A UK-based digital rights organization has argued that a post-Brexit measure that favors large corporations and "shady" technology businesses threatens people's ability to own and access their own data.
SARs and Automated Decision-Making Changes
Changes to the laws around automated decision-making and subject access requests (SARs), in which an individual may obtain a copy of the personal information held about them by a company, are included in the Data Protection and Digital Information.
According to The Guardians, politicians' use of SARs has garnered media attention recently, such as Nigel Farage's in his battle with Coutts and the Green MP Caroline Lucas' in discovering that a government disinformation unit had flagged her. The EU's general data protection regulations (GDPR) of 2018 are often credited for driving a surge in demand for them. Under the new rules, businesses may only refuse a request or levy a fee if it was "manifestly unfounded or excessive."
The policy manager for data protection at Open Rights Group (ORG), Abigail Burke, has said that the bill's modification of that criteria to "vexatious or excessive" will lower the bar for refusals, resulting in a substantial rise.
Also Read: India Resurrects Data Privacy Bill After Year-Long Hiatus
Can People Really Exercise Their Data Rights?
She said SARs are essential for regular employees or anyone who want to see how companies are using their data since there is already a significant power imbalance between giant firms and the government and citizens.
"You can't really exercise your data rights if you don't even know what data is being held and how it's being used, so the changes are very concerning to us. Subject access requests to the police and other national security bodies have been really important for allowing people to understand how their data is being shared."
Burke continued by saying the law also made it far more difficult to oppose or comprehend the use of artificial intelligence (AI) and other forms of automated decision-making while also greatly expanding the contexts in which they were authorized. Moreover, the Information Commissioner's Office has been given additional authority, and the collection and reuse of data have had more restrictions imposed on them without the approval of parliament.
She also pointed out that a new set of "extremely vague" exemptions has been established to reuse data obtained for mundane things like housing or social assistance for national security and crime prevention purposes, allowing for more monitoring.
Burke believes it greatly weakens people's control over and access to their own data, making it impossible to grasp when and how automated decision-making is being utilized to make key judgments about one's own life.
The government, meanwhile, does not anticipate a major uptick in rejected SARs. A representative for the bill claimed ORG's assertions were deceptive and, in some instances, factually false and that the law would bring more transparency about how businesses treat customers' private information.