On 10 May 2022, the United Kingdom (UK) Government announced its intention to introduce a reform bill that will implement extensive changes to the existing domestic data protection framework. In the Queen’s Speech, the Prince of Wales unveiled the UK's planned Data Reform Bill, which expects to create ''a more flexible, outcomes-focussed approach to data protection that helps create a culture of data protection, rather than 'tick-box exercises.''' If implemented, the proposed changes will see the UK deviate from the standards that apply in the European Union (EU) under the General Data Protection Regulation (the EU GDPR). While the purpose of the changes is to loosen restrictions imposed by the EU GDPR on the use of data, it will create a parallel privacy regime and increase the number of laws with which businesses are required to comply. The UK Government will publish the draft legislation later this year. In this client alert, we summarize those changes that are likely to be included in the draft legislation and which businesses operating in the UK should be aware, as well as their potential impact on the UK adequacy decision.
As part of its Brexit arrangements, the UK incorporated the GDPR into domestic law by way of the Data Protection Act 2018 (the UK GDPR). In June 2021, the European Commission (EC) issued its decision confirming that the arrangements in place ensure an adequate level of protection for the purposes of Article 45 of the EU GDPR. The EC’s adequacy determination is not permanent and may be revoked if the EC determines that the UK no longer provides the requisite protection. The EC is scheduled to review the adequacy determination at the latest in 2024. However, the EC has already indicated that such review may come earlier if the UK deviates too far.
Those in favor of Brexit argued that it would allow the UK to deviate from the laws and standards imposed by the EU on Member States. These deviations would allow the UK to realise a 'Brexit dividend'. The EU's data privacy was one such law. On 10 September 2021, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) launched a consultation outlining its proposals to extensively reform the UK’s data protection and privacy regime. Those proposals fell within five broad categories:
- Boosting Trade and Reducing Barriers to Data Flows;
- Reducing Administrative Burdens on Businesses;
- Reducing Barriers to Responsible Innovation
- Delivery of Better Public Services; and
- Reform of the Information Commissioner's Office (ICO).
The consultation ran until 19 November 2021. The UK Government has now confirmed that it will introduce reforms to the domestic data privacy framework in this parliamentary term.
The UK Government has said that the proposed changes to the UK's data protection laws are ''pro-growth and innovation-friendly,'' will ''support vibrant competition and innovation to drive economic growth'' and will ''maintain high data protection standards without creating unnecessary barriers to responsible data use.'' The full detail of the proposed changes will be revealed when the draft bill is published. However, it is anticipated that the changes will include the following:
Accountability of Data Controllers
The EU GDPR is accountability-centric. In particular, the EU GDPR, requires data controllers to maintain a record of processing, produce Data Protection Impact Assessments (DPIAs) and, for organizations that process data on a 'large scale,' they must appoint a Data Protection Office (DPO). The proposed changes are aimed at empowering organizations to make their own determination of the risks that they are willing to take when processing personal data. This is potentially a significant departure from the one-size fits all approach but introduces a ‘comply or explain’ principle. For example, it is proposed that:
- The requirement to maintain a record of processing will be abolished and controllers will, instead, be required to prepare and maintain 'personal data inventories.' Those inventories will focus on processing activities but less on peripheral aspects;
- It will no longer be mandatory for data controllers to prepare and maintain DPIAs. Instead, a more flexible approach will be adopted permitting data controllers to adopt different approaches to identifying and minimizing privacy risks; and
- Data controllers will no longer be required to notify the ICO prior to conducting a high-risk processing activity.
The UK GDPR requires data controllers to report all data breaches unless it ''is unlikely to result in a risk to the rights and freedoms of natural persons'' (Article 33). The UK Government has proposed increasing this threshold to reduce the number of reports that data controllers are required to make to the ICO. It is also proposed that a new voluntary undertaking model will be introduced that would allow data controllers to develop an approved remedial action plan that can be invoked in the event of a breach.
Right to Charge for Subject Access Requests
In most cases, data controllers are currently unable to charge data subjects a nominal fee for complying with subject access requests (DSARs). The UK Government has proposed removing this restriction and bringing the arrangements in line with the Freedom of Information Act 2000. Under that regime, public bodies are entitled to charge for the costs of sending the information (e.g., the costs of photocopying and postage).
If a data subject wants to complain about a proposed fee for a DSAR or complain about any other data protection matter, then they need to lodge the complaint directly with the ICO. However, to reduce the volume of complaints the ICO receives, the UK Government intends to introduce an obligation for complainants to attempt to resolve their complaints directly with the data controller before lodging a complaint with the ICO.
Organizations are currently prohibited from storing information, or gaining access to information stored on a computer or smartphone (i.e., using 'cookies'), unless the individual has provided consent (or unless such cookies are strictly necessary). The UK Government has proposed to reform those cookie rules with the aim of reducing 'consent fatigue,' either by allowing a wider range of cookies to be used without consent (such as analytical or tracker cookies), or only requiring consent for certain stipulated purposes such as invasive tracking or real-time bidding.
International Data Transfer Mechanisms
The circumstances around which personal data can be transferred or 'exported' to third countries is presently subject to ensuring that adequate protections exist and has been the subject of extensive litigation. The UK Government has proposed exploring legislative change which will ensure that a range of alternative transfer mechanisms are available to UK organizations which are clear, flexible and provide the required protections for personal data in three ways:
- Proportionality – The safeguards put in place for international transfers should be based on clear principles which are proportionate to the risks that data subjects face. The UK Government proposes to clarify the legislation on assessing these risks in order to facilitate more detailed and practical support for organisations on determining risk;
- Flexibility and future-proofing – The existing set of alternative transfer mechanisms in Article 46(2) of the UK GDPR constrain transfers and may lack the flexibility required for future international transfers. The UK Government, therefore, proposes to amend the international transfers regime to give organisations greater flexibility; and
- Interoperability – The UK should build an international transfer regime which is flexible and allows it to adapt to mechanisms which have been created by other third-party countries for international transfers. The UK Government, therefore, wants to adopt a regime compatible with new international transfer regimes.
The precise detail of the changes to be included will not be known until the UK Government publishes the draft bill. However, while businesses may welcome a reduction in ''red-tape,'' the reality is that a substantial number of data controllers operate across borders and, as such, will remain subject to the EU GDPR (or other privacy laws). For that reason, these changes may have little practical effect because companies based in the UK will still need to comply with the EU GDPR. Instead, by diverging from the EU GDPR, the UK may be increasing the cost of compliance. Further, divergence too far from the GDPR may cause the EC to withdraw its adequacy decision. Once we see the full text of the Bill, the position should become much clearer and we will provide a further update which will set out the implications in full.