On 10 September 2021 the UK government launched its consultation, ‘Data: a new direction’, writes Dr Nigel Houlden. This consultation was to gather opinion about government proposals to change UK law relating to the General Data Protection Regulation. We all know this better as the UK GDPR.
It’s important to understand that the UK government has already created a pure UK version of data protection, called the Data Protection Act 2018 (DPA18), so when they announce a data protection consultation on this topic to make changes to something that was passed into law less than five years ago, it begs the question, why?
One of the of the main talking points that has come from the government’s data protection consultation response is the proposal to remove the opt-in controls around cookies. In many respects the debate around this is justified: a cookie is a piece of code that, if allowed, can track your web browsing, storing information around what you do online. This should come up in the form of a cookie banner, asking what cookies you consent to – and apart from the necessary ones that make the website work – you have a choice. This seems very sensible.
What the government sought in ‘Data: a new direction’, were views on whether prior consent should be removed for all cookies. In the response, the vast majority disagreed with removing the consent requirement for all types of cookies, particularly more intrusive varieties which collect personal data for the purposes of real-time bidding and the micro-targeting of advertisements. However, and here’s the kicker, the government intends to (after consideration of responses) legislate to remove the need for websites to display cookie banners to UK residents and in the future move to an opt-out model.
But, what’s the point of asking a question if you’re going to ignore the answer? If we’re going to move to opt-out systems, why not stay with an opt-in system? Either way you’re still going to need a cookie banner of some sort, surely?
This, however, isn’t the ‘darkest’ part of this consultation; it is just the one that has had most coverage. There is something I find far more troubling, in the five sections, just shy of a 30,000-word response to the consultation, in section 4.3 (relating to questions 4.3.1 and 4.3.2) and this is verbatim from the response:
‘The consultation identified the under-reliance on the public task lawful ground (Article 6(1)(e) of the UK GDPR) as an area that would benefit from clarification, in particular when a non-public body is processing personal data in order to help a public body to deliver a public task or function. This might arise, for example, where a private body or a charity is asked by a public body to help it by providing information so that it can investigate a crime or deliver essential services to vulnerable people in a public health crisis.’
Again, maybe it’s me, but altering our privacy laws so that personal data can be passed to a private body so it can deliver essential services sounds very much like privatisation of health and social care.
After all, what defines a ‘public health crisis’? Would 6,482,063 people currently waiting across all health specialities constitute a public health crisis?
We should all be wary of these proposed changes to our privacy rights; the GDPR wasn’t created for organisations, it was created for people: it is citizens’ rights, it is our rights. It is there to prevent companies from misusing our data, it prevents companies from being cavalier with our data and it ending up being used by criminal organisations.