Reform of UK Data Protection Law

Back in September 2021, the UK government launched a public consultation on the planned reform of its data protection law. My research group at the University of Oxford has formulated a response to this consultation – a heroic team effort.

UK data protection law is currently modelled on EU requirements, particularly the GDPR from 2016 and the 2009 ePrivacy Directive. Following the UK’s withdrawal from the bloc, the government sees a wealth of new opportunities in the reform of the current legal requirements around the protection of personal data.

Overall, as a research group, we welcome the initiative of the UK government to help researchers in handling personal data, and to spur innovation within the UK.

At the same time, we are concerned about potentially harmful consequences for individuals residing within the UK, as a result of a potential weakening of UK data protection standards and rights.

The key points of our document are (direct quotes):

  • Data intermediaries and institutions: Lack of clarity regarding data intermediaries, institutions, and practices put in place to safeguard individuals and support technological growth.
  • AI and responsible innovation: The opportunities for AI innovation in the UK depend on a robust regulatory regime that encourages highly context-specific risk management. This will be best promoted through maintaining existing measures like Data Protection Impact Assessments, Data Protection Officers, record keeping, and prior consultation, amongst others.
  • Erosion of trust in online tracking: Excessive box-ticking in the form of consent banners is not a necessary feature of existing data protection and privacy law, but rather a symptom of non-compliance with it.
  • Removal of the balancing test: The removal of the balancing test for pre-approved legitimate interest purposes will create disproportionate risks for UK citizens, and a false sense of certainty for controllers.