead of the consultation, government officials spoke of changes to requirements for data protection officers, an end to mandatory data protection impact assessments, and changes to rules on breach reporting, while insisting this was not a bonfire of red tape.

One proposal guts transparency obligations, potentially making it legal for businesses to reuse data collected for research purposes without telling people, if it would require “a disproportionate effort” to do so. Another proposal to introduce fees to make a data subject access request could cut down on spurious requests, but it would also discourage many people from making legitimate enquiries.

Then, chillingly, there is the proposal to remove Article 22 of the GDPR, which ensures people can seek a human review of an algorithmic decision. The government believes this rule holds businesses back from implementing artificial intelligence. However, it also serves to safeguard citizens from algorithmic bias – based on factors such as gender, race or health – in automated decision-making. Why would any reasonable person surrender such protections?

It is true there is much about the GDPR to fix, but it can’t be done through unilateral changes to obligations the UK helped design when an EU member. Altering our regulations puts us on a collision course with the EU, and puts at risk our hard-won data adequacy settlement, the retraction of which would be hugely damaging to our business interests. There is everything to be gained from working hand in hand with the EU to address any concerns.

So if you choose to take part in this consultation, when you formulate your responses, as IT leaders, technologists, scientists, and businesspeople, set aside what these proposals mean for your business or research interests, and consider also what they mean for you as a member of our free, civil society.