A new dawn for UK data protection regulation is upon us, ushering a “golden age of growth and innovation” according to the UK Government. As Elizabeth Denham’s term as the UK Information Commissioner draws to a close at the end of this month, this is hot on the heels of the UK National AI Strategy and the DCMS’ Consultation Paper (Data: a new direction) for reform of the UK data protection regime.
The DCMS Consultation is the first step in the Government’s plan to deliver on ‘Mission 2’ of the National Data Strategy, underpinned by the desire to boost innovation and economic growth for UK businesses while strengthening public trust in the use of data.
At 146 pages long, the DCMS Consultation is both comprehensive and wide-ranging. In this blog post we highlight some of the key proposals in the Consultation, alongside the similarly thorough ICO response to those proposals from last month.
- The UK path: In a post-Brexit world, the DCMS’ proposed reforms have potential to significantly alter the data protection landscape in the UK. They aim to establish a “pro-growth and innovation friendly” data protection regime that is more practical and “business friendly“. The proposals intend to be more proportionate and flexible in nature, focussing on a more risk-based approach and representing a shift away from a “one size fits all” approach to compliance with data regulations. They mark a move away from a rigid set of rules, towards a more outcome focussed regime, in order to reduce burdens on business.
- Wide–ranging reform: The proposals are expansive, seeking to create an adaptable and dynamic set of data protection rules that underpin the trustworthy use of data. The consultation concentrates on 5 key areas:
- Reducing barriers to responsible innovation, for instance by relaxing/simplifying the rules around organisations’ reliance on the legitimate interests condition to justify the processing of personal data (making it easier to rely upon in the context of conducting research and managing AI systems), clarifying the concept of data anonymisation and removing/limiting some of the restrictions currently placed on conducting automated decision making under Article 22 of the GDPR;
- Reducing burdens on businesses and delivering better outcomes for people by amending the current accountability framework with the introduction of risk-based “privacy management programmes” and removing existing requirements in relation to conducting DPIAs, appointing DPOs and maintaining detailed records of processing which align with Article 30 of the GDPR. The proposals also seek to increase the threshold for reportable data breaches to the ICO to breaches where there is a ‘material risk’ to individuals only.
- Reworking rules in relation to cookies and direct marketing including aligning the ICO’s fining powers under the PECR regime with those under GDPR;
- Boosting trade and reducing barriers to data flows including proposals around the use of alternative transfer mechanisms and adopting a more “risk-based” approach to granting UK adequacy decisions to other jurisdictions;
- Delivering better public services by allowing the processing of personal data for public health and emergency situations and providing guidance on the lawful grounds of processing; and
- Reforming the ICO to achieve the above goals by implementing new objectives and accountability mechanisms, for example by refocussing its statutory commitments away from handling a high volume of low-level complaints and towards addressing the most serious threats to public trust.
Further detail on the range of proposals is set out below at “The deeper dive: Key DCMS proposals, their impact and the ICO response“.
- Pro-business in practice? Organisations have already invested considerable time and cost in their own GDPR compliance in recent years. Whilst the proposed reform is stated to “offer improvements within the current framework” and is earnest in theory, it remains to be seen whether the proposed divergence from the existing (EU-based) regime will in fact realise the benefits suggested by the DCMS, and whether it really is more “business friendly” in practice.
The proposals appear to be skewed more heavily towards benefiting smaller organisations in particular, which have historically struggled with the burden of data protection compliance. However, with the added administrative layer for organisations (first having to assess their current EU GDPR compliant practices against any new UK requirements, as well as exercise a greater level of discretion as to how best to comply), there is a risk that the reform may prove to be no less burdensome overall, at least at the outset.
And that is without factoring in the added layer of complexity for organisations operating across both a UK and EU footprint and needing to comply with dual diverging regimes – albeit that these multi-jurisdictional organisations may well continue to apply the potentially higher EU “gold standard” across all jurisdictions for consistency. Data protection compliance is not an exact science at the best of times and the proposed divergence may therefore unintentionally introduce further “grey” areas and a greater degree of uncertainty for organisations.
- Adequacy: How far is too far? But perhaps the biggest question remains over whether the UK is able to maintain its EU adequacy status in the face of these proposed significant data protection reforms. Adequacy does not require a carbon copy replica of the EU GDPR framework and it may be that an element of divergence is possible if the UK continues to maintain a sufficiently protective data regime.
It is too early to tell at this stage. As the ICO response emphasises, as the proposals develop “the devil will be in the detail” (to ensure the final package of reforms adequately maintain rights for individuals). It will also be important to consider the overall impact of the package as a whole and how the various and plentiful proposals all fit together.
It is one thing removing burdens to organisations to deliver growth, but quite another if that then creates further barriers in the process; at its worst, loss of UK adequacy status, increased costs to organisations of using alternative transfer mechanisms and ultimately interrupting the free flow of data between the EU and the UK. A scenario that both the EU and the UK will ideally want to avoid. See “Adequacy: How far is too far? That is the question” below.
- The ICO Response – supportive with some reservations: Whilst broadly supportive of the reform, the intent behind it and the proportionate risk-based approach (recognising that high data protection standards cannot remain “static”), the ICO’s response is peppered with numerous reservations; unsurprisingly taking a more data subject focussed stance – often seeking clarity on additional safeguards to be put in place to ensure data subject rights are not jeopardised and more generally welcoming further consideration of the proposals. It also has strong concerns around reform of the ICO’s own leadership structure, which potentially put the independence of the regulator at risk.
With the “pragmatic” current serving New Zealand Privacy Commissioner, John Edwards, taking the UK ICO helm from January of next year (and with a remit that goes beyond the regulator’s traditional role of focussing only on protecting data rights), it will be interesting to see how these reservations will be reconciled in the short term. Not least, given the DCMS is keen to finalise the proposals set out in the Consultation in the coming months.
The ICO also confirmed it is “crucial we continue to see the opportunities of digital innovation and the maintaining of high data protection standards as joint drivers of economic growth. Innovation is enabled, not threatened, by high data protection standards“.
- Going against the grain? At a time when we are seeing increased data protection regulation at an international level, as well as territories looking to harmonise their data protection regimes, for now the UK seems to sit in contrast with its focus on divergence and deregulation.
Background: The UK balancing act
The issue of international data transfers has long been the main area of concern from a data protection perspective regarding Brexit; particularly whether or not the UK ensures an essentially equivalent level of data protection to that guaranteed under EU legislation. The European Commission’s adequacy decision confirmed the UK as an adequate jurisdiction for GDPR purposes on 28 June 2021. This allowed the free flow of data from the EU and EEA Member States to the UK without the need to put in place additional measures to legitimise the transfer (such as so called “EU Standard Contractual Clauses” or EU SCCs).
One of the key elements of the decision was that the UK’s data protection system continued to be based on the same rules that were applicable when the UK was a Member State of the EU. However, strong safeguards were also incorporated into the decision; these included the unique so-called “sunset clause” limiting the duration of the adequacy decision and the Commission’s close monitoring of how the UK system evolves (the Commission is entitled to suspend, terminate or amend the decision at any time in the case of problematic developments that negatively affect the level of protection found to be adequate). In turn, this has potential to restrict the extent to which the UK is able to diverge from the EU GDPR regime going forwards.
Since leaving the EU, there were suggestions that the UK may pursue a more relaxed, business-minded approach to data. In particular, the DCMS’ National Data Strategy and the Government’s “10 tech priorities” sought to pave the way for harnessing and “unlocking the value” of data across the economy. An approach mirrored and built on in the DCMS Consultation.
However, such an approach will clearly need to be carefully balanced against the UK’s position on data vis-à-vis the EU, particularly to ensure that any divergence from EU legislation is seen as sufficiently protective if the UK is to continue to benefit from the adequacy decision. See “Adequacy: How far is too far? That is the question” below.
Adequacy: How far is too far? That is the question
The “business friendly” intentions behind the Consultation indicate a clear intention to diverge from the EU regime and reform the UK rules on data protection so that “they’re based on common sense, not box-ticking. And…having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation.” (Digital Secretary, Oliver Dowden)
But how far is too far to diverge? When does a “business” and “innovation” friendly approach start to erode the level of protection afforded to data transferred from the EU to the UK and jeopardise the recently determined UK adequacy decision? It is one thing removing barriers to international data transfers in order to deliver growth, but quite another if that then creates further barriers in the process; at its worst potentially leading to the European Commission revoking the UK adequacy decision, increased costs to organisations of using alternative transfer mechanisms and ultimately interrupting the free flow of data between the EU and the UK. A scenario that both the EU and the UK will ideally want to avoid.
In the DCMS Consultation itself, the DCMS suggests it is possible to maintain adequacy – on the basis that adequacy does not mean a “word for word” replication of EU legislation – more a shared commitment to high standards of data protection. It cites examples of other EU adequate jurisdictions where this is the case.
The DCMS also makes it clear that any reformed regime will conform to high data protection standards and must be “underpinned by secure and trustworthy privacy standards”. Given the reservations in the ICO’s response, particularly those around data subject rights, as the proposals develop it remains to be seen whether the proposed reform does in fact sufficiently prioritise maintaining public trust in the UK’s data protection regime and, in turn, prioritise the UK’s adequacy status.
However, the Consultation is also accompanied by an impact assessment which includes the direct financial impact on UK businesses if the UK were to lose its EU adequacy status; this totals £1.4 billion over five years (the period in which compliance and SCCs would feed through to affected organisations). There is clearly a fair amount at stake if the UK Government get it wrong.
The deeper dive: Key DCMS proposals, their impact and the ICO responses:
The proposals set out in the Consultation are categorised into five key areas below:
i. Reducing barriers to responsible innovation: the proposal seeks to create an adaptable and dynamic set of rules that are flexible enough to be interpreted quickly and clearly in order to fit the fast-changing world of data-driven technologies – in doing so, supporting the Government’s pro-growth, pro-innovation stance. Proposed initiatives include:
- Easier and more certain reliance on legitimate interests as a lawful basis for processing personal data, through the creation of a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test. Whilst the processing would still need to be proportionate and necessary for the stated purpose, this would create a new set of legal bases which would satisfy the legitimate interests test and would give organisations more confidence to process personal data without unnecessary over-reliance on (the transitory and often more challenging to obtain) consent basis, as is currently the case.
Amongst other categories, the proposed list includes “ensuring bias monitoring, detection and correction in relation to AI systems”, “using audience measurement cookies or similar technologies to improve web pages that are frequently visited by secure users” and “using personal data for internal research and development purposes or business innovation purposes aimed at improving services for customers”. Whilst the Government acknowledges that any list would need to be sufficiently generic to “withstand the test of time”, it envisages updating the list via regulation-making powers, which seem likely to be invoked given the limited and exhaustive nature of the current (albeit relatively uncontroversial) list.
- AI and automated decision making: the Government recognises the ability for data-driven AI systems to bring huge benefits, alongside a need to deploy AI tools that innovate responsibly and manage data-related risks at every stage of the AI life cycle. The Consultation considers the interplay of AI technologies with the UK’s current data protection regime.
In particular, and perhaps most controversial, the DCMS invites evidence on proposals to remove or more tightly limit the restrictions on automated decision making (including profiling) under Article 22 of the GDPR (where the decision-making “produces legal effects concerning” an individual or “similarly significantly affects that individual”). The current restrictions include the right to human review, giving individuals the right to challenge and request review of a decision. Whilst the DCMS recognises safeguards are meaningful in some cases (e.g. high risk AI-derived decisions) especially as there is currently no clear approach and standards for wider AI governance, the current operation and efficacy of Article 22 are thought to be uncertain (with limited case law and guidance available in particular). The DCMS is mindful that these provisions need to keep pace with the likely evolution and proliferation of automated decision making and profiling use. This follows a previous recommendation from the Taskforce on Innovation, Growth and Regulation Reform to remove the provision in its totality, instead permitting use on the basis of legitimate interests or public interests (see above).
Another key area of reform in the use of AI, relates to anonymisation, and considering a clear legal test for determining when data will be regarded as “anonymous”; with organisations currently relying on the ICO’s code of practice of anonymisation and the recitals to the UK GDPR. The Consultation sets out a couple of options in this regard, including elevating recital 26 of the UK GDPR (based on the “reasonable likelihood” that the controller is able to identify the data subject, although this is unlikely to add much to the related ICO guidance on this area). The DCMS is also considering legislation to confirm that whether data is anonymous, is relative to the means available to the data controller to re-identify it (as per the approach in the CJEU case of Breyer v Germany when assessing whether dynamic IP addresses constitute personal data).
In an effort to maximise the ease with which organisations can share and process data responsibly, the Consultation supports the development and use of “data intermediaries” as well (e.g. entities that can provide technical infrastructure and expertise to support interoperability between datasets or act as mediators negotiating sharing arrangements between parties looking to share, access or pool data). Whilst this could potentially benefit data sharing particularly for research and development purposes (by introducing a new innovative data sharing framework within the existing data protection regime), there is limited information on this proposal currently in the Consultation itself.
The DCMS has also raised concerns regarding the scope and substance of ‘fairness’ as it applies to the development and deployment of AI under the existing data protection regime, determining that the concept may be best left to sector-specific regulation rather than the ICO. The UK’s forthcoming AI governance framework is likely to provide further clarity on this early next year.
- Use of personal data for research purposes: among others, the proposal seeks to incorporate a clearer definition of ‘scientific research’ into legislation (principally based on the related recital), consolidate the related provisions, consider the appropriate lawful basis for scientific research and whether the regime should enable data subjects to provide broad consent in circumstances where it is not possible to fully identify the purpose of personal data processing at the time of data collection. The Consultation acknowledges that the data protection regime is currently challenging to navigate and the provisions relating to research are relatively complex and dispersed within the current data protection framework. This is thought to create both real and perceived barriers for organisations, which currently sit at odds with the National Data Strategy looking to encourage reform to support research in the UK.
Key ICO Response
The ICO understands the drivers for greater certainty around use of legitimate interests as a lawful basis. However, rather than removing the need for the balancing test, the ICO envisages a shift in responsibility to carrying out the test from organisations to the Government instead – therefore requiring the Government to feel confident that the processing on any such list does not have a disproportionate impact on data subject rights. The ICO therefore expects the nature, context and detail of the processing to be set out more clearly to provide organisations with the necessary certainty to determine whether their own activities are covered (including how the Government has assured itself that the processing on the list will not have a negative impact without the need for further case to case consideration of the balance). It also called for the Government to provide more detail on how this proposal would interact with the exercise of individuals’ rights (for example, the right to object to the processing of personal data).
The ICO also supports the Government’s proposals relating to research and recognises the need to build trust regarding the fairness of AI and automated decision making. However, it does not agree that removing the right to human review at Article 22 is in the interest of data subjects and feels that this is likely to reduce trust in AI. On the contrary, it suggests extending Article 22 to cover partly (as well as wholly) automated decision making instead. The ICO agrees that providing guidance through engagement with stakeholders (including on what constitutes a “legal or similarly significant effect”) will help clarify what is acknowledged as a complex area, as well as looking more closely at how transparency could be strengthened to ensure human review is meaningful.
ii. Reducing burdens on businesses: the proposal seeks to shift away from a ‘box-ticking’ compliance regime towards one which is more based on a proportionate, flexible and risk-based accountability framework. This would require an organisation to develop and implement a risk-based “privacy management programme” (“PMP“) that reflects the volume and sensitivity of personal information it handles and the type(s) of processing that it carries out. The PMP would include the appropriate policies and processes for the protection of information.
Whilst the proposed changes to the existing framework are relatively significant, in a marked deviation from the EU GDPR requirements, the perceived benefit to small and micro-businesses of “reducing burdens”, may well not be realised in practice. In particular, it is possible that the proposal simply substitutes existing accountability requirements, with similar (but no less onerous) ones, adding a further administrative layer for organisations; first having to assess their current EU GDPR compliant practices against any new UK requirements, as well as exercise a greater level of discretion as to how best to comply (albeit the DCMS has suggested the ICO may provide related guidance in order to assist).
In particular, the proposed amendments to the existing accountability framework include:
- Removing the requirement to appoint DPOs and instead exercising discretion in designating a suitable individual, or individuals, to be responsible for the PMP and for overseeing the organisation’s data protection compliance. Whilst this is intended to drive “more effective data protection outcomes” (without the need for the individual to be sufficiently independent, as is currently the case), the DCMS acknowledges there is a risk that removing DPOs could significantly weaken internal scrutiny. Some organisations, e.g. those undertaking high risk processing, may therefore still opt to designate a DPO-type equivalent to independently monitor and assess their organisation’s data protection compliance (to help demonstrate its commitment to the accountability principle), but this would need to be in addition to the proposed individual responsible for the PMP.
- Removing the requirement for organisations to carry out DPIAs, to allow organisations to adopt different approaches to minimising data protection risks that better reflect their specific circumstances. While the removal of DPIAs means there is an increased risk of organisations undertaking processing that is high risk without adequate prior assessment of the impact of the processing, the Government considers that this will be mitigated by having in place an appropriate PMP.
- Removing the requirement for prior consultation with the ICO in advance of carrying out high risk processing that cannot be mitigated. Removing the immediate threat of enforcement action is envisaged to encourage and incentivise organisations to engage with the ICO for guidance on high risk processing.
- Removing record keeping requirements under Article 30 by establishing personal data inventories which explain what personal data is held, where it is held, why it has been collected and how sensitive it is. The new requirements under the PMP would allow further flexibility in how best to do this depending on the organisation’s own circumstances.
- Changing breach reporting requirements due to the administrative burden on the ICO as a result of over-reporting. This would involve a shift in threshold from reporting a breach unless it is unlikely to result in a risk to the rights and freedoms of natural persons, to a requirement to report a breach unless the risk to individuals is not material. The Government suggests the ICO will publish guidance and examples of what constitutes a non-material risk. This proposal also considers including a new voluntary undertaking process, similar to that in Singapore, which would allow organisations that are able to demonstrate a proactive approach to accountability, to provide the ICO with remedial action plans following a breach, and the ICO may authorise the plan without taking any further action.
- Amending the data subject access request provisions to introduce a cost limit modelled on the Freedom of Information Act. The Consultation also proposes a nominal fee regime as was the case under the DPA 1998, which is stated not to undermine an individual’s right to access their personal data. The proposal largely seeks to address concerns from organisations that they are overburdened when processing subject access requests, particularly wide-ranging, speculative requests (e.g. as a means to circumvent strict disclosure protocols otherwise required under the Civil Procedure Rules).
Key ICO Response
The ICO acknowledges that there are ways in which the legislation can be simplified, particularly to ensure the regulatory and administrative compliance obligations are proportionate to the risk an organisation’s data processing activities represent. Whilst it welcomes the Government’s commitment to retaining the principle of accountability and is open to alternative approaches to ensuring accountability and demonstrate it, the ICO believes further work is required to demonstrate both the additional value that PMPs could deliver and whether the intended benefits could be achieved through more minor changes instead. Particularly in light of the potential disruption and additional burden for business that significant change to the existing approach could bring, given the considerable resource organisations have already put into their current approach. Adequate time and resources would be needed for any such transition to take place effectively.
The ICO further agreed there is a possibility for more flexibility regarding DPIAs, however it noted that any reform to risk assessments must not result in reducing the robustness or quality of the assessment. Accordingly, the ICO has called for additional information on how organisations can adequately assess data protection risk. The ICO also re-highlighted the benefits of appointing a DPO (given the significant expertise, value and assurance the role can bring to data protection compliance) and suggested that this should not be lost with the reforms. The ICO drew parallels to designated roles under other sectors, for example, an ‘approved person’ under the Finance Act or a Money Laundering Reporting Officer under the UK Money Laundering Regulations. The ICO considers that DPIAs and having an appointed DPO will derive greater value and protection for individuals than the Government’s current proposals. It seems likely that organisations will share the same reservations about the reality of these amendments to the accountability framework.
Regarding changes to data subject access requests, the ICO reiterated the importance of these requests, and that this is only set to increase with the increased collection, use and re-use of data supported under the reforms. Concerned as to whether the proposed changes would in fact inhibit the exercise of this right, the ICO requested further evidence to accurately assess the benefits and risks associated with the proposals – not least to avoid disproportionate outcomes for data subjects, including the most vulnerable. One of the ICO’s alternative suggestions to address the burden of subject access requests (through, for example, use of new technologies when procuring and configuring new IT systems, as well as streamlining internal data management processes), may well not be sufficient on its own in practice.
iii. Reworking rules in relation to cookies and direct marketing: Whilst the focus of the Consultation remains firmly on reform of the UK GDPR, some elements of the proposals touch on the Privacy and Electronic Communications Regulations (“PECR”). On the face of it, these appear relatively minor and are likely to be welcomed by organisations and data subjects alike, particularly with the momentum currently behind initiatives to reduce the current “cookie fatigue”. These proposals include:
- Changes to cookies rules as the Government considers how best to balance issues relating to organisations’ ability to collect data to improve websites versus user complaints about the number of pop ups and impact on user journey. Two options are suggested.
- The first would allow organisations to use analytics cookies and similar technologies without user’s consent (i.e. treated in the same way was “strictly necessary” cookies under the current legislation, which is the approach currently adopted in France).
- The second, would permit organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes (i.e. a possible list of exemptions).
- Extending the existing soft opt-in relating to direct marketing (i.e. beyond just organisations where they have previously formed a relationship with an individual during a sale or transaction) to non-commercial organisations (such as charities or political parties) and perhaps as a result of a membership or subscription.
- Increased enforcement under PECR (i.e. bringing fines in line with UK GDPR); allowing the ICO to issue fines of up to £17.5 million or 4% of global turnover (compared to the current £500,000 levy). This would align with the sanctions regime envisaged under the proposed EU ePrivacy Regulation which is still making its way through the European legislative process and, depending on the relative timing, the proposals have the potential to subject UK based organisations to these more stringent sanctions earlier than their European counterparts.
- Changes to cookies rules as the Government considers how best to balance issues relating to organisations’ ability to collect data to improve websites versus user complaints about the number of pop ups and impact on user journey. Two options are suggested.
Key ICO Response
As made clear by Elizabeth Denham at the G7 summit earlier in the year, the ICO agrees that the current approach to cookie pop-ups is not practical for data subjects or organisations and welcomes change to the cookie rules. Whilst the ICO is broadly supportive of the two options proposed by the Government, it requests further clarity on how a possible list of exemptions (without requiring user content) would work in the context of the wider reforms in the Consultation – particularly in light of the list of legitimate interests for which organisations can use personal data without applying the balancing test (see above), which could have the overall impact of removing appropriate safeguards.
Regarding a proposal to use browser and non-browser based solutions, the ICO acknowledges that this will also require adequate enforcement measures are put in place to ensure that users’ preferences are sufficiently respected. The ICO saw benefit in extending the existing soft opt-in to non-commercial organisations, provided existing safeguards continued to apply. The ICO also urged the Government to further consider legislating against the use of “cookie walls” (which require users to consent to cookie settings in order to access an online service’s content), given these arrangements can have the effect of removing meaningful choice by data subjects and therefore give rise to a risk of unfairness to those subjects.
Unsurprisingly, the ICO supports the Government proposal to raise fines under PECR and would like to engage with the Government on the potential benefits and costs of bringing the whole of the PECR enforcement toolkit in line with that of the DPA 2018 as well. Again, if pursued and depending on timing, this has potential to give rise to disparity with UK based organisations subject to more stringent enforcement than their European counterparts.
iv. Boosting trade and reducing barriers to data flows: The Government’s ambition is for the UK to be a leader in digital trade and hopes to support international data flows as part of its plan to do so. Given the flurry of developments in the international data transfer arena in the last 12 months, this area remains one to watch at both the UK and EU levels; particularly the fallout from the Schrems II judgement, the EDPB guidance on supplementary measures, the new EU SCCs and the draft UK equivalents. The DCMS Consultation proposals add a further level of complexity (and divergence from the EU regime) in this area, and follow the DCMS’s UK Global Data Plans which included an ambitious programme of priority data adequacy assessments and partnerships (with countries including the US), as well as a UK approach to adequacy assessments – please refer to our related blog for further information.
In particular, the proposals in the Consultation suggest a “risk-based” approach to UK adequacy decisions, focussing more on outcomes, rather than slavishly comparing respective legislation and suggesting a greater focus on proportionality. The proposals suggest that adequacy regulations could be made even in respect of “groups of countries, regions and multi-lateral frameworks” (for example where they share harmonised data protection standards). The proposals aim to relax the requirement to review adequacy regulations every four years, instead placing an emphasis on ongoing monitoring of countries’ relevant laws and practices given that adequacy is increasingly seen as a “living mechanism”.
The Government is also considering legislative amendments to ensure the suite of alternative transfer mechanisms available to UK organisations in the UK GDPR (set out in Article 46 and that permit international transfers of personal data to countries that are not subject to an adequacy decision) are clear, flexible and provide necessary protections for personal data. In particular, this is with a view to developing:
- proportionality (providing more detailed, practical support for organisations determining and addressing the risks facing data subjects in practice, particularly for smaller organisations). Other proposals also include introducing a “reverse transfer exemption” from the scope of the UK international transfer regime, to alleviate friction for UK businesses where an outbound data transfer is already subject to sufficient protection as part of the inbound transfer to the UK;
- flexibility and future-proofing (to more adequately reflect the rapidly changing international transfers landscape, as opposed to the current exhaustive list of alternative transfer mechanisms). This will complement the work already underway by the ICO to support organisations to take better advantage of existing options for tailored transfer mechanisms, such as Binding Corporate Rules, Codes of Conduct and Certification Regimes. Other proposals include empowering organisations to create or identify their own alternative transfer mechanisms, as well as those listed in Article 46; likely to benefit organisations with complex data transfer requirements in particular, for example, designing and using bespoke contracts to permit safe international transfers, which would supersede the existing option to develop bespoke data protection clauses requiring approval from the ICO. This is similar to the approach adopted in New Zealand’s data protection regime. The Consultation also considers permitting repetitive use of derogations under Article 49, which could provide flexibility and assurance for organisations that need to rely on them in certain limited but necessary circumstances. Derogations are currently only used as a last resort to legitimise international transfers and, even then, only permitted in very limited circumstances and under specific conditions where adequacy and alternative transfer mechanisms are unavailable; and
- interoperability (to ensure the UK regime is compatible with any potential new international transfer regimes regardless of the mechanisms they use to transfer data). Whilst a valid and important factor for organisations, it is currently unclear how, and the extent to which, this will be achievable in practice given the intention to diverge from the EU regime in particular and the related complexities in doing so. The proposals also include modifications to the certification schemes framework to provide for a more globally interoperable market-driven system that better supports the use of certifications as an alternative transfer mechanism.
Key ICO Response
The ICO appreciates the need for “real-time flows of data in the digital economy”, whilst also maintaining high standards of data protection in the UK. It supports the proposed risk-based, practical approach to balance these requirements and welcomes the idea of alternative approaches to ensure this is the case. However, the ICO also requests further clarity in a number of areas around the detail of how this risk-based approach and the proposed alternative approaches would work in practice – to fully understand the implications of reform in this area and what proportionate safeguards were intended, emphasising the importance to UK business of retaining its own EU adequacy status.
In particular, on permitting repetitive derogations, the ICO highlights a fine balance is needed. Where a transfer is repetitive and predictable, use of an alternative international transfer mechanism under Article 46 (wholly or partly) may be more appropriate. However, the ICO accepts, where this is not possible, reliance on a derogation may still be “necessary and proportionate”, provided adequate measures were put in place, such as requiring the data exporter to document the approach taken and safeguards. In light of the increased flexibility and range of transfer tools suggested as a whole under the reform, the ICO also highlighted the importance of considering the proposals as a whole package; not least given the reforms as a whole may reduce the need for flexibility around permitting repetitive derogations.
On the proposed reverse transfer exemption, whilst the ICO supports changes to reduce burdens in a proportionate manner, it suggests any issues faced by UK organisations when making these transfers may in fact be reduced following the outcome of the ICO’s consultation on international transfers and any revised guidance in light of its own interpretation of restricted transfers and extra-territorial effect of the UK GDPR. It therefore encouraged the Government to investigate how effective this exemption may be in reducing complexity in practice.
The ICO touched on its own “proactive action” in this area as well, focussing on the equally “risk-based practical approach” suggested in its proposed International Data Transfer Agreement and Transfer Assessment, which also sought “interoperability” to some extent with the new EU SCCs – please refer to our related blog here.
v. Delivering better public services: the Government wishes to use personal data for the purpose of improving the delivery of public services while also maintaining a high level of public trust. Proposals in this regard support easier data sharing – both between different public authorities, as well as between public bodies and private companies processing on their behalf. In particular, the Consultation clarifies that private companies, organisations and individuals who have been asked to carry out an activity on behalf of a public body may rely on that body’s lawful ground of processing the data and do not have to identify a separate lawful ground to legitimise the processing of personal data. This is intended to support further collaboration between the public and private sector, particularly in light of the benefits achieved during the COVID-19 pandemic.
Key ICO Response
The ICO agrees that data sharing can help public bodies and other organisations to deliver modern, efficient services that make individuals’ lives easier. It also acknowledges that certain safeguards are in place to ensure that public authorities and officials are accountable for determining that all relevant aspects of the public task lawful ground are satisfied and that public interest is protected. However, the ICO called for further clarity on the extent to which these would apply to private bodies in these circumstances to ensure that data subject rights are sufficiently protected.
vi. Reform of the Information Commissioner’s Office: the Government intends to improve the legislative framework that underpins the powers, role and status of the ICO, setting new and improved objectives and accountability mechanisms. This includes refocussing statutory commitments away from handling a high volume of low-level complaints and towards addressing the most serious threats to public threats. The new statutory framework is intended to set out the strategic objectives and duties that the ICO must fulfil when exercising its functions, including placing new duties on the ICO to have regard to economic growth, innovation and competition when discharging its functions. Amongst other suggestions, the Government also proposes a new governance model for the ICO, aligning with the structure adopted by other regulators such as Ofcom and the FCA (i.e. with a CEO and independent board). The Secretary of State would appoint the CEO and approve (or reject) ICO guidance.
Key ICO Response
Whilst the ICO supports some of the proposed changes (including strengthening the ICO’s supervision and enforcement powers and elements of the new duties when exercising its function), it also raised strong concerns with other elements – particularly reform of its leadership structure (and the proposed approval powers granted to the Secretary of State), potentially putting the independence of the ICO (from the Government) at risk. The ICO believes that in order to maintain and build public trust, the regulator must have the ability to regulate independently. This seems a valid concern and, given the need for the Government to work closely with the ICO to further develop the proposals under the reform, one which the Government will need to reconsider closely as part of its response to the Consultation.
Next steps: Spotlight on stakeholder responses
The proposals set out in the Consultation have the ability to significantly change the data protection landscape in the UK and, in turn, the compliance requirements for businesses operating in the UK – a particular headache for those needing to comply with the dual EU and UK regimes. However, the true impact of this “new dawn” on the full spectrum of businesses operating in the UK (particularly whether the intended benefits of the proposals are realistic in practice), will only be known further down the reformation process, once the detail of any legislative changes is published.
Either way, the UK Government is clearly making waves in forging its own data protection path ahead in the wake of Brexit, in some cases currently at odds with the ICO, its own data protection supervisory authority. It will be interesting to see how those pinch points, in particular, will develop and whether they can be reconciled with the significantly more data subject focussed views of the ICO. We therefore expect (and encourage) a wide range of stakeholder responses to the Consultation by the 19 November 2021 deadline. Watch this space.