UK data guardian challenges government proposals on automated decision-making

The UK's National Data Guardian (NDG) has warned the government against watering down individuals' rights to challenge decisions made about them by artificial intelligence.

The independent healthcare data rights watchdog also said the government's consultation on changes to data protection law following the UK's departure from the EU makes proposals that would represent a "significant departure" from the General Data Protection Regulation (GDPR), potentially jeopardising data-sharing arrangements.

The UK's current implementation of the GDPR, the Data Protection Act 2018, stipulates in Article 22 that people have a right not to be made subject to a solely automated decision-making process if that decision has significant effects.

These rights should be reviewed, according to the consultation launched by the Department for Digital, Culture, Media and Sport (DCMS) in September. The proposals state that the need "to provide human review [of AI decisions] may, in future, not be practicable or proportionate."

In her response to DCMS's consultation, Data: a new direction, NDG Dr Nicola Byrne said: "The NDG has significant concerns about proposed reductions to existing protections and the ability of professionals, patients, and the public to be actively informed about decisions that can have significant impacts for them.

"Further, it may negatively impact people's trust in decisions made about them by solely automated means if the safeguards in Article 22 are not retained. In the health and care context, any removal of the ability to contest or ask for human intervention in relation to a decision could significantly affect the quality of care.

"As elements of healthcare become more efficiently managed through AI, the importance of the human nature of the relationship through which care is provided must not be lost."

Dr Byrne also said that government proposals – such as amendments to research provisions, rules on automated decision making, and changes to data subject rights – would represent a significant departure from EU data protection law.

The opinion gives weight to the view that changes to data protection law risk the EU's "adequacy" decision, which allows continued data sharing between the trading bloc and the UK.

The UK's previous digital secretary, Oliver Dowden, said the UK would continue to align with the GDPR and that Britain would set a "gold standard" in data regulation, "but do so in a way that is as light touch as possible."

• CIOs across Europe add their VOICE to chorus of calls to regulate cloud gatekeepers
• Belgium watchdog reckons online advertisers should be data controllers under GDPR
• UK data spillers fined, but enforcement slows: £5m in ICO penalties not yet paid
• Data transfers between the EU and the US: Still unclear on what you're supposed to do? Here's an explainer

Lawyers have pointed out that there is no specific end date to the adequacy decision and the EU could choose to review it at any time.

Other opinions slammed the whole consultation process. A blog from legal training firm Amberhawk said the consultation provided no evidence for most of the legislative changes it claims were needed.

It pointed out the consultation asks respondents to answer the same question many times. "Roughly speaking, this question goes: 'We know that controllers find the following data protection elements a right pain in the arse; please explain your answer, and provide supporting evidence where possible'.

"The consultation is largely drafted from a position where the controller becomes entitled to process the data subject's personal data without consideration of how the data subject's wishes or interests are protected."

Meanwhile, the UK's outgoing Information Commissioner has said there were reasons to be concerned about proposed changes to data regulations in the UK.

"Despite... broad support for the proposals to reform the ICO's constitution, there are some important specific proposals where I have strong concerns because of their risk to regulatory independence," Elizabeth Denham said in a statement in July.

DCMS is examining feedback on its consultation, which closed on 19 November. ®