On 10 September 2021, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) published its long-awaited proposals for reform of the country’s data protection laws. The consultation paper includes a detailed and comprehensive set of suggested amendments to the UK GDPR, Data Protection Act 2018, and Privacy and Electronic Communications Regulations (PECR), with the cumulative effect resulting in a potentially major overhaul of existing standards. These proposals form part of the UK’s wider strategic plan to reform current regulations, following its departure from the European Union at the beginning of this year.

Ten of the most significant proposals from the paper are outlined below:

Accountability and governance

DCMS is proposing substantial modifications to current accountability standards, including potentially revoking existing obligations to perform data protection impact assessments (DPIAs), maintain records of processing, and appoint a data protection officer.

These measures could instead be replaced with a new duty on controllers to implement a risk-based ‘privacy management programme’ (PMP). A PMP would essentially be a form of compliance governance framework, which is intended to introduce a more ‘holistic’ and less rigid approach to accountability. The consultation paper indicates that a PMP would need to include, for instance, clear roles and responsibilities for compliance, internal data protection policies, risks assessment tools (which consider privacy risks across the organisation), and operational plans to periodically monitor, assess and revise the PMP.

Data breach reporting

Due to concerns about over-reporting of personal data breaches, DCMS is contemplating changing the test for when such breaches need to be reported to the UK ICO.

Currently, controllers have to notify the ICO of breaches, except where they consider it unlikely to result in a risk to the rights and freedoms of data subjects. This standard could be modified, so that where an incident is not considered to pose a material risk to individuals, then notification can be avoided.

Lawful grounds for processing

Several amendments could be made to the existing rules governing the lawful grounds for processing. DCMS suggests providing organisations with clarity on when legitimate interests can be relied upon, by including a statutory list of specific use-cases where the ground will apply by default. These may include, for example, internal research and development, product safety, and monitoring of algorithmic bias. Where the processing activity falls within the scope of this limited set of circumstances, controllers will no longer be required to perform a balancing test.

The paper also includes proposals to introduce a new lawful basis for scientific research and expand or clarify the circumstances under which the ‘substantial public interest’ exemption can be relied upon for the processing of special category data.

International data transfer mechanisms

DCMS is looking to make the existing rules governing transfers of personal data from the UK to third countries more “proportionate, flexible and interoperable”.

The proposed changes could include, amongst other things, empowering organisations to develop and self-approve their own transfer mechanisms (as opposed to relying on existing standards) and allowing non-UK bodies to develop accredited international certification schemes which can be relied upon by UK companies to facilitate the free flow of data. The Secretary of State may also be granted the power to introduce or approve new alternative transfer mechanisms from time to time.

Adequacy decisions

Consistent with DCMS’ recent announcement on its plans to increase trade through global data partnerships, the consultation paper outlines the ambition to be “the world’s most attractive data marketplace.” This will likely be underpinned by a more risk-based and proactive approach to the granting of adequacy decisions, which will permit the free flow of data to the relevant third countries.

Adequacy assessments could be made with respect to particular sectors or territories within a jurisdiction, which offer sufficient protections over personal data. They may also form part of multilateral frameworks entered into between the UK government and several other countries.

Cookies

Various potential options for reforming existing cookie requirements are set out within the consultation paper. The most significant being consideration of ways in which cookie pop-up notices could be removed from websites, while still safeguarding user privacy.

A less ambitious alternative could involve removing the obligation under PECR to obtain prior consent for analytics cookies and similar technologies, where they involve a low risk of harm to users.

DCMS also suggests aligning the maximum fines for infringements of PECR (which are currently set at £500,000) with those under the GDPR.

Artificial intelligence

Taking into account the growing interest in regulating artificial intelligence and other algorithmic systems, DCMS outlines a series of potential reforms that could be introduced with respect to the use of personal data in such contexts.

This includes introducing further clarity on how the UK GDPR’s fairness obligation should apply to AI and the potential enhancement of the explainability and accountability obligations that apply to controllers in connection with the use of ‘inferred data’, when making automated decisions about individuals.

The paper considers both the potential revocation and expansion of the obligations relating to solely automated decision-making under Article 22 UK GDPR. Meanwhile, it also advocates for compulsory transparency reporting by public authorities and private government contractors where algorithms are being used to facilitate decision-making.

Data subject access requests

Due to the significant costs that organisations often incur in complying with the data access obligation, DCMS has proposed the re-introduction of a nominal fee that has to be paid by data subjects prior to making a subject access request.

In addition, organisations may be able to cap the costs they have to incur in responding to a DSAR and refuse vexatious requests made by data subjects.

Anonymisation

The UK GDPR could be amended to include a statutory standard for what constitutes anonymisation under data protection law. This is intended to address existing confusion on the measures that need to be taken by organisations.

Role of the UK ICO

DCMS intends to take a more interventionist approach to managing the role and strategic vision of the UK ICO. The consultation paper indicates that the government believes the ICO currently utilises excessive resources in handling small-scale, but high volume, complaints and that it wants to move the focus towards addressing the most serious threats posed to public trust.

As part of this reform, data subjects may be required to seek to resolve their complaints directly with the relevant controller before reporting them to the ICO. To facilitate this change, controllers may also be required to introduce a simple and transparent complaints-handling process.

What next?

The government consultation on the proposals is now open and runs for 10 weeks, closing on the 19 November 2021. This presents an unprecedented opportunity for organisations and individuals to influence the future UK data protection framework, which is also bound to have an impact on the way this area of law develops internationally.