It was confirmed last week in the Queen's Speech that reform of the UK's data protection regime remains very much a part of the Government's plans, and that we should expect a new Data Reform Bill (Bill) to surface during the Summer. While there remains little information on the extent of the reform for now, the proposals will be seeking to strike an acceptable balance between reducing some of the administrative burdens associated with the GDPR (particularly for SMEs involved in low risk data processing), and ensuring that protections for individuals remain sufficient to preserve the UK's "adequacy" status. It seems likely, however, that many businesses can at least expect a reduction to their governance and record-keeping obligations, as the Government has stated its intention to move towards more flexible "privacy management programs" favoured by several other non-EU jurisdictions.
On 10 September 2021 the Department for Culture, Media and Sport (DCMS) published a consultation document entitled "Data: a new direction" (Consultation), requesting views on a number of proposals that could bring sweeping changes to the UK's data protection landscape. The Consultation closed on 19 November 2021, but we are still waiting for the Government to comment on the more than 3,000 responses it received.
What we learned last week
There was little to be gleaned regarding the specific proposals from the Queen's Speech itself, though the accompanying Briefing Notes were a little more enlightening. They set out the main purposes of the Bill, namely to:
- create a world class data rights regime
- establish a new pro-growth and trusted data protection framework
- reduce burdens on business
- support innovation
- modernise the ICO, including strengthening its enforcement powers and increasing its accountability
- drive industry participation in schemes which give citizens and small businesses more control of their data, particularly in relation to health and social care.
As for the potential benefits, the Government's stated hopes are that the reform could:
- shift the emphasis of the UK's data regime to become more "outcomes-focused" and reduce burdens on UK businesses, allowing them to become more efficient and competitive
- empower citizens to use data to improve their lives, including by improving awareness of data subject rights
- clarify the regulatory environment to facilitate responsible innovation and scientific progress
- ensure that the ICO's activities target the organisations that breach data rights
- enhance the UK's position in the field of scientific and technological research, by simplifying the rules around use of personal data for such purposes.
At this stage, all of this remains vague enough to be fairly innocuous. What businesses, citizens, and the UK's international trading partners are still waiting for is a more concrete articulation of the Government's intentions. In particular, which GDPR-mandated "box-ticking" requirements might be removed, and how much of the protection currently afforded to data subjects is the government prepared to sacrifice in pursuit of a more business and innovation-friendly agenda?
Much of the ongoing uncertainty can be attributed to the breadth of the initial Consultation. It contains over 150 specific questions on issues spanning some of the most significant aspects of the data protection regime, including purpose limitation rules, profiling and automated decision-making (ADM), scope of data subject rights, cookie requirements, international data transfers, and reform of the ICO.
It is uncontroversial that several of these aspects currently present practical difficulties for businesses, and could potentially be recalibrated to ease the compliance burden without substantial detriment to individuals. However, if data protection impact assessments, legitimate interest balancing tests, requirements to appoint DPOs, data breach reporting and maintenance of records of processing activities (ROPAs) are all on the chopping block, it is questionable whether organisations would make sufficient voluntary use of such tools to avoid material reduction in standards. While large, multinational organisations may continue using these tools in order to adopt a uniform approach across all jurisdictions in which they operate, smaller organisations with a UK focus may welcome the freedom to bypass these obligations in favour of a more flexible approach to risk assessment.
This represents a very difficult balance to strike, particularly as the levers that the Government chooses to pull (and how hard) are being closely scrutinised by the European Commission. The UK's data protection regime is currently deemed to offer "essentially equivalent" protection for data subjects as the EU GDPR and, as a result, personal data can currently flow freely between them without additional safeguards. However, when the adequacy decision was issued by the European Commission in 2021 it included a sunset clause, meaning the decision would automatically expire in 2025. This provision was included (for the first time in an adequacy decision) for the specific purpose of guarding against future divergence by the UK.
Therefore, in seeking to ease the administrative burdens of compliance for businesses there is also a risk of sailing too close to the wind; should the UK's position change sufficiently for it to lose its adequacy status, this will create a significant and expensive compliance problem for businesses that routinely transfer personal data across borders.
Some of the proposals in the Consultation have already come under fire from civil society and consumer groups, including plans to liberalise legitimate interests as a lawful basis for processing, facilitate more widespread use of AI and ADM, and introduce new conditions for the exercise of data subjects' rights. However, the potential reform of the ICO could have an equally significant bearing on the future of UK adequacy. As we have seen from the developments on international data transfers in recent years, one of the major concerns of the EU's institutions is the level of access to personal data by government agencies. While the increasing prevalence of private sector surveillance is grabbing the lion's share of the headlines, safeguarding data subjects against abuses of data rights by governments remains of paramount importance.
The Consultation includes a number of proposals which would render the UK's ICO less independent from government. These include making the ICO's Guidance and Codes of Conduct subject to approval by the Secretary of State, and giving the government the right to appoint the ICO's Chief Executive. These proposals create the possibility of external interference in the operations of the ICO and could significantly impact its ability to scrutinise governmental and public sector use (or abuse) of personal data.
Much is also likely to depend on how the proposals develop for a potential UK Bill of Rights to replace the Human Rights Act. The Ministry of Justice is currently reviewing responses to a consultation on this issue, which closed last month. The EU has previously emphasised the importance of the UK continuing to fulfil its international obligations under the European Convention on Human Rights, which is one of the pillars on which its adequacy decision depends. The ICO also highlighted this point in its public response to the consultation.
Few would suggest that the GDPR is perfect and, like any new law that attempts such a major program of reform, it has some vocal detractors. There are many voices calling for the GDPR itself to be reformed in some of the ways being proposed by the Consultation, and arguing that strict compliance with a number of low-impact requirements places disproportionate demands on companies engaged in benign data processing activities. There certainly seems to be a growing consensus that data laws and regulators should train their sights on the small number of operators who do more to undermine data protection than everyone else combined.
The UK government is also not alone in highlighting that many regimes that currently benefit from adequacy decisions from the European Commission are not based on the prescriptive GDPR model, and instead favour the more risk-based "Privacy Management Program" approach that the Consultation envisages. Although a great many of the data protection and privacy laws that have emerged since 2018 have borrowed heavily from the GDPR model, the adequacy decisions in favour of New Zealand, Canada and Argentina are proof that there is plenty of room for manoeuvre within the concept of "essentially equivalent protection".
All eyes are on the text of the Bill, and on its international reception…