Shifting power and sovereignty. Please don’t spaff our data laws up the wall.

Duncan Green’s book, How Change Happens reflects on how power and systems shape change, and its key theme is most timely post the General Election.

Critical junctures shake the status quo and throw all the power structures in the air.

The Sunday Times ran several post-election stories this weekend. Their common thread is about repositioning power; realigning the relationships across Whitehall departments, and with the EU.

It appears that meeting the political want, to be seen by the public to re-establish sovereignty for Britain, is going to come at a price.

The Sunday Times article suggests our privacy and data rights are likely to be high up on the list, in any post-Brexit fire sale:

“if they think we are going to be signing up to stick to their data laws and their procurement rules, that’s not going to happen”.

Whether it was simply a politically calculated statement or not, our data rights are clearly on the table in current wheeling and dealing.

Since there’s nothing in EU data protection law that is a barrier to trade doing what is safe, fair and transparent with personal data it may be simply be politically opportunistic to be seen to be doing something that was readily associated with the EU. “Let’s take back control of our cookies”, no less.

But reality is that either way the UK_GDPR is already weaker for UK residents than what is now being labelled here as EU_#GDPR.

If anything, GDPR is already too lenient to organisations and does little especially for children, to shift the power balance required to build the data infrastructures we need to use data well. The social contract for research and other things, appropriate to  ever-expanding technological capacity, is still absent in UK practice.

But instead of strengthening it, what lies ahead is expected divergence between the UK_GDPR and the EU_GDPR in future, via the powers in the European Union (Withdrawal) Act 2017.

A post-Brexit majority government might pass all the law it likes to remove the ability to exercise our human rights or data rights under UK Data protection law.  Henry VIII powers adopted in the last year, allow space for top down authoritarian rule-making across many sectors. The UK government was alone among other countries when the government created its own exemption for immigration purposes in the UK Data Protection Act in 2018. That removed the ability from all of us,  to exercise rights under GDPR. It might choose to further reduce our freedom of speech, and access to the courts.

But would the harmful economic side effects be worth it?

If Britain is to become a ‘buzz of tech firms in the regions’, and since  much of tech today relies on personal data processing, then a ‘break things and move fast’ approach (yes, that way round), won’t protect  SMEs from reputational risk, or losing public trust. Divergence may in fact break many businesses. It will cause confusion and chaos, to have UK self-imposed double standards, increasing workload for many.

Weakened UK data laws for citizens, will limit and weaken UK business both in terms of their own positioning in being able to trade with others, and being able to manage trusted customer relations. Weakened UK data laws will weaken the position of UK research.

Having an accountable data protection officer can be seen as a challenge. But how much worse might challenges in court be, when you cock up handling millions of patients’ pharmaceutical records [1], or school children’s biometric data? Save nothing of the potential implications for national security [2] or politicians when lists of millions of people could be open to blackmail or abuse for a generation.

The level playing field that every company can participate in, is improved, not harmed, by good data protection law. Small businesses that moan about it, might simply never have been good at doing data well. Few significant changes have been of substance in Britain’s Data Protection laws over the last twenty years.

Data laws are neither made-up, bonkers banana-shaped standards,  nor a meaningful symbol of sovereignty.

GDPR is also far from the only law the UK must follow when it comes to data.  Privacy and other rights may be infringed unlawfully, even where data protection law is no barrier to processing. And that’s aside from ethical questions too.

There isn’t so much a reality of “their data laws”, but rather *our* data laws, good for our own protection, for firms, *and* the public good.

Policy makers who might want such changes to weaken rights, may not care, looking out for fast headlines, not slow-to-realise harms.

But if they want a legacy of having built a better infrastructure that positions the UK for tech firms, for UK research, for citizens and for the long game, then they must not spaff our data laws up the wall.


Duncan Green’s book, How Change Happens is available via Open Access.


Updated December 26, 2019 to add links to later news:

[1]   20/12/2019 The Information Commissioner’s Office (ICO) has fined a London-based pharmacy £275,000 for failing to ensure the security of special category data. https://ico.org.uk/action-weve-taken/enforcement/doorstep-dispensaree-ltd-mpn/

[2] 23/12/2019 Pentagon warns military members DNA kits pose ‘personal and operational risks’ https://www.yahoo.com/news/pentagon-warns-military-members-dna-kits-pose-personal-and-operational-risks-173304318.html