There can be little argument that the current regime for data protection in the UK has become complicated. Moreover, since the introduction in the UK of the General Data Protection Regulation (GDPR) on 25 May 2018, the potential penalties for non-compliance have been increased to a level where many have been forced to take notice of legislation which had previously, more often that not, been honoured only in the breach.
Even before Brexit took effect, the legislation was at best ambiguous. The EU-imposed GDPR was billed as the main legislative requirement, but its provisions were incorporated into the Data Protection Act 2018 – often with a UK interpretation – which was the UK’s implementation of GDPR. Even within the GDPR, there was a mixture of Articles which had clear legislative effect and Recitals which provided guidance and support of those principles but whose authority was always in doubt. Indeed, the government has itself stated that the “recitals to the UK GDPR are not legally binding and there is no clear nor standardised explanation on what these procedures should include, despite the ICO’s guidance”.
Following the end of the Brexit transition period, which occurred on 31 December 2020, the UK implemented its own version of GDPR – the UK GDPR which replaced provisions previously expressed on an EU-wide basis with provisions intended to apply only to the UK. Some of these were in identical terms to those found in the original GDPR, and some others were reworded.
With these issues in mind, and with the expressed intention of wanting to “secure an even better data protection regime that fully supports a world-leading digital economy across the UK”, the government has issued a consultation on UK data protection reform which contains a number of eminently sensible proposals designed to make data protection compliance by businesses easier and less costly but which inevitably also contains a great deal of unsubstantiated, and at time impractical, rhetoric.
EU Adequacy Decisions
The extent to which the UK will be able to implement the proposed provisions contained in the consultation, depends to a degree on the extent to which the government wants to test the recent European Commission adequacy decisions relating to transfers of personal data between the UK and EU.
These agreements have confirmed that the UK currently has ‘adequate’ data protection for the transfer of personal data from the EU. This therefore opens up the opportunity for lawful transfers of data between the EU and UK thus making life easier for those businesses and service providers with operations based in the EU who otherwise would have had to rely upon other less straightforward methods to ensure data transfers to the UK were lawful – for example Standard Contractual Clauses.
Clearly the government will not wish to upset these arrangements – and it can be no coincidence that the government’s plans have not been published until after the adequacy decision was made. These adequacy agreements are very much reliant upon the UK’s data laws continuing to be acceptable to the EU and, should the UK decide to plough its own furrow in relation to data protection laws then the EU could potentially withdraw its adequacy decisions.
What does the consultation propose?
The government’s consultation entitled Data: a new direction was published on 10 September 2021 and remains open until 19 November. It can be found at www.gov.uk/government/consultations/data-a-new-direction. It aims to “build on the key elements of the current UK General Data Protection Regulation (UK GDPR), such as its data processing principles, its data rights for citizens, and its mechanisms for supervision and enforcement,” and will continue to “maintain high data protection standards without creating unnecessary barriers to responsible data use”. It hopes that it will help to:
- strengthen our position as a science superpower by simplifying data use by researchers and developers of AI and other cutting-edge technologies;
- secure the UK’s status as a global hub for the free and responsible flow of personal data;
- reinforce the responsibility of businesses to keep personal information safe, while empowering them to grow and innovate; and
- ensure that the ICO remains a world-leading regulator, enabling people to use data responsibly to achieve economic and social goals.
Comprising five chapters spread over 144 pages, the consultation is a detailed document which looks at data protection in the UK from the perspective of empowering businesses to be able to make better use of data without at the same time reducing public protections. It aims therefore to remove much of the bureaucracy and box ticking that is to be found in the GDPR and to replace it with practical and proportionate steps that focus on outcomes rather than processes. It also plans to bring in line requirements currently to be found in the Privacy and Electronic Communications Regulations (PECR) and to increase fines under the PECR to similar levels as those currently to be found in the GDPR.
There is a considerable amount of detail contained within these provisions – much of which has little application to the average law firm. We will, therefore, concentrate here on the “headline” issues and those that are most likely to impact on legal practice.
Reducing barriers to responsible innovation
Chapter 1 of the report looks at proposals to put in place the right governance, regulations and incentives so as to “encourage organisations to make use of data responsibly” and to addressing the uncertainty in our current data protection regime that “risks creating barriers to data access, use and sharing that stifle innovation and competition”. To achieve this, the consultation proposes that research specific provisions be consolidated and that there should be a clearer definition of what constitutes scientific research. This could include the creation of a new lawful basis for the use of personal data for research purposes. This could include a clarification that data subjects should be “allowed to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection”.
Linked to this, and of more direct relevance to law firms, are the proposals in relation to legitimate interest processing. There are currently six lawful bases for processing personal data. These are consent, performance of a contract, legal requirement, vital interests of the individual, performance of a public task and legitimate interest. This latter basis permits data to be used for a purpose other than that for which it was acquired where the processing does not infringe the rights of the individuals whose data is involved and where an assessment or balancing of the rights of the individual versus the need for the processing of this data has been carried out by the data controller.
The disadvantage of the legitimate interest assessment from the point of view of the controller is that there is considerable uncertainty as to when the controller’s rights outweigh those of the data subject and there is also an often not inconsiderable cost in terms of time and resources in carrying out the assessment. To help to address this, the government therefore proposes creating a list of defined legitimate interests for which organisations can use personal data without applying the balancing test, subject to it still being necessary for the stated purposes and proportionate. Any processing not on the list would still require the balancing test to be applied – which would also be a requirement in relation to the use of children’s data, irrespective of whether the data was being processed in connection with an activity on the list. The types of issues which might be included on the list would be:
- reporting of criminal acts or safeguarding concerns to appropriate authorities;
- delivering statutory public communications and public health and safety messages by non-public bodies;
- monitoring, detecting or correcting bias in relation to developing AI systems;
- audience measurement cookies or similar technologies to improve web pages that are frequently visited by service users;
- improving or reviewing an organisation’s system or network security;
- improving the safety of a product or service that the organisation provides or delivers;
- using personal data for internal research and development purposes, or business innovation purposes aimed at improving services for customers;
- managing or maintaining a database to ensure that records of individuals are accurate and up to date, and to avoid unnecessary duplication; or
- improving data security through processes such as anonymisation.
The government also proposes that certain types of automated decision-making should be permitted without human oversight. This is currently not permitted by Article 22 of the UK GDPR unless required for a contract with an individual, authorised by law or based on explicit consent. The government is suggesting that, whilst it considers “the safeguards under Article 22 are meaningful in some use cases”, that “the current operation and efficacy of Article 22 is subject to uncertainty” and that it “can be considered too restrictive to ensure that the UK GDPR remains principle-based and future-proofed in light of evolving machine learning and AI technologies.” The proposal, therefore, is that Article 22 be scrapped so as to permit the UK to “deliver more agile, effective and efficient public services and further strengthen the UK’s position as a science and technology superpower”.
The government hopes to be able to develop a safe regulatory space for responsible AI development, testing and training which would allow for greater freedom to experiment.
Reducing burdens on businesses
Chapter 2 of the consultation addresses methods by which the burden of data protection on businesses can be reduced and thus enable the legislation to deliver better outcomes.
Whilst the government continues to be committed to high standards of data protection it wants to have a regulatory regime that delivers this without unnecessary burdens. The government’s view is that the current legislation is too reliant upon a ‘box-ticking’ compliance regime as opposed to one which encourages a proactive and systemic approach. It believes that the danger of a “largely one-size-fits-all approach from organisations, regardless of the relative risk of their data processing activities, can potentially discourage innovation in how to achieve the actual goals of using data responsibly and protecting individuals’ rights”. This in turn will lead to the delivery of worse outcomes for individuals “while imposing unnecessarily high costs on organisations, as well as disincentivising the development of better practices”.
A key driver of unnecessary burdens on organisations is the accountability framework set out in Article 5 of the UK GDPR. For this reason, the government proposes that changes be made to the accountability framework.
Although the principle of accountability is fundamental, setting out specific requirements that organisations must satisfy in order to demonstrate compliance simply generates “significant and disproportionate administrative burdens which misdirect time and energy away from the activities that ensure the responsible use of personal data in a specific context”. The view is that this approach to compliance may also be putting a particularly disproportionate burden on SMEs and organisations that undertake low risk processing – for example the vast majority of law practices.
To address this, the government is proposing to implement a more flexible and risk-based accountability framework which is based on privacy management programmes. Under this framework, organisations would be required to implement a privacy management programme tailored to their processing activities and ensure data privacy management is embraced holistically rather than just as a “box-ticking” exercise. This mirrors the approach to be found in many non-EU countries such as Australia, Canada and Singapore. This would allow organisations to implement a risk-based privacy programme based on the amount and type of personal data handled and could take account of the types of activities in which the firm was involved.
It will still be necessary for organisations to know what data they hold and where, for what it is used, the lawful bases that apply to that use and for how long it needs to be kept. There will also continue to be the need to ensure that information is kept secure and that privacy rights are addressed. However, there could be greater flexibility and control over how this is achieved.
To achieve this, organisations would be expected to develop and implement a risk-based privacy management programme reflecting the volume and sensitivity of the personal information handled, and the type(s) of data processing carried out. The kind of issues that would need to be addressed would include:
- Roles and responsibilities within the organisation in relation to personal data protection with designated individual(s) being responsible for representing the organisation to the ICO and data subjects where necessary.
- Evidence that oversight and support from senior management, and appropriate reporting mechanisms to senior management, are in place, and how the organisation ensures its staff understand key data protection obligations, policies and processes.
- Measures to assist in structuring appropriate privacy management programmes. These might include personal data inventories which describe and explain what data is held, where it is held, why it has been collected and how sensitive it is and risk assessment tools to identify, assess and mitigate privacy risks across the organisation.
- Procedures for communicating with data subjects about their data protection rights and the organisation’s policies and processes under a privacy management programme.
- Procedures for handling breaches.
- Regular reviews of the effectiveness and appropriateness of policies, processes and procedures to ensure they remain effective and appropriate.
- Practical steps to ensure clear and easily understandable transparency of policies and processes.
Data Protection Officers
Although not something that will affect most law firms (other than those who have chosen to observe the requirements to be found in Lexcel and CQS rather than explaining why they are not doing so), nevertheless the proposal to abolish the mandatory appointment by certain organisations of a Data Protection Officer (DPO) with specifically defined responsibilities is one that will be welcomed.
Under UK GDPR, a DPO must be appointed by public authorities and by other organisations that satisfy certain specific criteria. The proposal is that the requirement for a DPO be replaced with a requirement to designate a suitable individual (or individuals) to be responsible for overseeing compliance but without specifying any particular requirements and obligations for the role. This will include that the DPO be in some way “independent” of the organisation – and thus effectively preventing them from being involved in other ways in the management of the organisation.
Data Protection Impact Assessments
Another significant burden placed upon organisations by the UK GDPR is that of the need for data protection impact assessments (DPIAs) to identify, assess and minimise data protection risks. The government’s plan is to remove the requirement for organisations to undertake a DPIA and allow them instead to adopt different approaches to identifying and minimising data protection risks that better reflect their specific circumstances.
To mitigate the potentially detrimental effects of removing these, the government would expect organisations to have the privacy management programmes requiring them to put in place risk management processes, including the processes which allow for the identification, assessment and mitigation of data protection risks across the organisation and to place the onus upon organisations to adopt a proportionate and risk-based approach.
To supplement this the government seeks to encourage a more proactive, open and collaborative dialogue between organisations and the ICO on how to identify and mitigate risks, especially for high-risk processing activities. The current legal provisions require that, where an organisation has identified a high risk that cannot be mitigated, it must consult the ICO before starting the processing and may face enforcement action if it fails to do so, including penalties of up to the greater of £8.7 million or 2% of annual global turnover. Instead, the government proposes the removal of this requirement so that it is no longer mandatory, and organisations would not face any direct penalties for failing to consult the ICO in advance of carrying out the processing.
Given the infrequent use of the process, the government considers the benefits may outweigh the risks by encouraging more proactive, open and collaborative dialogue between organisations and the ICO. Organisations would still be encouraged to seek advice and guidance from the ICO where they have identified a high risk but there would also be a list of processing activities that the ICO considers to be high risk to ensure clarity.
Flexible record keeping
Although not affecting most law firms there is a requirement that organisations with 250 or more employees maintain records of processing activities. This must include all of the information set out in Article 30 of the UK GDPR, namely the purposes of the processing; the categories of data and categories of data subjects to which the processing relates; the organisations with which the data might be shared, including in any third countries; and (where possible) how long the data will be kept for and what security measures are in place to protect it. This requirement can involve the creation of large amounts of paperwork, which largely duplicates information required by other provisions in the legislation, particularly the requirement to provide information to data subjects in Articles 13 and 14 of the UK GDPR.
The government therefore proposes to remove record keeping requirements under Article 30 even though there are risks that this could hinder effective enforcement and offer less regulatory protection to data subjects. However, the government considers the risks to be minimal. The new requirements under a privacy management programme would still require certain records be kept but organisations will have more flexibility about how to do this in a way that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out. In any event, Articles 13 and 14 of the UK GDPR will still require much of the same information to be recorded in privacy notices.
One of the issues that arisen as a result of the GDPR is that data protection authorities such as the ICO are being inundated with data breach reports. Under Article 33 (1), an organisation must inform the ICO of a data breach “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. This exemption can only be relied upon where there is likely to be no risk to an individual’s rights and freedoms, thus making even breaches which present a low risk, notifiable.
The government is proposing that organisations would not need to report a personal data breach where the risk to the individual is “non-material” and the ICO will be encouraged to produce clear guidance and examples of what would be ”non-material” risk, and what would or would not be considered a reportable breach.
Subject Access Requests
Subject Access Requests (SARs) have become the bane of many organisations and for many law firms they are being used by disaffected clients to cause trouble, and by opponents in litigation to try and gain information to which they would not otherwise have been entitled. One common example of this is the attempt to circumvent strict disclosure (of information and inspection of documents) protocols that would otherwise need to be followed under the Civil Procedure Rules in the context of actual or prospective litigation.
Whilst the government acknowledges the importance of the SAR as one of the fundamental rights in data protection legislation providing a critical transparency mechanism and allowing individuals to check the accuracy and uses of their personal data, nevertheless it is also aware that some organisations have experienced a number of issues with the ways that subject access requests are submitted and handled. In particular, in relation to an organisation’s capacity to process requests and the threshold for responding to a request.
Under the UK GDPR, organisations are prohibited from charging for SARs unless they can demonstrate that they are unfair or excessive, whereas under the Data Protection Act 1998 a nominal fee of up to £10 was allowed.
To address the issues, the government is considering the introduction of a fee regime (similar to that in the Freedom of Information Act 2000, which provides for access to information held by public bodies) for access to personal data held by all data controllers – structured so as not to undermine an individual’s right to access their personal data but hopefully to be sufficient to discourage time wasters and those using the system for malicious or unethical purposes.
Privacy and electronic communications
Whilst the focus has so far been on changes to the UK GDPR, the government is also looking at a complementary regulation, namely the Privacy and Electronic Communications Regulations 2003 (PECR).
The PECR sets out specific privacy rights relating to:
- Marketing by electronic means, including marketing calls, texts, emails and faxes.
- The security of public electronic communications services and the privacy of customers using communications networks or services and matters such as caller ID and call return.
This covers not only electronic marketing such as the sending of emails to individuals to promote services, but also more controversially – especially recently – covers cookies (a small file stored on a user’s terminal equipment by the web browser) and in particular the spate of pop-up cookie messages that afflict almost everyone accessing websites.
Under the current legislation, organisations are not permitted to place cookies on websites, or other technology without the consent of the individual, unless they are “strictly necessary” for delivering an online service. This requirement is not risk-based and is interpreted very narrowly, which means that consent is necessary for even low risk activities, such as the use of analytics cookies. Consent will usually be sought via pop-up notifications when a user visits a website or accesses a service.
There have been two main consequences of this. First, organisations have been hampered in their ability to improve their websites and services by the stricter consent requirements intended to give consumers greater control over how their data is used. Secondly, individuals are finding that engaging with websites is becoming more onerous due to the need to navigate the profusion of cookie banners which many simply accept without further thought so that they can access a website.
The government is considering tackling these issues by allowing organisations to use analytics cookies and similar technologies without the user’s consent and treating them in the same way as “strictly necessary” cookies under the current legislation for which consent is not required. Organisations would still be required to provide the user with clear and comprehensive information about the measurement technologies that are active on their device and the purposes behind the use of the technology. This would bring us in line with countries such as France which already regards analytics cookies as being “strictly necessary” and therefore does not require consent when certain conditions are met. The government will also look at other alternatives to web browser solutions or software applications that achieve the effect of removing cookie pop-up notices altogether.
Another aspect of the PECR that is being considered is that of the ”soft opt-in” in relation to direct marketing activities. The PECR currently allows email and SMS marketing messages to be sent where consent has been given by the recipient or where the recipient, or for existing customers only, when the soft opt-in requirements are met. However, the consent exemption for existing customers applies only to commercial organisations. The government is proposing that this be extended to cover other organisations such as political parties and charities.
Finally, under the PECR section is the government’s plan to bring PECR’s enforcement regime into line with the UK GDPR and Data Protection Act. The PECR already prohibits organisations from undertaking direct marketing by contacting individuals by phone if they are registered with the Telephone Preference Service or have previously informed the company that they do not wish to be contacted. Similarly, the last few years have seen the government making a number of changes to PECR to provide consumers with greater protection from unsolicited direct marketing (“nuisance”) calls by, for example, the introduction of director liability in 2017 to prevent rogue directors liquidating their companies in order to avoid paying fines and by banning cold calls from pension providers and claims management firms, unless individuals have expressly agreed to be contacted.
Although the legislation has led to enforcement action against a number of UK-based firms responsible for unsolicited marketing calls and texts, this has not been effective against communications from overseas or against fraudulent and scam calls, both of which have seen an increase since the arrival of COVID.
The ICO already has powers to take action for breaches of the PECR and can serve a monetary penalty notice of up to £500,000, which can be issued against the organisation or its directors. However, this is significantly lower than the fines that the Information Commissioner can impose under the UK GDPR which can be up to £17.5 million or 4% global turnover depending upon the contravention.
The government proposes, therefore, that the fines that can be imposed under PECR should be increased to the same level as the UK GDPR to ensure that the enforcement regime is dissuasive, particularly when addressing serious infringements of PECR.
There are just a couple of other issues raised by the consultation which are worthy of mentioning.
The first is in relation to what is referred to as adequacy agreements. Under UK law, there are restrictions on the transfer of personal data to other countries. This helps to ensure that an individual’s data is sufficiently protected. Personal data can only be transferred to another country if that country provides an adequate level of protection, if there are appropriate safeguards in place to protect the personal data, or if one of a limited number of exceptions applies.
UK law allows the government to assess whether other countries’ laws and practices provide an “adequate” level of personal data protection. Where this assessment finds that a country does provide an adequate level of personal data protection, data adequacy status is granted to that country. The effect of adequacy regulations is that personal data can be sent from the UK to the adequate country without any requirement for further safeguards. In practice, this means that a UK-based organisation can send personal data to an organisation based in the adequate country without needing to put in place additional measures (such as standard contractual clauses) to ensure that the data is protected.
The government has stated that it intends to add more countries to the list by progressing an ambitious programme of adequacy assessments and will ensure that all adequacy regulations made under our current laws remain valid under any future regime, using a risk-based decision-making process and by relaxing the current requirement to review adequacy regulations every four years.
The second, and final topic in this report, relates to the ICO itself. The government has indicated that it wishes to assert greater control over the ICO and consequently has proposed introducing a new, statutory framework to set out the ICO’s strategic objectives and duties and a power for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities.
The effect of this would be to bring the ICO into line with other UK regulators such as Ofcom, and Ofgem and would the introduction of a new overarching objective for the ICO, in addition to its other functions, tasks and duties namely:
- upholding data rights: this element of the overarching objective, based on existing legislation, would ensure the ICO can monitor the application of data protection legislation, uphold the data rights of individuals, and safeguard personal data from misuse; and
- Encouraging trustworthy and responsible data use: this element of the objective would ensure the ICO will uphold the public’s trust and confidence in use of personal data.
This is of course only a consultation paper and that which emerges from it should of course be influenced by the feedback that government receives. It is, however, a complex piece of work and one which the government is clearly keen to see progressed. Given its track record in other areas, therefore, it would not be surprising to see the provisions put through in largely the form in which they appear here.
The practical implications upon most law firms will not be great – other than in relation to the advice which they deliver to clients. Observance of the provisions of the GDPR is not something which attracts a great deal of attention at present given that it is not something that the SRA has actively decided to pursue. That does not mean to say that law firms can afford to ignore the provisions with impunity and indeed, failure to observe the provisions of the UK GDPR and other similar laws is in itself a breach of the provisions of paragraph 7 of the SRA Code of Conduct for Solicitors, RELs and RFLs and paragraph 3 of the SRA Code of Conduct for Firms.