UK Data Bill Undermines Rights Over Personal Data

Posted on 25th August 2023

The UK data protection and digital information bill has had its wording changed under a post-Brexit bill, undermining individuals’ control over and access to their data while favouring big business and “shady” technology companies, a digital rights group claimed.

The changes to the bill include updates regarding the rules on subject access request (SARs), which are designed to allow an individual to ask an organisation for copies of personal information that it holds about them, however, the change is suggested to weaken control over person data.

The use of SARs is said to have soared in recent years because of the 2018 EU GDPR which meant organisations could reject a request or charge a fee only if it was “manifestly unfounded or excessive”, now being changed to “vexatious or excessive”, which is believed to lower the threshold for refusals, leading to a significant increase.

The news follows the recently announced EU-US Data Privacy Framework which aims to ease European concerns over any personal information that is shared with US intelligence, designed to ensure control over personal data.

Sridhar Iyengar, Managing Director of Zoho Europe, commented:
“The role of data within businesses is becoming increasingly important. However, safe and ethical data practices must be developed for it to be used successfully, and this means including open and transparent data policies. Data acts as a central business tool across many sectors and is a valuable and lucrative resource that can help to inform strategic decision making, from forecasting, to addressing operational inefficiencies to customer preferences, and more.”

“While it offers huge benefits, concerns exist around the exploitation of personal data, meaning businesses should ensure that individuals have control and insight into how their data is being collected, what data is being held on them and how it is being used. SARs offer the public the opportunity to ask an organisation what data it holds on them. However, businesses should develop their own data policies to reflect the wants and needs of their customers, to ensure transparency around what data is collected, ensuring it is ethical, as well as compliant.”

Abigail Burke, the policy manager for data protection at Open Rights Group (ORG), commented: “There’s already a huge power imbalance between large corporations and the government, and individuals, so when everyday workers or other people are trying to get an understanding of how companies or their employer are using their data, subject access requests are critical,” she said.

“You can’t really exercise your data rights if you don’t even know what data is being held and how it’s being used, so the changes are very concerning to us. Subject access requests to the police and other national security bodies have been really important for allowing people to understand how their data is being shared.”