What are the main areas of reform for the UK's data protection regime and how will they affect business?
On 17 June 2022 the UK government released its response to the consultation "Data: a new direction" on the existing data protection regime in the UK. The response sets out the government's proposed post-Brexit reforms to the UK's data protection regime, which is currently based on the General Data Protection Regulation (GDPR).
The reforms are focused around several themes, including: reducing the burden on businesses, reducing barriers to responsible innovation and to data flows, and reforming the Information Commissioner's Office (ICO). The government intends that the reforms will not undermine high standards of data protection within the UK and that, in almost all cases, organisations that comply with the UK’s current regime will still do so once the changes are made.
Implementation of the reforms will require primary legislation, namely the Data Reform Bill, which was announced in the Queen's Speech on 10 May 2022. When the Bill is published, it will provide more detail on the proposed changes.
New accountability framework
The government aims to reduce what it describes as the regulatory burden of "tick-box exercises", creating greater flexibility and more proportionate and targeted compliance activities for individual businesses. The government proposes:
- The implementation of new "privacy management programmes". These will be tailored to the processing activities and the volume and sensitivity of personal data that organisations handle. The government stresses that organisations that are currently compliant with the UK GDPR would not need to significantly change their approach to be compliant with the new requirements, unless they wanted to take advantage of the additional flexibility that the new legislation will provide.
- No requirement to have a designated data protection officer. Instead, businesses will be required to appoint a senior responsible individual to oversee a business's data protection compliance. This individual will not need to fulfil the requirement for a designated data protection officer (DPO) to be "independent". However, it seems that those businesses that choose to retain a DPO will need a senior responsible individual as well; it remains to be seen how this will work in practice.
- The introduction of risk assessment tools. These will replace the requirement to complete data protection impact assessments (DPIAs) as currently prescribed under UK GDPR. Businesses will still need to implement risk assessment tools to identify, assess and mitigate data protection risks across the organisation. Existing DPIAs will remain valid and in force. Organisations can continue to use DPIAs – and can tailor them to their organisational needs.
- Removing the need to meet the current records-of-processing requirements. However, businesses will need to maintain "personal data inventories" as part of their privacy management programme. These inventories will describe what personal data is held and where, why it has been collected, and how sensitive it is.
- Reducing the threshold for refusing or charging for a subject access request. The threshold for refusing or charging a reasonable fee for a subject access request is to be reduced from "manifestly unfounded or excessive" to "vexatious or excessive". However, the government does not intend to reintroduce a nominal fee for processing subject access requests.
- Expanding types of cookies to be used without obtaining consent. The government intends to legislate to remove the need for websites to display cookie banners to UK residents, and to permit cookies (and similar technologies) for a small number of non-intrusive purposes to be placed on a user's device without explicit consent. Longer term, the government intends to move to an opt-out model of consent for cookies placed by websites (that is, cookies could be set without seeking consent).
- Aligning the enforcement regime for e-privacy. The enforcement regime under the UK's Privacy and Electronic Communications Regulations will be brought in line with the UK GDPR. This will grant the ICO the same enforcement powers (including the ability to fine) in respect of direct marketing compliance.
Reforming the ICO
The government's aim is to modernise and strengthen the enforcement powers of the ICO and to ensure it is more accountable to the government and the public. The government has confirmed it will:
- Create a new governance model. It will introduce a statutory board with a chair and chief executive to bring the ICO in line with other UK regulators such as Ofcom and the Financial Conduct Authority. The government will also take forward its proposal to require the ICO to set up new expert panels in relation to codes of practice and statutory guidance, and to introduce a power for the secretary of state for culture, media and sport to approve ICO codes of practice and statutory guidance.
- Set clear strategic objectives and duties. These will ensure the ICO continues to uphold data subject rights, encourages responsible personal data use, and has regard to growth and innovation, competition and public safety.
- Increase the ICO's accountability. This will be done by establishing new reporting requirements relating to the ICO's performance against its strategic objectives, and to its approach to enforcement and its use of its powers.
- Broaden the ICO's enforcement powers. This will be achieved by extending the current statutory deadline of six months for the ICO to issue a penalty notice following a Notice of Intent (under certain circumstances); by enabling the ICO to compel witnesses to attend and answer questions at interview; and by requiring the ICO to set out anticipated timelines for ongoing investigations.
- Reduce the volume of complaints. Complainants will be required to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO, alongside a requirement on data controllers to have a simple and transparent complaints-handling process for data subject complaints. There are also proposed new legislative criteria that the ICO can use to decide whether to pursue a complaint (for example, where the complaint is vexatious or where the complainant has not attempted to resolve the issue with the relevant data controller).
Reducing barriers to innovation
The government wants to reduce barriers to responsible innovation and proposes to:
- Remove the legitimate interest balancing test for a limited list of processing activities. This list is likely to include processing activities which are undertaken by data controllers to prevent crime or report safeguarding concerns or which are necessary for other important reasons of public interest.
- Clarify the test for anonymous data. This will become a relative test: whether anonymous data can be re-identified will be judged relative to the means available to the controller to re-identify the data at a particular time.
There were also some proposed reforms in relation to international data transfers, although these were relatively limited in scope and remain subject to more detail on the precise approach being published.
Osborne Clarke comment
How will these reforms affect my business? The reforms, especially the removal of burdensome compliance obligations, could be seen as welcome news, particularly by UK small to medium-sized enterprises and public sector organisations (as we discussed in our recent seminars exploring the future of data regulation). For others, such as organisations that process large volumes of sensitive data and will still need to adhere to a high degree of accountability, the reforms may not be as beneficial.
In particular, for organisations that operate in both the European Economic Area (EEA) and the UK, or provide goods or services to individuals in the EEA and the UK, deregulation under the UK regime may have limited impact where the organisation is also subject to the higher compliance standards in the EEA. In practice, organisations will want to take a uniform approach as much as possible and are likely to continue to observe the most prescriptive requirements.
In addition, any major deviations from the EU data protection regime could call into question the UK's adequacy decision, which currently allows for the free flow of personal data between the EEA and the UK. While this seems unlikely given that there will continue to be very close alignment between the EU and UK regimes, the continuation of the position should not be taken for granted, not least as it is subject to periodic review by the EU.
Indeed, reflecting on the response to the consultation, it is noteworthy how many of the ideas that were put out for consultation have been dialled down or removed from the proposed changes to the current regime. For those changes that are still proposed, much will turn on the detail of the legislation, and the exact wording of the Data Reform Bill will therefore be subject to intense scrutiny when it is published.