The government has today published its eagerly awaited Consultation Paper on Reforms to the UK Data Protection Regime – ‘Data: A New Direction’ (“Consultation Paper”), setting out the specific areas for regulatory reform of the UK’s data protection regime. It follows a spate of activity from the government in relation to plans for its post-Brexit global data transfer regime and the publication of the UK’s National Data Strategy last year.
Following Brexit, the UK is now free to develop its own data protection regime, and the proposals articulate the government’s vision for extensive changes to the data protection landscape to secure digitally enabled growth within a strong regulatory environment that upholds trust and confidence. The proposed reforms align with the National Data Strategy and focus on five key areas – supporting digital innovation in key growth areas, such as research and AI; reducing the regulatory burden of compliance for business; reducing barriers to international data flows; reforms to the flow of data within the public sector; and reforms to the status and powers of the ICO.
As the Consultation Paper runs to nearly 150 pages, it will require careful consideration, but some of the more interesting proposals for reform are summarised below for our readers.
Reducing barriers to responsible innovation
The Consultation Paper states that “the government recognises that any data protection regime requires active interpretation and application to new and emerging technologies”. The proposals aim to provide “an adaptable and dynamic set of rules that are flexible enough to be interpreted quickly and clearly in order to fit the fast-changing world of data-driven technologies” and include:
- a number of proposals in relation to the use of personal data for research purposes, including:
  - consolidating and bringing together research-specific provisions;
  - incorporating a clearer definition of ‘scientific research’ into legislation;
  - enabling the lawful ground of consent to be relied on for processing based on broad consent for scientific research; and
  - where processing is for research purposes, disapplying the current requirement for controllers who collected personal data directly from the data subject to provide further information to the data subject prior to any further processing, where it would require a disproportionate effort to do so.
- creating a limited, exhaustive list of legitimate interests that organisations can use personal data for without applying the balancing test. The list would include processing of personal data necessary for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems.
- in relation to AI, the government has outlined concerns around the scope and substance of ‘fairness’ in the data protection regime as applied to the development and deployment of AI systems, and around the ICO’s regulatory reach. The government suggests that other horizontal or sectoral laws and associated regulators may provide a more appropriate avenue for assessment of some aspects of fairness, especially of outcomes, in the AI context.
- considering how to develop a safe regulatory space for the responsible development, testing and training of AI, which will allow organisations the freedom to experiment where it does not cause harm.
- amendments in relation to the processing of special category personal data necessary for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems.
- clarifying, to put it beyond doubt, that further processing for an incompatible purpose may be lawful when based on a law that safeguards an important public interest or when the data subject has re-consented.
- including in legislation a clear test for determining when data will be regarded as anonymous, and legislating to confirm that the test for re-identification under the general anonymisation test is a relative one.
Reform of the Accountability Framework
The Consultation Paper explains that a “key driver of unnecessary burdens on organisations is the accountability framework set out in the UK GDPR”. Proposals aim to provide more proportionate and flexible approaches, while retaining “the principle of accountability at its heart”, and include:
- the development and implementation of a risk-based privacy management programme (“PMP”) based on the volume and sensitivity of the personal information and the type(s) of data processing carried out, which includes the appropriate personal information policies and processes for the protection of personal information.
- removal of certain prescriptive elements from the current legislation:
  - replacing the existing requirement to designate a Data Protection Officer with a new requirement to designate a suitable individual, or individuals, to oversee the organisation’s data protection compliance; the specific requirements for the role will not be specified in legislation;
  - removing the requirement for organisations to undertake Data Protection Impact Assessments. The government anticipates that increased regulatory guidance would offer strategies that organisations should consider adopting to protect personal information, including when and how they may want to undertake a data protection impact assessment;
  - removing the requirement for prior consultation with the ICO for higher risk processing (under Article 36(1-3) of the UK GDPR) so that it is no longer mandatory and controllers would not face any direct penalties for failing to consult the ICO in advance of carrying out the processing;
  - introducing a new ‘voluntary undertakings process’ allowing organisations to provide the ICO with a remedial action plan upon infringement, which the ICO may authorise without taking any further action.
- adopting a more flexible model for record keeping under Article 30 by removing prescriptive requirements for exactly what needs to be included in the record.
- changing the threshold for data breach notification to the ICO so that organisations must only report a breach where the risk to individuals is “material”. The government plans to encourage the ICO to produce guidance and examples of what constitutes a ‘non material’ risk, as well as to produce examples of what is and what is not reportable, in order to assist organisations.
Changes to the Data Subject Access Request regime
The Consultation Paper recognises that some organisations have experienced a number of issues with the ways in which subject access requests are submitted and handled. The government has therefore proposed introducing a fee regime, which would include:
- a cost ceiling to address organisations’ capacity constraints; and
- amending the threshold for response (e.g. being able to refuse a request that is vexatious).
Changes to the rules on cookies
The changes to the Privacy and Electronic Communications Regulations 2003 (PECR) have been well trailed in the media and seek to address the frustrations with cookie pop-ups. Proposed reforms include:
- permitting organisations to use analytics cookies and similar technologies without the user’s consent (i.e. treat them in the same way as “strictly necessary” cookies under the current legislation for which consent is not required); or permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
- extending the soft opt-in to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, e.g. as a result of membership or subscription. This would allow non-commercial organisations, such as charities, to use the soft opt-in, which is not available to them under the current legislation.
- increasing the fines that can be imposed under PECR so that they are at the same level as fines imposed under the UK GDPR (i.e. increasing the maximum monetary penalty from £500,000 to up to £17.5 million or 4% of global turnover, depending upon the contravention).
Boosting Trade and Reducing Barriers to Data Flows
Following Brexit, the UK now has the ability to adopt its own decisions in relation to adequacy for personal data transfers. The government has stated that it intends to grant additional countries adequacy, “by progressing an ambitious programme of adequacy assessments”, and will consider making adequacy decisions for groups of countries, regions and multilateral frameworks. The government intends to ensure that all adequacy regulations made under current laws remain valid under any future regime. In addition, the government proposes creating a new power for the Secretary of State to formally recognise new alternative transfer mechanisms.
- The government intends to relax the requirement to review adequacy regulations every four years. The priority will instead be on ongoing monitoring of countries’ relevant laws and practices.
- The government has stated that it also wants to explore legislative change to ensure that the suite of alternative transfer mechanisms available to UK organisations in the UK GDPR is “clear, flexible and provides the necessary protections for personal data”, including:
  - allowing organisations to create or identify their own alternative transfer mechanisms in addition to those listed in Article 46 of the UK GDPR (e.g. bespoke contracts to enable safe international transfers); and
  - establishing a proportionate increase in flexibility for use of derogations by making explicit that repetitive use of derogations is permitted.
- The government is proposing to exempt ‘reverse transfers’ from the scope of the UK international transfer regime. This reform would make transfers that have been received by an organisation in the UK and are being sent back to the original transferor exempt from the international transfer requirements.
Delivering Better Public Services
The government recognises in the Consultation Paper that “there are a number of barriers to effective data use in government, including: data infrastructure that is not interoperable; legal and cultural barriers to data sharing; inconsistent data capability in the workforce; and financial disincentives that discourage investment”. The government’s proposals in this area include:
- clarifying that private companies, organisations and individuals who have been asked to carry out an activity on behalf of a public body may rely on that body’s lawful ground for processing the data under Article 6(1)(e) of the UK GDPR and do not have to identify a separate lawful ground.
- clarifying that public and private bodies can lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies.
- introducing compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors using public data.
- considering whether to expand the range of situations in Schedule 1 of the DPA 2018 where special category personal data may be processed.
- clarifying the legislation to facilitate improved cross-sector working, which will in particular support joint operational activity between law enforcement and national security partners.
Reform of the ICO
The Consultation Paper includes a number of proposals to reform the legislative framework underpinning the role, status and powers of the ICO, including:
- placing a new duty on the ICO to have regard for economic growth and innovation when discharging its functions.
- establishing a new information sharing gateway to enable regulators to share information in support of cooperation across a broad range of issues.
- introducing a requirement for complainants to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO.
- requiring data controllers to have a simple and transparent complaints-handling process in place to deal with data subject complaints.
- introducing criteria by which the ICO can decide not to investigate a given complaint.
- introducing a new power for the ICO to commission an independently produced technical report to inform investigations, obtaining a view from a third party about aspects of a regulated organisation’s activities.
- amending the statutory deadline for the ICO to issue a penalty following a Notice of Intent from 6 months to 12 months, and including a so-called “stop-the-clock” mechanism giving the ICO the power to stop the clock if relevant information is not provided on time.
The consultation runs until 19th November 2021.