On 10 September 2021 the Department of Digital, Cultural, Media and Sport (DCMS) published a consultation titled ‘Data: a new direction’ (Consultation). The Consultation is part of the UK governments wider national data strategy to unlock the power of data across the UK economy and secure a ‘pro-growth and trusted data regime’. The Consultation closes on 19 November 2021 and recommends a number of fundamental changes to the current data protection regime in the UK. We have considered 5 key proposals that will have a direct impact on how businesses can use data going forward if the changes are adopted.
Key proposed reforms
The underlying intention of the Consultation is to: i) reduce barriers to innovation (particularly in spaces such as AI and machine learning development); ii) decrease the burden on businesses and a move away from ‘box ticking’ compliance; and iii) boost trade by reducing barriers to international data flows. These core goals are considered and addressed by the following recommendations.
Research and science purposes
DCMS proposes further clarity on the existing protections for the use of personal data for science and research to ensure innovative businesses can fully realise the benefit of the current regulations. This clarity could be achieved through the consolidation of current provisions, further guidance on interpretation and possibly through a new lawful basis for processing. This reform would give research and development organisations much needed certainty in respect of their data processing activities.
Lawful basis for processing
The Consultation identifies an ‘over-reliance on consent’ which has resulted in ‘consent fatigue’ among individuals which in turn reduces consent and impedes responsible data use. A driving factor of the over reliance on consent is the uncertainty surrounding reliance on legitimate interest and the complexity of the legitimate interest balancing test. The Consultation proposes to publish an exhaustive list of legitimate interests for which an organisation can rely without having to perform the balancing test.
Legitimate interest is often viewed as a more uncertain lawful basis on which to rely but with an exhaustive list of authorised purposes organisations may be more willing to move away from reliance on consent. Although, to ensure it can withstand the test of time, the list will likely be generic which may still cause interpretation challenges for businesses looking to rely on the list. The language of the listed legitimate interests will be vital to see the benefit of this proposed reform.
Focus on innovation and AI
DCMS recognises the increased role artificial intelligence (AI) and machine learning will play in future health, social and economic innovation. There is a recognition that the technology neutral nature of the UK GDPR is important to ensure its effective application, while at the same time guidance is needed on how principles such as “fairness” can be addressed in the context of machine learning. Currently, for solely automated decision making consent is required to process personal data. DCMS is proposing that as part of the exhaustive list of legitimate interests (as explained above), the government will include circumstances where legitimate interest can be relied on in relation to AI systems for the purposes of monitoring, detecting and correcting bias. There is an emphasis on facilitating data use in AI and machine learning within the wider context of regulatory movement in this space.
Adequacy and international data transfers
There is an estimated £11 billion worth of trade going unrealised around the world due to barriers associate with data transfers. Recognising this barrier, DCMS notes that the UK government will be adopting an ambitious programme of adequacy assessments to add countries to its adequacy list and increase unrestricted data flows. Adequacy will be assessed on a risk based analysis to create a scalable, flexible adequacy regime in the UK. The Consultation proposes to shift the focus of international data transfers mechanisms to ensure they are necessary and proportionate, using a risk based metric that the current transfer mechanisms do not take into account.
DCMS recognises the current challenges faced by organisations looking to classify data as pseudonymised or anonymised. As such, DCMS proposes new tests for establishing anonymisation which , in theory, should provide organisations with clarity on using techniques such as pseudonymisation or anonymity for security and data minimisation. However, in a particularly interesting consideration, the Consultation proposes introducing legislation confirming that anonymisation will be “relative to the means available to the data controller to re-identify”. It is not clear whether the relative test would replace the motivated intruder test or whether the motivated intruder test would still play a role in establishing what means are available to the data controller in order to re-identify.
The Consultation identifies key pain points for businesses and endeavours to resolve them by taking a risk-based, proportionate approach to regulation. The UK GDPR is a principles based legislation and DCMS recognises the benefits and flexibility of this approach. However, the DCMS also recognises that there is a need to clarify the application of current data protection laws to facilitate the secure use of data. While the changes, if implemented, will come as a welcome relief for SME businesses a question arises as to the security of the UK’s adequacy decision from the European Commission if the UK were to implement such widespread data reform. The UK’s adequacy decision from the EU includes a sunset clause which means the decision will automatically expire at the end of 4 years unless renewed. If the UK adopts the proposed reforms in the Consultation there is a chance UK data protection law will diverge from EU law to such an extent that it may put the UK’s adequacy decision at risk.
The Consultation is still in its consultation phase and the recommendations being made are just suggestions at this stage. The implementation of any of the suggestions may take time and input from numerous stakeholders. This consultation is the first step in the process of reforming the UK’s regime for the protection of personal data and foreshadows possible changes to come.