The UK Government’s response to the post-Brexit ‘UK GDPR’ reforms was issued on Friday last as part of London Tech Week. It was met with mixed reaction, locally and globally.
But what does the reform of the UK’s data protection laws mean for global and Australian organisations doing business in the UK? How great of an impact will the new proposed reforms have on cross-border data transfers? And will these reforms herald a change of approach here for the Attorney General’s (AG’s) office on its ongoing review of the Australian Privacy Act 1988 (Cth) (Privacy Act)?
We explore the key issues.
What do the UK Government reforms propose?
The consultation on the UK’s response to the EU General Data Protection Regulation (GDPR) post-Brexit – Data: a new direction – when launched last September sought to create an ‘ambitious, pro-growth and innovation-friendly’ data protection regime for the UK – the UK’s answer to GDPR. It aimed to foster the UK as a more favourable data-trading partner than its ‘bureaucratic’ EU counterparts.
On first glance, the Department for Digital, Culture, Media, and Sport’s (DCMS) response features a number of welcome reforms to GDPR. These include the removal of the mandatory data protection officer (DPO) role, adding an opt-out model for cookies collection instead of the ‘frustrating’ cookie pop-ups, introducing a more flexible record-keeping requirement, and providing ‘modernising’ updates to the structure of the Information Commissioner’s Office (ICO) (the UK’s Information Commissioner & regulator) to align more broadly with private sector governance (including an independently appointed CEO, Board and chair). Tougher fines for scam and nuisance calls are also identified – an area that no doubt Australian regulators will keep a close focus on – and increased measures for serious data non-compliance.
What does this mean for businesses operating in the UK?
Whilst DCMS has not replaced the GDPR with an entirely new law, as some might have hoped, it has attempted to relax some of the problematic practical issues that have besieged organisations in adopting the EU GDPR.
However, in dealing with over five chapters of specific reform areas, the UK Government has arguably introduced a ‘rose by another name’. The core GDPR accountability and governance requirements may be changed – but they have instead been replaced with very similar (and arguably no less burdensome) UK obligations.
In replacing the DPO role, the DCMS response calls for ‘complementary measures’, including a requirement to ‘appoint a suitable senior individual to be responsible’ for an organisation’s privacy management programme (PMP) (another new requirement) so as to avoid the ‘tick-box process’ of the GDPR.
Cookie consent has also been changed – with the Government confirming that it intends to move to an ‘opt-out model of consent for cookies placed by websites’, save for some exemptions, including sites likely to be accessed by or targeted at children. In practice, this would mean cookies could be set and collected without consent when someone first accesses a website (e.g. via the web browser), but the site must be clear on the process for opting out and the conditions that apply. So, further policies and processes on opt-in/opt-out mechanisms (and the conditions and exceptions that apply) will need to be factored into UK data compliance frameworks.
DCMS has identified that a key aim of its proposed changes is to reduce compliance burdens for small businesses – and the flexibility it proposes to introduce on data record keeping will be welcome, in contrast to the detailed ‘golden’ records of processing under the GDPR. However, the new requirement for a ‘personal data inventory’ to be maintained as part of a PMP may not make much material or practical difference for many organisations, particularly those who have already spent significant sums of money on meeting the GDPR records management thresholds to date.
So it is hard to see where the $1bn ‘red tape’ savings heralded by the UK Government will eventuate. DCMS takes the view that a framework based on mandatory privacy management programmes will enable a proportionate approach to compliance, based on an organisation’s size and the volume of data (including sensitive data) being handled.
This all seems quite fair and sensible – organisations that process highly sensitive data (i.e. special category data) or large volumes of high-risk data will be expected to have the most robust approaches to accountability.
However, the need for organisations operating in Europe and the UK to self-assess whether their existing GDPR compliance frameworks will meet the proposed new UK PMP regime, at least, seems to simply replace European bureaucracy with British.
For many organisations, and in particular Australian organisations investing in, or offering services in, the UK and Europe, the administrative burden of having to comply with yet another data protection regime will simply add to the headache – and costs – that global organisations already have to contend with given the lack of standardisation of data protection laws.
Lessons for Australia?
As the Australian Government undertakes its own review of the Privacy Act here, it will no doubt be keeping a close eye on industry response to these UK reforms. The new Online Privacy Code here is not unlike the areas addressed in the UK Online Safety Bill making its way through the UK Parliament – so synergies are already at play.
Many of the areas identified by the UK consultation are also areas in which the AG’s office has identified a requirement to shore up defences in Australia.
Not least, the additional modernisation and enforcement powers for the ICO echo the proposed strengthening of enforcement provisions and investigation powers of the OAIC – although the proposed veto right for the UK Secretary of State over the adoption of statutory codes and guidance does raise some red flags on the political direction, and stated independence, of the UK ICO.
The new PMP obligation and requirement for UK entities to improve data risk cultures is not unaligned with APRA’s announced 2022 priorities on improved risk management cultures in the financial services industry, including proposals for APRA-regulated entities to implement and maintain proactive risk assessment tools to mitigate data and cyber-related risks.
Of real interest for Australia is the approach the UK Government has indicated regarding cross-border data flows, signalling that a greater number of adequacy assessments would be issued by the Government to remove the ‘unnecessary barriers to cross-border data flows’ and that certification methods would be embraced. This approach echoes similar proposals under the Privacy Act reforms on overseas transfers to introduce mechanisms to prescribe countries and certification schemes under APP 8.2(a), and to make standard contractual clauses available to APP entities.
For the UK, no doubt the EU-UK cross-border transfers will be a priority action (and its need to retain EU adequacy), but adequacy assessments for key Commonwealth jurisdictions, including certain designated sectors in Australia, may not be a bridge too far.
The DCMS reforms reference ‘empowering international trade’ by striking new ‘data partnerships’, with priority countries listed as including the United States, Australia and Singapore, and promoting research and development of innovative technologies. If implemented as proposed, these reforms could well result in facilitating more efficient and seamless data-flow transfers between the UK and Australia, thereby improving trade between the two countries.
It will be interesting to see if the Australian Government will follow the UK’s lead on proposed reforms. Whilst the UK reforms made all the right noises in heralding a ‘risk- and outcome-based approach’ and a reduction in compliance burden, the UK Government’s response has confirmed that the devil will indeed be in the detail once the final text of the Bill is published and placed before Parliament.
Australian regulators and the AG’s office will no doubt be watching with interest. Providing a practical and proportionate framework, whilst also maintaining a hard line on serious data privacy infringements, is no mean feat. But whilst an improvement in Australia’s privacy regulatory framework is much needed, the AG’s Office will need to strike the right balance to avoid reducing the benefits that increased digitisation and technology innovation have brought to both Australian and global organisations, particularly in a post-COVID world.