UK's proposed alt.GDPR will turn Britain into a 'test lab' for data harvesting
EU citizens' info could be at risk over new rules
The UK is expected to adopt a new data protection bill this Autumn. If that happens, more than two dozen civil society groups and privacy experts want the European Commission to cancel its 2021 data sharing agreement with the UK.
The Data Protection and Digital Information (DPDI) Bill, proposed last year then amended and re-introduced to Parliament on March 8 is billed by the UK government as a local version of the EU's General Data Protection Regulation, but which applies more common sense and requires less paperwork.
The draft legislation, according to 28 civil society organizations, would turn the UK into a "leaky valve" that would undermine the data protection rights of European citizens.
- Meta's data-hungry Threads skips over EU but lands in Britain
- UK's GDPR replacement could wipe out oversight of live facial recognition
- UK government set to extract hospital data to Palantir system without patient consent
- Brexit dividend? 'Newly independent' UK will be world's 'data hub', claims digital minister
"If passed, the Bill would mean a wholesale deregulation of the UK data protection framework, allowing private companies to seek shelter in the UK to circumvent European data protection standards, and turning the UK into a 'test lab' for experimental and abusive uses of data," the groups said in an open letter to European lawmakers published Tuesday.
In a statement, Mariano delli Santi, legal and policy officer for Open Rights Group, said the DPDI, if adopted, will damage privacy protections for UK citizens and Europeans and risks jeopardizing the 2021 adequacy decision that allows personal data to flow between the EU and UK.
The adequacy decision is based on the UK offering data protection that's more or less equivalent to the EU's GDPR. The groups, including Amnesty International, Open Rights Group, Privacy International, and many others, contend that DPDI will be significantly less protective.
The DPDI, they claim, would give the UK government new powers [PDF] to override data protection principles by changing the law – with perfunctory scrutiny – after it becomes an Act of Parliament, through a legislative provision known as a Henry VIII clause [PDF].
US vendor accused of violating GDPR by reputation-scoring EU citizensREAD MORE
It would authorize the UK government to issue political directions to the UK data protection body, the Information Commissioner’s Office, the groups say. And it would enable the sharing of European personal data to other countries with reduced protections.
The UK, the groups observe, has already applied to join the US-backed Cross-Border Privacy Rules Declaration, which allows international data transfers under the arguably weak Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
"The Commission must urgently take stock of these changes, which directly contradict key elements of data protection adequacy as defined in article 45(2) of Regulation (EU) 2016/679, and provide European citizens with assurance that it would repeal the adequacy decision if these proposals were to become law," the groups said. ®