Reforms in UK Data Protection Law: Potential Impacts on Individuals’ Rights Protection and AI Transparency

by | Apr 23, 2024

author profile picture

About Jinghe Fan

Jinghe Fan is a DPhil in Law candidate at the University of Oxford. Her research focuses on the intersection of law and digital technologies.

The Data Protection and Digital Information Bill (DPDI Bill) was re-introduced into the UK Parliament in March 2023 and is currently being debated at the Committee stage in the House of Lords. Since Brexit, the UK can unilaterally decide to reform its legal framework on personal data regulation so that data power can be further unlocked. This objective is also tightly related to the pro-innovation approach aimed at spurring AI development in the UK. The DPDI Bill seeks to provide organisations with greater flexibility and stability in data processing while maintaining high standards of data protection. Nevertheless, there is considerable debate whether proposed changes in the DPDI Bill may dilute essential rights to data protection for individuals and undermine transparency in data processing related to AI.

The right of access to personal data plays a significant role in ameliorating information asymmetry between tech giants and individuals. Despite enabling the public to challenge misuses of digital technologies based on personal data, the DPDI Bill intends to reduce burdens on organisations for utilising data.

The DPDI Bill seeks to amend the threshold for refusing data access requests from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’ (see Clause 9). In explaining the meaning of ‘vexatious or excessive’, the DPDI Bill follows the multi-factor analysis adopted by the guidance from the Information Commissioner’s Office (ICO), which was formulated before the release of the DPDI Bill. According to ICO guidance, ‘manifestly’ means that there must be an obvious or clear indication of unfoundedness and excessiveness, such as repetitions of previous requests during short intervals, or targeting a particular individual with a personal grudge, etc. It is not sufficient for data controllers to refuse access requests only with presumptions of unfoundedness or excessiveness. However, it is unknown how the removal of ‘manifestly’ from the text may affect the probability of refusing requests of personal data. As some have argued, the proposed change in the DPDI Bill may pose more difficulties to data subjects when they request data from controllers whom they are litigating against (e.g., in the context of employment).

The potential lowering of the bar for refusing data access requests may also influence the right to obtain information related to solely automated decision-making. The DPDI Bill intends to replace the current UK GDPR Article 22 and lift the general prohibition of solely automated decisions (i.e., those made without meaningful human involvement) based on personal data, unless they pertain to special categories of personal data (see Clause 14). The DPDI Bill provides data subjects with certain safeguards against solely automated decisions which may have legal or similarly significant effects on them, including the right to obtain information about decisions related to the data subject. However, this right may also be subject to exemptions for ‘vexatious and excessive’ requests.

Meanwhile, the Bill plans to exempt data controllers from their obligations to inform data subjects before collected personal data is ‘further’ processed for the purposes of scientific or historical research, archiving or statistics when disproportionate effort is needed (see Clause 11). The purpose of scientific research could be construed in a broad manner (see Recital 159 GDPR), which may include the development of AI conducted by both public and private parties. Research of AI conducted in commercial settings also falls within this purpose. However, the boundaries between AI research and the commercial development/deployment of AI are often blurred. Improvements to existing programming language, system, or applications may be considered as research as long as they contribute to ‘an increase in the stock of knowledge’. Additionally, the number of data subjects is proposed by the Bill to be taken into consideration when assessing ‘disproportionate effort’. This would indicate that the exemption from informing data subjects about further processing is more likely to be used as AI research and development is frequently conducted based on large-scale datasets which are initially collected for varying purposes.

The DPDI Bill remains amidst debate within the UK Parliament. All uncertainties above await careful consideration drawing from different perspectives. As discussions continue, it is crucial to recognise that the reform of personal data protection law should aim at enhancing transparency instead of casting shadows on it. More concrete rules on protection of personal data could significantly contribute to, rather than undermine, the responsible innovation of AI.

Share this:

Related Content


Submit a Comment