British Lawmakers Concerned About Potential Loss of EU Adequacy Status

On Tuesday, British lawmakers expressed apprehension regarding proposed legislation aimed at reforming data use and access in the United Kingdom. Their primary concern is that the changes could jeopardize the U.K.’s ability to share data with the European Union, a critical component of international data regulation. Additionally, there are cautions against potential risks posed by artificial intelligence related to this bill.

The legislation, introduced by the U.K. government last month, seeks to amend the current data regulatory framework, which closely mirrors the European Union’s General Data Protection Regulation (GDPR). This regulatory alignment was established prior to the U.K.’s exit from the EU.

The Labour government contends that its proposed modifications could inject £10 billion into the economy and free up significant hours for police and National Health Service personnel by addressing inefficiencies within the existing U.K. GDPR. The preceding Conservative administration had suggested more extensive reforms, which raised fears of the EU potentially restricting data transfers vital for commercial activities and law enforcement (see: UK Parliament Receives Reassurances on GDPR Adequacy).

In 2021, the EU recognized the U.K.’s data protection laws as ‘adequate’, a designation that will lapse next June unless precautionary measures are taken. The U.K. stands among 15 countries that can legally process European data without additional contractual agreements and is one of three nations whose law enforcement can efficiently use personal data in criminal inquiries, which accentuates the importance of maintaining this status (see: Retaining EU Adequacy is Vital for the U.K. Economy: Lawmaker).

During a recent session of the House of Lords, lawmakers raised alarms that potential modifications to the U.K. GDPR could infringe on the existing EU adequacy decision. The proposed bill introduces a new legal basis called “recognized legitimate interest,” permitting data controllers to bypass certain administrative assessments when processing data for purposes like national security or protecting vulnerable individuals. This provision could lead to ambiguity about legitimate interests, causing further concerns among lawmakers.

Moreover, the bill empowers the Secretary of State to facilitate transfers of personal data to third countries or international organizations. Richard Gilbey, an independent hereditary peer, articulated his unease regarding the possibility that the Secretary may alter established definitions of ‘legitimate interests’, which could trigger an adverse reaction from the EU regarding data adequacy standards.

John Bassam, a Labour life peer, requested assurances from the U.K. government that the bill will not compromise the U.K.’s standing during the forthcoming 2025 assessment of data adequacy. In May, the U.K. government estimated that data-driven trade with European nations reached £161 billion in 2022, showcasing the economic stakes involved.

John Edwards, the U.K. Information Commissioner, offered a preliminary evaluation stating that the new data use bill appears to strike a “positive balance” and does not pose a risk to the U.K.’s adequacy status. However, the ongoing discourse underlines the critical nature of the proposed changes as they relate to future commercial and data protection relations with the EU.

Potential Risks Associated with AI Decisions

In addition to the concerns regarding data sharing, lawmakers expressed trepidation over provisions in the bill that enable automated decision-making. There is apprehension that these changes may lead to increased instances of biased AI outcomes due to diminished oversight.

The bill seeks to remove previous requirements for obtaining consent from individuals when their data is processed through automated means. Given the accelerated integration of AI technologies in the private sector, critics, including Liberal Democrat life peer Timothy Clement-Jones, caution that such a shift could yield biased and discriminatory practices in data usage, thus necessitating robust safeguards and regulatory measures to ensure fairness.