Problematic data protection practices

Commenting on the DUAB proposals – which “would represent a systematic weakening of privacy and data protection safeguards” – the civil society groups noted the bill will diminish the right not to be subject to automated decision-making; delegate “extensive” legislative power to UK ministers that would allow them to circumvent Parliamentary scrutiny when making decisions around the legality of data processing or transfers; and otherwise grant government and law enforcement agencies “expansive access” to personal data.

They added that the DUAB would also allow organisations to transfer data to jurisdictions with clearly lower data protection standards, potentially turning the UK into a “data laundering hub”.

The groups also highlighted further legislative initiatives with negative data protection implications outside of the DUAB. This includes the forthcoming Border Security, Asylum and Immigration Bill, which they argue is “incompatible with the fundamental principles” of the GDPR and LED because it would subject the data of European citizens to UK intelligence services and counter-terrorism legislation.

They also noted how the upcoming Fraud Bill would place millions of benefit claimant’s bank accounts under constant algorithmic surveillance, with banks being compelled to disclose people’s sensitive financial information at the “speculative discretion” of ministers. They said such bank account monitoring can happen regardless of whether an individual is based in the UK.

However, the concerns shared were not limited to upcoming legislative proposals, and include issues around current data protection practices. Regarding the independence of the Information Commissioner’s Office (ICO), for example, the groups highlighted its reticence to take regulatory actions that carry the full force of law.

“In 2024, the ICO published statistics which revealed that they had only taken regulatory action on one complaint out of the 25,582 which they had received, favouring actions that lack the force of law when they did respond,” they wrote.

“We are concerned that the ICO’s overreliance on [these] actions … is a symptom of the political pressure the ICO is receiving to not obstruct innovation or growth for UK businesses at the expense of UK data subjects’ effective right of redress.”

They also highlighted the data regulator’s decision not to formally investigate clear data protection concerns around UK policing’s use of hyperscale public cloud infrastructure, after Computer Weekly revealed in June 2024 that Microsoft could not guarantee the sovereignty of policing data hosted on its Azure platform.

They noted that despite calls from the Scottish Biometrics Commissioner to investigate the problems identified by Computer Weekly, “the ICO refused to intervene … citing concerns that ruling on the legality of the police cloud infrastructure would frustrate the operation of the UK-US Cloud Act Agreement”.

While Computer Weekly’s previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with the UK’s law enforcement-specific data rules, the government’s DUAB changes to police processing are seeking to solve the issues identified by simply removing the requirements that are already not being complied with.

Other serious concerns raised by the civil society groups include the growing use of live facial-recognition (LFR) technology by police, which is progressing “without effective oversight, transparency or mechanism to assess necessity and proportionality”, and the use of secretive Technical Capability Notices (TCNs) to compel service providers to remove encryption at the government’s behest, as the Home Office recently did with Apple.

“Adequacy isn’t a courtesy, it’s a legal guarantee that people’s fundamental rights are protected when their data is sent abroad,” said Itxaso Domínguez de Olazábal, a policy adviser at EDRi.

“The UK is systematically rolling back those protections, and in doing so, it is putting at risk not just EU people’s data, but the principle of rights-based governance itself. If the Commission extends adequacy despite clear divergence, it sends a troubling signal: that data protection is negotiable when trade or geopolitics are at stake.”

Commenting on the letter, Mariano delli Santi, a policy officer at the Open Rights Group, described the DUAB as “the latest in a series of attacks on data protection and privacy in the UK”.

He added: “Successive governments are not only harming the British public with these attacks, but are undermining our relationship with the EU. Losing our adequacy status at a time when the UK is trying to improve its economic outlook would be a costly self-inflicted wound that must be avoided at all costs.”

Computer Weekly contacted the Department for Science, Innovation and Technology (DSIT) about the letter, but received no response by time of publication. Both the department and ministers have previously and repeatedly said the DUAB has been crafted with data adequacy in mind.

Computer Weekly also contacted the EC, but similarly received no response by time of publication.