Last week, the Prime Ministerial Taskforce on Innovation, Growth, and Regulatory Reform (known more catchily as TIGRR) published a 130-page report setting out a “new regulatory framework” for the UK. It offers a possible glimpse of the future of data regulation.
The report is ambitious in scope, covering space and satellites, nutraceuticals, clinical trials and Fintech, energy, transport, agriculture, and the environment. Its authors (a triumvirate of MPs led by Sir Iain Duncan Smith) argue for a fresh approach in light of the UK’s “new-found regulatory freedom” having left the EU.
Many of the recommendations will be uncontroversial. The suggestion that regulation should be “simple” and “adaptable”, for instance, is unlikely to send anyone to the barricades.
The main theme of the report is that the regulatory state should not merely protect us from harm, but foster innovation, either by stimulating economic activity or “getting out of the way”. Though the report disavows a “simplistic ‘bonfire of red tape’”, its approach can fairly be characterised as deregulatory. The authors worry that the UK economy could be growing more vigorously – and that the law is holding it back.
What does the report have to say about the regulation of data?
Well, it is critical of the present regime: too prescriptive, too inflexible, too burdensome, too many “onerous compliance requirements”, particularly for smaller companies. But the report gets into a muddle when it tries to imagine a post-GDPR future.
The big idea is a new “UK Framework of Citizen Data Rights”. But the scheme is painted only in broad strokes: “give people greater control of their data while allowing it to flow more freely and drive growth across healthcare, public services and the digital economy”. There’s not a great deal to go on here. It is unclear, for instance, how data would both “flow more freely” while also being subject to “greater control” by individuals.
Likewise, one section stresses the need for “greater emphasis…on the legitimacy of data processing” rather than “a legalistic version of consent”. Fine. But what about the concurrent desire to give individuals “more control over their use of their data”? Is consent the problem or the solution? And if substantive legitimacy ought to be the test, it is puzzling that the report attacks Article 5 GDPR for holding back the development of machine-learning systems.
The report also calls for Article 22 GDPR (on automated profiling) to be scrapped on the grounds that it is “burdensome, costly, and impractical”. It would be replaced with a “legitimate or public interest” test and ICO Guidance such that “proper consideration to the interests of the data owner had to be given in all instances of automated decision-making”. Though no one would argue that Article 22 is perfect, this proposal rather overlooks the mischief it addresses – a deficit in accountability – and would arguably exacerbate it by removing the machinery of oversight.
Lawyers reading the report will have questions about the legal basis of a future Framework. Reform of the present regime would need legislative intervention, but the report argues for an “approach to data based more in common law”. Should parliament set the direction of digital reform, or the courts?
Overall, the report does not make it easy to advise clients on the future of data regulation. The only consistent theme is a desire to emphasize the positives of data and worry less about the negatives. This is consonant with the recent announcement of the Secretary of State for DCMS as he launched the competition for the new information commissioner:
“…I want to set a bold new approach that capitalises on all we’ve learnt during the pandemic, which forced us to share data quickly, efficiently and responsibly for the public good. It is one that no longer sees data as a threat, but as the great opportunity of our time.”
The TIGRR report feels like a missed opportunity. Many of the knotty challenges of data regulation – striking a balance between individual and social needs, between commerce and privacy, between innovation and public protection – have not been carefully considered. Perhaps it needed more time: the foreword notes that it was produced to “a very tight deadline”.
It is possible that the TIGRR report could precipitate a move toward deregulation across the board. Equally, with the EU Commission due to issue its adequacy decision on the UK’s data regime any day now, it is possible that the proposals will be quietly filed away and forgotten. We will have to wait and see.
Jamie Susskind
@jamiesusskind