On 17th June 2022, the Department for Digital, Culture, Media and Sport (DCMS) published its response to the consultation it ran on the reform of UK data protection law. DCMS's response sets out 63 reform proposals that the UK government intends to take forward, as well as those proposals it will and will not consider further.
The original consultation ran between September and November 2021. The proposals within it and those that will be now be taken forward align with the UK's National Data Strategy and focus on the following 5 key areas:
- Reducing barriers to responsible innovation;
- Reducing burdens on business and delivering better outcomes for people;
- Boosting trade and reducing barriers to data flows;
- Delivering better public services; and
- Reform of the Information Commissioner's Office.
This article sets out some of the key changes that the government will now adopt under each of the focus areas. You can also read the article we published on the consultation in October last year here.
1: Reducing barriers to responsible innovation
In order to reduce barriers to innovation, the government plans to implement changes to data protection law across a number of areas that touch on innovation. The proposed changes include those described below:
Research purposes: Consolidation of the rules on processing personal data for research purposes, linking them to relevant ICO guidance and creating a clear statutory definition of scientific research to provide clarity as to when processing will be for research purposes.
Further processing: Clarification of the rules on re-use of personal data, including setting out how further processing may be possible:
- For an incompatible purpose when based on a law that safeguards an important public interest or when the data subject has re-consented; and
- When the original processing relied on consent.
Legitimate interests: Creation of a limited list of legitimate interests for businesses to process personal data without applying the legitimate interests balancing test. These are likely to include processing activities which are:
- Undertaken by data controllers to prevent crime or report safeguarding concerns; or
- Necessary for other important reasons of public interest.
- A power to add to the list will also be created.
AI and machine learning: Clarifying that Schedule 1, Paragraph 8 of the Data Protection Act 2018 enables the processing of sensitive personal data (referred to as special category data in the UK GDPR) for the purpose of monitoring and correcting bias in AI systems.
Rights in relation to automated decision-making and profiling: The scope and limits of Article 22 of the UK GDPR will be clarified.
Data minimisation and anonymization: Adopting the Council of Europe's Convention 108 test for whether data is anonymous and whether a living individual is identifiable.
2: Reducing burdens on business and delivering better outcomes for people
To reduce the burdens of complying with data protection law and at the same time deliver better outcomes for people, the government plans to implement wide-ranging changes to core data protection requirements within the UK GDPR.
Reform the accountability framework: Organisations will be required to operate a risk-based privacy management programme focused on privacy outcomes rather than the UK GDPR's prescriptive requirements. This will lead to: the replacement of requirements to appoint a data protection officer with a requirement to have a senior person responsible for oversight of data protection; the removal of the requirement for data protection impact assessments – although this will be replaced with an obligation to ensure there are risk assessment tools in place; and the removal of the requirement to maintain records of processing activities – although an organisation will need to have data inventories.
Subject access requests: The threshold of "manifestly unfounded" for refusing subject access requests will be replaced with the concept of "vexatious or excessive" requests being exempt - in line with the Freedom of Information Act – this will lower the threshold for businesses to refuse subject access requests to stem the floodgates of disruptive DSARs.
Privacy and electronic communications (PECR): Significant changes relating to privacy and electronic communications include:
- In the immediate term, removing the consent requirement for analytics cookies and similar technologies;
- In the future, moving to an opt-out model of consent for all cookies placed by websites, other than those likely to be accessed by children. This will be significant change and will be permitted provided that the website gives the web user clear information about how to opt out;
- Requiring websites to respect preferences set by individuals through their browsers;
- Extending the so-called "soft-opt in exemption" for direct marketing to include communications from non-commercial organisations, such as charities and political parties;
- Empowering ICO to take action against organisations for the number of unsolicited direct marketing calls 'sent' as well as calls 'received' and connected;
- Introducing a 'duty to report' on communication service providers in relation to suspicious traffic transiting their networks;
- Empowering ICO to impose assessment notices on companies suspected of PECR breaches; and
- Fines for breaches under PECR will be increased to UK GDPR levels – i.e. from a maximum of £500,000 now to £17.5 million or 4% of a business's global turnover – a significant deterrent and likely to change direct marketing risk analysis considerably.
Use of personal data for the purposes of democratic engagement: The "soft opt-in exemption" for direct marketing will extend to other political entities including candidates and registered third-party campaign groups who are registered with the Electoral Commission.
3: Boosting trade and reducing barriers to data flows
The government intends to boost trade while reducing barriers to data flows by introducing the following changes:
Alternative transfer mechanisms: Creation of a new power for DCMS to create new UK mechanisms for transferring data overseas or recognise in UK law other international data transfer mechanisms.
Adequacy: Reformation of the power DCMS has to make adequacy decisions, with a focus on risk-based decision-making and outcomes, and considering the desirability of facilitating international data flows. Removal of the requirement for the DCMS Secretary of State to conduct a review of an adequacy decision every 4 years.
4: Delivering better public services
The government wishes to deliver better public services by implementing changes to data protection law that will enable that delivery. The changes that will be adopted include those described below:
Non-public bodies delivering public tasks: Clarification of which lawful processing grounds are available to organisations when they are requested by a public body to help deliver a public task.
Digital Economy Act 2017: Extension of the data sharing powers under the Act to improve public service delivery.
Building trust and transparency: Alignment of key terms within Part 3 (law enforcement processing) and Part 4 (intelligence services processing) of the Data Protection Act 2018 to drive consistency across the UK GDPR.
Public safety and national security: Rules on the police's use of biometric data will be clarified.
5: Reform of the Information Commissioner's Office
We have outlined below the proposals that may have significant impact on businesses, the ICO and its independence.
Strategy, objectives and duties: A new statutory framework setting out ICO's strategic objectives will be introduced, alongside duties to have regard to economic growth and innovation, competition issues and to consult with relevant regulators and bodies when exercising its powers.
Complaints: Data controllers will be required to implement a complaints-handling process that is simple and transparent for data subjects to use, and that data subjects must use this before making a complaint to the ICO. The legislation will also set out the criteria the ICO can use to determine whether to pursue a complaint, the aim of which is to provide clarity and enable the ICO to take a more risk-based and proportionate approach to complaints.
Enforcement powers: Introduction of a provision to permit the ICO additional time beyond the six month statutory deadline to issue a Penalty Notice following a Notice of Intent to issue a fine (under certain circumstances). The ICO will also be granted a new power to compel witnesses to attend interviews during investigations and answer questions.
Proposals which are being considered further
The DCMS's response also outlines proposed changes which need further consideration by the government. These include:
Further processing: The government intends to clarify the distinction between new processing and further processing.
AI and machine learning: Consideration of fairness at a holistic level to address this across data protection and other relevant regimes which will feature in the White Paper on AI Governance.Privacy and electronic communications: Further requirements for communication providers to block a greater volume of nuisance calls by blocking calls/texts at source and to provide free services to block incoming calls. Other measures will also be considered to reduce unsolicited direct marketing and fraudulent calls.
Adequacy: Consideration of adequacy regulations for groups of countries, regions and multilateral frameworks to simplify international data transfers.
What changes are not being progressed?
Based on the consultation's feedback from respondents, there are a range of proposals that the government does not intend to take forward. These include:
- Creation of a new lawful ground for processing for research purposes;
- Removal of Article 22 of the UK GDPR (regarding profiling and automatic decision-making);
- Raising of the threshold for when data breaches are notifiable to the ICO under Article 33(1) of the UK GDPR; and
- Introduction of a fee for data subject access requests and a cost cap on the activity to deliver them.
What's next?
The Queen's Speech in May 2022 put forward the government's intention to introduce a Data Protection Reform Bill. Until the the Bill is published and the text of the proposed reforms is available, the full impact they may have on businesses is not certain.
However, the proposals, as we know them today, raise a number of questions:
How will they affect the UK's post-Brexit adequacy decision?
At present, the EU's finding of adequacy for the UK means that personal data transfers from the EEA to the UK (including transfers from the UK to the EEA and back to the UK) can continue without the need for any additional safeguard mechanisms. However, this is subject to UK data protection law remaining closely aligned to EU GDPR. DCMS's announcement states that it expects that the UK will maintain adequacy, so it is to be hoped that the European Commission and privacy activists share this view.
Which laws apply to organisations?
As many UK businesses continue to trade with customers in the EEA, they will need to continue to comply with the EU GDPR as well, due to its territorial scope (i.e. the EU GDPR applies when an organisation provides goods or services to, or target, individuals in the EU). While DCMS's position is that the proposed reforms will make data governance easier for UK-only businesses (i.e. those not conducting business with the EU), this will not necessarily be true for those businesses targeting the UK and EU, who will need to continue to satisfy the requirements of both regimes.
What about existing data protection compliance?
Many UK businesses have invested large amounts of time and money to put in place systems, documentation and training to comply with the GDPR. Will they need to make further changes in line with the new UK regime? This could be the case, for example, where organisations have not established or are not running ongoing privacy management and monitoring programmes, i.e. where GDPR compliance was treated as a tick-box exercise to meet prescriptive requirements for May 2018 and no significant privacy management activities have taken place since. It could also be the case where target-operating models for data protection have not been established and no senior person has responsibility for data protection within the organisation. The changes to PECR, particularly the increased fining potential, could also make some organisations decide to review their approach to direct marketing.
Overall, there is still some way to go until we have a better understanding of the impact the changes will have on UK businesses.
However, it is now clear that another round of gap analysis, review of existing processes and change implementation is likely to be required for businesses in the UK very soon.
