UK government sets out ambitious proposal for reforming the UK data protection landscape.
On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out the government’s plans to reform the UK data protection regime.
These reforms are part of the UK’s National Data Strategy, which seeks to shift focus from prescriptive requirements to a risk-based approach, thereby making data protection less burdensome for businesses and enabling them to protect personal data in a proportionate and appropriate way. The DCMS has indicated, in comments at a recent conference, that the intention and direction of travel is to build on, improve, and clarify the approach that the UK will take with the UK GDPR in a way that benefits businesses whilst maintaining the same level of data protection for individuals.
This blog post scrutinises some of the Consultation’s key takeaways. For a full list of proposals that are being taken forward pursuant to the Consultation, see this response Annex.
Processing Personal Data
The UK government has accepted a range of proposals that clarify issues around processing data in a lawful, fair, and transparent manner. These include:
- Clarifying rules on further processing, such as whether a change in controllership constitutes further processing, and the limits to such processing if the lawful basis relied upon is consent.
- Creating a limited and exhaustive list of legitimate interests for which organisations can process personal data without applying the third limb of the legitimate interests assessment (LIA), i.e., the “balancing test”, such as installing security updates on a device, internal R&D and for business innovation aimed at improving customer services.
- In relation to use of artificial intelligence (AI) systems: (i) clarifying how the “fairness” principle would apply; (ii) introducing AI bias monitoring and correction as a legitimate basis for processing special categories of personal data under Schedule 1 of the UK Data Protection Act (DPA) 2018 Schedule 1; and (iii) amending legislation to clarify circumstances in which data subject rights in relation to automated decision-making and profiling will apply.
- Clarifying the test for data to be considered “anonymous” and outside the scope of data protection legislation; such test will be connected to the concept of identifiability being relative and based on the wording set out in the explanatory report to the Council of Europe’s Convention 108+.
The UK government’s acceptance of these proposals will be welcomed by organisations, and clarifies common issues when undertaking complex or novel forms of data processing. For example, scaling back on the LIA content will simplify data processing compliance burdens for virtually all organisations relying to a greater or lesser extent on legitimate interests for certain processing activities, and will liberate significant resources for privacy teams and business stakeholders alike.
The Consultation proposes to introduce a requirement for organisations to implement a risk-based privacy management programme, based on the level of processing activities and the volume and sensitivity of personal data processed. This will replace a number of current accountability obligations under the UK GDPR, such as:
- The need to designate a statutory data protection officer — to be replaced with the appointment of a “senior responsible individual” that provides appropriate oversight.
- The requirement to undertake data protection impact assessments — to be replaced with a more flexible requirement to ensure risk assessment tools are in place to identify, assess, and mitigate data protection risks across an organisation.
- The prior consultation requirement in Article 36 UK GDPR — to be replaced with voluntary prior consultation, a mitigating factor the ICO may take into account when enforcing against an organisation.
- The requirement for a formal record of processing activities — to be replaced with a more flexible record-keeping requirement under the privacy management programme.
The majority of these proposals will be welcomed especially by small-medium B2B businesses that process relatively low volumes of non-special categories of personal data, as they will benefit from the added flexibility and ability to take a risk-based approach tailored to their business. Conversely, international organisations might find it easier in practice to maintain a consistent approach towards data governance under the higher, more prescriptive, standard of the EU GDPR, rather than to implement and maintain compliance with two separate privacy regimes for the EU and the UK.
One interesting point to watch is whether more organisations will avail themselves of voluntary prior consultation than the existing mechanisms in Article 36 UK GDPR. Most respondents agreed that such a mechanism (recognised instead as a mitigating factor in the event of enforcement) would result in better and more proactive collaboration/conversations between the ICO and organisations that undertake high-risk processing activities. This could result in a win-win for the ICO, which will gain greater visibility, and for organisations seeking to leverage novel and innovative processing techniques or use data in new ways.
International Data Transfers
The UK government accepted the following proposals on international data transfers:
- Approaching adequacy decisions with principles of risk assessment and proportionality, and with greater focus on risk-based decision-making and outcomes than the approach currently adopted in the EEA.
- Providing further support and guidance on the use of alternative transfer mechanisms — the DCMS Secretary of State will be able to create new mechanisms for international data transfers or recognise such alternative mechanisms.
The main thrust of these proposals is the UK government’s restatement that it can exercise discretion in managing international data flows post-Brexit, including by granting adequacy decisions to allow the free flow of personal data to jurisdictions that the European Commission does not currently consider adequate.
The UK government also noted that it is considering: (i) making adequacy regulations for groups of countries, regions, and multilateral frameworks; (ii) relaxing the requirement to review adequacy regulations every four years; and (iii) replacing the need for a formal adequacy review with “a well-functioning, rigorous and ongoing monitoring process” (though what this process will entail in practice is not yet clear). Further, the UK government is currently prioritising: (i) adequacy decisions with Australia, Colombia, Dubai International Financial Centre, South Korea, Singapore, and USA; and (ii) trade negotiations bilaterally with the US, Australia, and New Zealand and multilaterally by its entry into the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). The UK government’s current approach to these negotiations includes introducing chapters/provisions ensuring free flow of “trusted”[i] data between the signatories.
The UK’s proposed approach to international data transfers may be subject to particular scrutiny by the European Commission, in light of the UK’s current adequacy status. The UK adequacy decision provides for continuous monitoring of the UK’s data protection framework by the European Commission, and allows the European Commission to suspend or repeal the decision at any time if it no longer considers the UK regime to ensure an adequate level of protection for personal data. Indeed, many respondents to the Consultation noted concern about the risk of a change in the UK’s current adequacy agreements and the potential impact on businesses. The specific detail around the government’s intended framework for international transfers, and any potential implications for the UK adequacy decision, will become clearer once the draft legislation is published.[ii]
e-Privacy — Focus on Cookies and Similar Technologies
The UK government has also accepted proposals to reform the Privacy and Electronic Communications Regulations 2003 (PECR):
- Removing the restrictions on cookie use under Regulation 6 PECR by allowing such use, absent user consent, for a limited number of non-intrusive purposes (e.g., website functionality, audience management but not tracking). These changes will apply not only to websites, but also to connected technology, including apps on smartphones, tablets, smart TVs, or other connected devices. In the longer term, the aim is to move to an opt-out consent model, eliminating the need for displaying cookie banners to UK residents.[iii]
- Raising the fines for breaches under PECR from the current maximum of £500,000 to UK GDPR level fines (i.e., £17.5 million or 4% of global turnover).
The move to an opt-out model should result in less onerous compliance requirements for businesses in relation to their UK users and customers. However, this proposed approach departs from the European model, and the increasingly restrictive guidance and enforcement of consent requirements for cookies across the EU. In practice, businesses will need to weigh up the costs and benefits (in terms of both user experience and operationally) of an internationally consistent cookie banner/consent mechanism versus a divergent, lighter touch approach for UK users only.
The DCMS will publish a formal impact assessment in the immediate term which includes an analysis of the expected impact of the proposals (updated from the initial note published alongside the consultation). The DCMS expects the results of this analysis to differ materially to that in the initial note, particularly to reflect the concerns of the majority of respondents around: (i) impacts to consumer confidence in privacy schemes and the effect these reforms may have on international relations; and (ii) the risk of a change in the UK’s current adequacy agreements and the impact on businesses if adequacy were to be lost.
Following the formal impact assessment, as outlined in the Benefits of Brexit policy paper on 31 January, the accepted proposals likely will be codified in a draft bill expected to be introduced in Parliament (possibly at some point this year). Once introduced in Parliament, the Bill will be subject to further review and negotiation before being finalised and brought into effect.
[i] The terms “trusted data” or “trusted cross-border data flows” are occasionally used in various UK government documents setting out the current approach to trade negotiations; note this term is not used in all instances and it is unclear what the qualifier “trusted” would practically mean at this stage.
[ii] We note the UK government’s remarks that “The reformed regime will retain the same broad standard that a country needs to meet in order to be found adequate, meaning individuals’ data will continue to be well-protected by a regime that ensures high data protection standards.” See also the recent speech by John Edward (the UK Information Commissioner) in Brussels reiterating this point.
[iii] It is not entirely clear at this stage whether the term “UK residents” will only apply to users and customers who are resident in the UK, or whether it will also apply to non-UK users passing through the UK.