Convenience Is Not The End-Goal Of Privacy Legislation—In The UK Or Anywhere

Introduction

On June 17, the UK government announced its next steps following a consultation on the provisions of the upcoming Data Reform Bill. In short, the post-Brexit UK government is planning to modify data privacy rules to remove current requirements inherited from the EU’s General Data Protection Regulation (GDPR). The changes to UK law would, as its proponents claim in the press release and throughout the full response, greatly stimulate innovation while rooting out inconvenience.

I want to examine several of the proposed reforms through the lens of convenience and see how they miss the forest for the trees. Then, I’ll look at the broader connections between business, convenience, and meaningful privacy protections that benefit us all. Privacy should not be inconvenient, but convenience is no excuse for lower privacy standards when we collectively have the tools to do better by consumers without putting undue burdens on businesses.

Summary of Reforms Proposed

For Individuals: Fewer Pop-ups, Stricter Penalties for Nuisance Calls

I notice the coverage of UK data reforms focuses on the proposed removal of dreaded cookie consent banners. These windows are a means to request and document individuals’ consent preferences when it comes to various forms of website tracking. Instead of implementing a GDPR-style request for affirmative consent, cookies for non-intrusive purposes will be set without consent—but users will be given clear instructions on how to control their consent signals within the browser. In the longer term, there would be an established opt-out model of consent, where consent is assumed unless the user actively configures their settings otherwise.

I have yet to meet someone who loves cookie banners, so I can see how this move might seem like an improvement to users’ experience. Consent fatigue is real, and an overwhelming set of privacy controls does not provide control in a meaningful way. At the same time, presuming users’ consent does not address unscrupulous practices of tracking and targeting. These practices raise privacy risks that are granted legal coverage—or are at least nominally compliant—because they occur under supposed consent.

If there is a secondary topic pulled into the headlines alongside “no more cookie pop-ups,” it is nuisance calls. The reforms include a significantly higher ceiling for penalties issued for “unsolicited direct marketing communications,” or nuisance calls. While the current rules enable fines of up to £250,000, the government proposes an increase to £17.5 million or 4% of a business’s global revenue, whichever is greater.

Again, I have yet to meet someone who loves nuisance calls. This proposal met with strong support from the government’s thousands of consultation respondents. I do wonder if the proposal on nuisance calls should really be a PR focal point for data privacy legislation in 2022, when our defining privacy problems seem orders of magnitude more complex: algorithmic bias, re-/de-identification, semantic policy enforcement. Nuisance calls are a significant issue. I think the international privacy community can reach for higher-hanging fruit. It’s alarming that this constitutes a core point of the public messaging around these proposed privacy reforms.

For Organizations: Removing Rules for Privacy Personnel and Documentation

The government plans to remove a trio of requirements inherited from GDPR: appointing data protection officers (DPOs), conducting Privacy Impact Assessments (PIAs), and maintaining Records of Processing Activities (RoPAs). Amidst the acronyms, the common thread is the ostensible burden that these requirements place on businesses. All of this, despite the majority of the nearly 3,000 respondents disagreeing with the government’s plans to remove each of these requirements (see: responses to questions 2.24-2.2.8, 2.2.11, 2.2.16).

First, the reforms would not require businesses to appoint a DPO, an individual who manages the compliance and operations of the privacy program. Instead, the government plans to require that a “senior responsible individual” oversee the privacy program, in a sparsely defined capacity that can be adapted to organizations’ particular governance structures. I would like to raise this note from the consultation response:

“Respondents mainly cited concerns that removal of the data protection officer requirement would result in a loss of data protection expertise and that the lack of independence could lead to a potential fall in trust and reassurance to data subjects.”

Trimming administrative bloat is one thing; reducing privacy expertise when the landscape will only get more complex and high-stakes is something far different.

Privacy Impact Assessments and Data Maps

The reforms would also remove requirements for PIAs, saying that they can be redundant. In place of PIAs, the government would require a more flexible approach. A very similar rationale and proposal accompany the stated intention to lift requirements on RoPAs.

At Ethyca, we work with dozens of companies in creating and maintaining dynamic inventories of personal data to meet RoPA requirements, and I can say from experience that these exercises are demanding but necessary to meet global privacy requirements. Put bluntly, if there is not an agreed-upon standard for a company to know what PII it holds, and where the PII lives at any given time, it is difficult to argue that the company is positioned to respect privacy on an ongoing basis. I’m particularly concerned about the ramifications for international data flows. Without PIAs and RoPAs that match EU standards, UK adequacy with the EU might be in jeopardy. And the estimated cost of losing the adequacy agreement exceeds the projected savings brought by all these reforms.

Privacy Beyond Convenience

Let’s return to the reforms’ focus on inconvenience. To be clear, I do not think that privacy should be inconvenient; meaningful protections for personal data should be empowering to individuals, and should be viable for businesses to implement at scale. Yet these reforms seem to set convenience as the goal, rather than effective consumer protection. This focus on convenience is superficial, distracting from the deeper benefits yielded by true respect for user PII.

To frame privacy in terms of convenience is to stack the deck against ourselves before the game has even begun. Ease-of-use and clarity should be characteristics of systems for end-users and businesses alike, but convenience for businesses should not be the ultimate goal in itself. It should support the broader outcomes of privacy.

On the topic of outcomes, the UK government references “privacy outcomes” numerous times throughout their comments, as in:

“The UK’s data protection regime will be future-proofed, by enabling organisations to focus on investing time and effort in delivering what matters – important privacy outcomes – rather than ticking boxes. This will enable our laws to keep pace with changes to the technological landscape without disrupting regulatory certainty.”

I agree that future-proofing is important to ensuring our systems support privacy in the longer term, and that empty box-ticking is not what effective privacy looks like. But after reading the consultation response, I still am unsure what their intended “privacy outcomes” are. Those outcomes should be explicit, and they should go beyond convenience for businesses.

Yes, limiting nuisance calls is important. But so are building privacy expertise, inventorying personal data, assessing privacy risk, and supporting reliable international data flows that depend on the previous three activities’ robustness. There are plenty of compelling business-specific and society-wide arguments in favor of ‘doing the work’ on privacy, and the UK reforms repeatedly mention the need to cultivate innovation rather than stifle it. I am concerned that the focus on convenience in these reforms will ultimately hamper innovation by relaxing the requirements that undergird international data agreements and meaningful data innovation, and by just plainly confusing UK consumers.

Conclusion

I appreciate this clear-eyed section of the consultation, regarding privacy-enhancing technologies (PETs):

“The government also noted that some respondents advised caution about overpromising on what PETs can achieve. They suggested PETs could be promoted as part of a holistic privacy management programme, but should not be seen as a substitute for wider organisational measures that can help reduce privacy risks. The government will continue to engage with the ICO to ensure the adoption of PETs is encouraged as part of organisations’ approach to privacy management.”

PETs are no replacement for companies’ human commitments to respecting data and upholding privacy requirements. It is ironic, then, that the reforms seem to loosen the standards for businesses precisely when, from my standpoint, PETs are enabling us to achieve the requirements that the UK government says are too burdensome.

Nevertheless, a diligent community across industry and academia is advancing PETs to augment—not replace—human expertise in data privacy, so that higher-order privacy needs like impact assessments can be fulfilled efficiently and effectively. When companies meet these higher-order privacy needs, they tend to also reduce the lower-order inconveniences to end-users.

Convenience for businesses should not come at the expense of meaningful protections for individuals whose privacy is at stake, particularly when that convenience is used to justify relaxed business procedures that don’t need to be inconvenient. If we focus on convenience for businesses when framing privacy requirements, the convenience to users will be short-lived. We should focus on consumer protection, develop means to achieve those outcomes, and design systems that are low-friction for the different stakeholders—and in that order, not the reverse.