Data Protection Post-Brexit

Last month saw the publication by the Department for Digital, Culture, Media and Sport of new proposals for data protection following the UK’s departure from the EU.  The announcement was made following the conclusion of the ‘Data: a New Direction’ consultation (a summary of which can be found at https://www.gov.uk/government/consultations/data-a-new-direction), which ran between September and November 2021.  The announcement outlines the proposals that the government intends to take forward into the anticipated Data Reform Bill – unless of course recent leadership events get in the way!  This represents the second major change to data protection regulation since Brexit, a UK version of the GDPR having already come into effect last year.

Although the government is still considering several of the proposals, those that are likely to form part of the Data Reform Bill have been covered in some detail in the government’s response to the consultation.  They fall under five headings:

  • reducing barriers to innovation – providing clarity and certainty to businesses;
  • reducing burdens on business and delivering better outcomes for people – reducing disproportionate burdens on businesses while delivering better outcomes for people in relation to the processing of personal data;
  • boosting trade and reducing data flow barriers – including plans to create an autonomous UK international transfers regime, which supports international trade and eliminates unnecessary obstacles to cross-border personal data flows;
  • delivering better public services – through improved use of and access to personal data; and
  • reforming the ICO – including proposals to implement a new, modern governance framework with an independent board, and to require the ICO to account for the impacts of its activities on growth, innovation and competition.

The government’s stated aim is to “establish the UK as the most attractive global data marketplace” and to “create a framework which empowers citizens through the responsible use of personal data”.  To achieve this the government aims to give individuals greater clarity over their rights and a clearer understanding of how to access and benefit from their own data.  In addition, the Information Commissioner’s Office (ICO) is to be given more effective powers to deter nuisance calls, which it is hoped will alleviate a source of stress for many.  The overall intention is to create a data rights regime which “delivers not only economic benefits but wider societal benefits alongside personal benefits to citizens”.  Time will no doubt tell how successful the government is in that regard.

The proposals in the government’s response run to some 30 headings across 5 chapters. The key take-aways from it are as follows.

Reducing barriers to responsible innovation

The government plans to reduce the legal requirements relating to the use of personal data in connection with scientific research and to introduce statutory definitions for “scientific research”, “historical research” and “statistical purposes”.  These are intended to provide clarity and certainty for researchers and will allow a concept of broad consent where it is not possible to fully identify the purpose of the processing at the point of data collection.  The government will also clarify the rules on further processing.

Possibly of more general relevance, however, is the fact that the government plans to introduce a limited list of legitimate interests for which businesses can process personal data without needing to apply the balancing test which is currently required. This list is likely to include “processing activities which are undertaken by data controllers to prevent crime or report safeguarding concerns, or which are necessary for other important reasons of public interest”. It may also include processing personal data for business innovation purposes that are aimed at improving services for customers.

Within chapter 1 of the report there are also proposals relating to AI, automated decision making, data minimisation and anonymisation.  Here the government has shied away from removing Article 22 of the UK GDPR, which provides, inter alia, for individuals’ right “not to be subject to a decision based solely on automated processing”.  This may yet be revisited, however, since the government plans to publish a white paper on the governance of artificial intelligence, following the publication of its National AI Strategy (https://www.gov.uk/government/publications/national-ai-strategy) in September 2021.  Finally in this chapter, the government intends to clarify when data would be regarded as anonymous, and therefore outside the scope of data protection legislation, and plans to bring forward proposals dealing with data intermediaries and innovative data sharing solutions.

Mitigating burdens on businesses and delivering better outcomes for people

A key outcome for the government is to reduce the data protection burdens faced by business.

One of the ways in which it will achieve this is to reduce risk management requirements for certain organisations, including SMEs. Whilst the government takes the view that the current principle of accountability is fundamental, it also recognises that the current requirements for data controllers to demonstrate how they comply with data protection legislation can place a disproportionate burden on some organisations.

It is therefore intended to build greater flexibility into specific obligations on organisations, including removing the existing requirements to appoint a Data Protection Officer (Articles 37 to 39), to conduct Data Protection Impact Assessments (Article 35) and to maintain records of processing activities (Article 30).

Notwithstanding these changes, organisations will still be required to maintain high data protection standards.  To achieve this there will be a new requirement for organisations to implement risk-based privacy management programmes, which will require them to consider measures including the appointment of a senior person in the organisation to be responsible for privacy.

Also to be reviewed are the provisions relating to subject access requests.  These have proved to be something of a challenge for many law firms, who have seen them used by disgruntled clients, opposing parties in litigation and even competitors as a means of gaining access to information or simply causing trouble for the firm. Whilst the government accepts the importance of data subjects being able to access their data, it is conscious of the pressure that this places upon smaller organisations, especially when the right is used as a weapon against the organisation.  Consequently the government plans to proceed with changing the current threshold for refusing, or charging a reasonable fee for, a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’, which will bring it into line with the Freedom of Information regime.  Proposals to introduce a nominal fee for exercising the right were, however, rejected.

In addition to looking at changes to the UK GDPR and the Data Protection Act 2018, the consultation also looked at provisions to be found in the Privacy and Electronic Communications Regulations (“PECR”), in particular the cookie consent requirements. The proposals put forward are to update the PECR, replacing the existing cookie “opt-in” requirements with a new “opt-out” model. This, it is hoped, will reduce the number of cookie banners popping up on websites.  Plans have also been put forward to increase the financial penalties under PECR for nuisance calls and texts and other serious breaches, raising the existing cap of £500,000 to match the penalties under the UK GDPR of £17.5 million or 4% of worldwide revenue, whichever is higher.

Boosting trade and reducing barriers to data flows

The government intends to create an autonomous framework for international data transfers that reflects the UK’s independent approach to data protection, which will help to drive international commerce, trade and development and underpin modern-day business transactions and financial institutions.

As for the UK’s approach to adequacy assessments of third countries, it is proposed that there be a risk-based approach to adequacy, which will allow additional factors, including the value of facilitating international data transfers, to be considered when reaching an adequacy decision.  This will be combined with ongoing monitoring of adequacy regulations and a relaxation of the current requirement to review them every four years.

For countries which are not subject to an adequacy decision, new powers will be introduced to formally recognise alternative transfer mechanisms. This proposal will allow the Secretary of State to create new mechanisms for the transfer of UK data overseas, and to recognise international mechanisms in UK law.

Improving public services

One of the things the government wanted to do was to build upon lessons learned from the COVID pandemic about the power of using personal data responsibly in the public interest, and the benefits of collaboration between the public and private sectors.  The government takes the view that there are challenges to doing this effectively, including data infrastructure that is not interoperable, legal and cultural barriers to data sharing, inconsistent data capability in the workforce and financial disincentives that discourage investment.

As a consequence, the government has stated that it wants to create a “joined-up and interoperable data ecosystem for the public sector” capable of addressing those limitations whilst at the same time maintaining high levels of public trust. These reforms could include ways to improve the delivery of government services through better use and sharing of personal data.

The UK Government will seek to support personal data sharing within the public sector in order to improve the delivery of public services. This could be achieved by extending the public service delivery powers under s 35 of the Digital Economy Act 2017 to business undertakings.  Other proposals in this chapter include clarifying the rules on the use, collection and retention of biometric data by the police, and specifying new scenarios in which certain processing activities are permitted on grounds of substantial public interest.

However, the government confirmed that it would not be pursuing its proposal to permit the lawful processing of health data by organisations, without the supervision of healthcare professionals, on grounds of substantial public interest during public health or other emergencies.

Reform of the Information Commissioner’s Office (“ICO”)

Finally, the government has put forward proposals for the reform of the Information Commissioner’s Office (ICO). The plan is to modernise the governance of the ICO by introducing a statutory board with a chair and a chief executive, the chief executive being appointed by the ICO’s board in consultation with the DCMS Secretary of State rather than by the government. At the same time, the government will introduce a new statutory framework setting out the strategic objectives and duties that the ICO must aim to fulfil when exercising its data protection functions.  This, it is suggested, will ensure that the ICO continues to promote the rights of data subjects whilst taking account of growth, innovation and competition. There will also be criteria governing when the ICO should pursue a complaint, which it is hoped will enable the ICO to take a proportionate, risk-based approach to the handling and investigation of complaints.

As a part of these reforms, the ICO will be required to publish:

  1. A strategy setting out how it will discharge its functions and deliver against its objectives.  The ICO will be required to report annually on performance against its strategy.
  2. Key Performance Indicators (KPIs).  The ICO will be required to report at least annually against its KPIs.
  3. Its approach to delivering its new objectives and duties framework. The ICO will be required to report annually on how it has discharged its functions in line with the new framework.
  4. A response to the government’s Statement of Strategic Priorities – explaining what it proposes to do as a consequence of this statement. The ICO will also be required to report annually on activities taken, as set out in its response to the statement.
  5. Its approach to enhanced consultation and the setting up of expert panels with regard to codes of practice and statutory guidance.  The composition of each panel and the rationale for it should be published in advance of the panel convening. A summary of the panel’s engagement should be published, together with the ICO’s justification for adopting or not adopting its recommendations. Impact assessments produced in relation to codes of practice and statutory guidance should also be published.
  6. Its approach to exercising its discretion concerning complaints handling.
  7. Statutory guidance under s.160 of the Data Protection Act 2018, which will be extended to cover the ICO’s new enforcement powers.

“Data: a new direction – government response to consultation” can be found on the GOV.UK website (https://www.gov.uk/government/consultations/data-a-new-direction/outcome/data-a-new-direction-government-response-to-consultation).