The EU General Data Protection Regulation (GDPR) is one of the most important pieces of human rights and consumer protection legislation of the 21st century. It extends the rights we have as citizens and overhauls a framework developed in the 1990s that governs the way states and corporations can collect and use information about us. The GDPR also allows the free movement of personal data across the EU, and the government’s decision to seek to implement the measure in full, regardless of the Brexit negotiations, is a mark of its importance.
However, the bill transposing the GDPR into UK law is complex and labyrinthine. As the GDPR must be applied by May next year, the government has set a tight legislative timetable for its passage, and the bill has already had its second reading in the Lords.
Yet to be raised is the significance of the exemptions set out in Schedule 2 to the Bill, which, as drafted, would potentially remove entire industries dedicated to vetting, profiling and blacklisting private individuals from the reach of the law. Whether intentional or not, the language it contains means that private companies that vet people on behalf of banks, employers and landlords could claim exemption.
The scope of the exemptions is striking, but one particular and apparently deliberate application stands out: vetting in the financial sector. Under UK and EU law, anyone trying to open a bank account, send money overseas or enter into various financial transactions must undergo an increasingly extensive risk assessment in accordance with anti-money laundering and counterterrorism conventions. These checks are now frequently outsourced to private companies that have created vast databases containing the names and profiles of individuals and organisations who might pose such a risk. One of the market leaders is World-Check, a UK-based data broker owned by Thomson Reuters that has now amassed more than 3 million such records, and which is featured regularly on the pages of Vice.
Over the past few years, our work has highlighted both the lack of credibility in the data giving rise to some of these profiles and the adverse implications that being listed as a financial crime or terrorism ‘risk’ by companies like World-Check can have. Not only could you be refused financial services, you could be passed over for a job, or denied a visa, because employers and authorities also subscribe to these databases in large numbers.
We have represented dozens of individuals and organisations who suffered devastating consequences as a result of being falsely identified as posing a terrorism risk. We believe these cases represent the tip of the proverbial iceberg.
Under the exemption provisions in Schedule 2 of the current bill, World-Check and its numerous competitors would ostensibly be exempt from the core data protection provisions that apply to other data controllers. They would be under no obligation to inform you that they hold your data – or consider you a crime risk – and would be free to share it across the world. You would have no right to access your records, object to the processing, or seek any form of redress in the event that the data they hold is false, inaccurate or misleading.
Crucially, it is only through individuals exercising these rights under the existing UK data protection framework that legal accountability has begun to be possible. We are concerned that these fundamental rights may fall by the wayside, particularly on such a tight timeframe for legislative scrutiny.
Also included in the Schedule 2 exemptions are profiling related to the provision of banking, insurance, investment or other financial services; to the health, safety and welfare of persons at work; to the maintenance of effective immigration control; and to the protection of charities or community interest companies against misconduct or mismanagement.
This means that as long as they can claim a vague, undefined, ‘public interest’ justification, credit reference agencies, employment agencies, letting agents, companies that profile charities and their staff, and private companies involved in the enforcement of immigration control could all seek to rely on these exemptions in the future – where none exist at present. We are unlikely to know whether those public interest justifications are validly applied unless they are challenged. Yet without the right to know what data is being processed, will such a challenge even be possible?
What should concern us most is that those actors who the bill proposes to exempt do not simply act on a ‘case-by-case’ basis; instead they compile large, pre-emptive and often highly speculative databases that result in de facto blacklisting. The Consulting Association scandal, the Equifax hack and today’s news about World-Check profiling trade unionists and animal rights activists demonstrate why the proposed exemptions are of such concern.
Back in 2011, lobbyists employed by World-Check had pushed for the inclusion of similar provisions in the EU proposals for the GDPR. Their efforts received short shrift from EU legislators. Last week in the Lords we were told that:
“offerings such as World-Check [play] a key role in Europe and globally in helping many private sector firms and public authorities identify potential risks [and] will be needing a number of clarifications in the Bill so that it will be able to continue to provide its important services”.
We should not be fooled. The only clarifications we need are to Schedule 2, to ensure that the likes of World-Check have to respect the rule of law like everyone else.