The United Kingdom is at a crossroads. On the verge of Brexit, it has to decide where it stands in relation to privacy: will it loosen data protection regulation, moving more towards China’s model, or will it guarantee its citizens’ right to privacy, moving more towards a Californian approach and securing a data adequacy agreement with the EU? It would be a mistake to choose the former.
Last month, the UK published its national data strategy. Oliver Dowden, the digital secretary, wrote that under the UK’s strategy, “Data and data use are seen as opportunities to be embraced, rather than threats against which to be guarded.” No one doubts there are welcome opportunities in data, but to overly focus on the potential benefits of data and neglect the threats that the collection and use of personal data entail would be unwise.
One might reasonably start to worry about the UK opting for too insecure an approach when the strategy refers to tackling barriers to data, which, it states, range from “legal barriers (real and perceived) through to cultural blockers and risk aversion”. The worry might magnify in light of No 10 chief adviser Dominic Cummings’ views on data. Not only did he support the vast collection of personal data for the purposes of the Vote Leave campaign; he has also described the EU’s general data protection regulation (GDPR) as “horrific” and “idiotic”.
Countries with poor data protection laws typically fall into two categories: underdeveloped or authoritarian. Given its hard-won reputation of being on the side of progress and anti-authoritarianism, it would be unfortunate if the UK was associated with either of those. But there is a third possibility when it comes to bad data practices that is just as unpalatable. The UK could develop into a data haven, in the way some countries are tax havens.
A data haven would be a country involved in “data washing”, being willing to host data acquired in unlawful ways (eg without proper consent or safeguards) that is then recycled into apparently respectable products. Data washing would be something a host country would do for those engaging in “ethics dumping”, a term used to describe the malpractice of exporting unethical research activities to countries with poor regulation. Data hosted in data havens, in addition to being used for seemingly acceptable products, could also be used for illegitimate or questionable purposes (eg training spyware, such as facial recognition algorithms, which then gets sold to the highest bidder, including authoritarian regimes). Data washing would involve the UK allowing companies and governments the world over to do their dirty data work under its protection in exchange for money. Allowing the UK to develop into a data haven could turn into a privacy catastrophe with huge financial and reputational damage to Britain.
The future is heading towards more privacy, not less. Europe and California are on the right side of history regarding this. The United States is discussing privacy bills and will likely soon develop more stringent federal privacy laws. After many years of unhinged optimism in Silicon Valley and the data economy, we are realising that trading in personal data is much more dangerous than we could ever have imagined. Personal data is poisoning individuals, by exposing us to data harms such as public humiliation, identity theft and discrimination. It is also poisoning societies by undermining equality, autonomy and democracy.
We are not being treated as equal citizens when we are treated on the basis of what our personal data says about us. Privacy is what can blindfold the system to ensure we are treated impartially. Through personalised content and ads, and the trade in personal data, loose privacy laws are enabling algorithms to predict and influence our behaviour, and to make crucial decisions about our life with little if any oversight or accountability. There are good reasons why we have spent centuries developing privacy norms and laws; these are not “unnecessary” barriers. The erosion of privacy in the past two decades has created profound asymmetries of power that are tugging at the seams of our societies.
If the UK doesn’t take privacy seriously, it will fall behind the rest of the developed world, much like it did with its first disastrous try at a contact-tracing app that was not protective enough of privacy. Contrary to what the national data strategy might seem to suggest, being pro-privacy is being pro-tech, because there is no future in tech that is privacy unsafe. Technology that does not respect privacy will only lead to a loss of trust and collaboration on the part both of citizens and international partners. Furthermore, we don’t have to choose between privacy and cutting-edge tech. There are ways to develop AI and other tech that are privacy-friendly.
The national data strategy sets out to position the UK “as a global champion of data use”, as well as “the safest place in the world to go online”. For those two desirable objectives to be compatible, privacy must be protected. Public data should indeed be shared more easily and widely – but not personal data. The UK has everything going for it to become a world leader in data ethics and ethical AI. Let’s hope it seizes the opportunity to walk towards that goal and not away from it. The UK government didn’t listen to privacy experts when they warned that the design of the first contact-tracing app was a bad idea. Will it take privacy seriously going forward?
• Carissa Véliz is associate professor in philosophy at the Institute for Ethics in AI, a fellow at Hertford College, University of Oxford, and the author of Privacy Is Power (Bantam Press, 2020)