Taking a wrong turn? Government pursues data protection reform
Further to last year’s ‘Data: A New Direction’ consultation, and the statement by the Minister for Brexit Opportunities & Government Efficiency, Jacob Rees-Mogg, to the European Scrutiny Committee on 20 April 2022 that the Government would bring forward a new data protection Bill, the Government has today announced in the Queen’s Speech that it will bring forward legislation in this Parliamentary session to reform the UK’s data protection law, which was adopted virtually wholesale from the European General Data Protection Regulation (GDPR).
While the precise content of the Data Reform Bill has not yet been published, Sky News has reported that a Bill will be put forward in the summer. The Briefing Notes on the Queen’s Speech state that the purposes of the Data Reform Bill are to “Take advantage of the benefits of Brexit… to create a new pro-growth and trusted UK data protection framework that reduced burdens on business” while protecting personal data to a “gold standard”, “modernise the Information Commissioner’s Office” and “increase industry participation in Smart Data Schemes”.
Impetus
The Government’s 10 Tech Priorities include “Unlocking the Power of Data”, “Keeping the UK safe and secure online”, “Fueling a new era of Startups and Scaleups”, and “Unleashing the transformational power of tech and AI”, all of which are impacted by existing data protection legislation.
The National Data Strategy reflected on the UK’s status as the largest data market in Europe, and suggested that data hoarding, a lack of clarity around data rights, and the failure to exploit data, presented barriers to the UK’s ambitions to drive economic growth. One of the missions of the strategy is “securing a pro-growth and trusted data regime”, which is stated to mean “maintaining a data regime in the UK that is not too burdensome for the average company; one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, to drive growth across the economy”, while the public “have confidence and trust in how data, including personal data, is used”. Data availability was recognised as a key pillar underpinning the UK’s strategy, requiring appropriate mechanisms for international data flows, as was the use of data in a manner which is “lawful, secure, fair, ethical, sustainable and accountable”.
Data: A New Direction
With those priorities in mind, the Government published a consultation on proposals for reform of the UK’s data protection regime in September 2021. The Government states that the proposals are not expected to disrupt the UK’s ‘adequacy’ status under the GDPR, which eases data flows from the EEA to the UK, and that they are expected to create a £1 billion economic benefit over 10 years.
The proposals included:
- Remodelling the UK GDPR to incorporate relevant text from the recitals into the legislation itself, to provide greater clarity
- Providing greater clarity on, and easing the requirements for, processing personal data for research purposes, particularly further research use
- Relaxing restrictions on processing personal data for training and testing AI, and for identifying, monitoring, detecting and correcting bias
- Legislating for specific circumstances which will constitute a legitimate interest lawful basis for processing personal data, negating the need to conduct a legitimate interests assessment to balance the rights of data subjects
- Either expanding or removing the right not to be subject to solely automated decision-making and profiling having legal or similarly significant effects
- Introducing compulsory transparency reporting on the use of AI in decision-making by public bodies, government departments and government contractors using public data
- Making it easier to lawfully process special category personal data by:
    o Creating a new legal basis for processing health data where necessary for reasons of substantial public interest in the context of public health or other emergencies
    o Augmenting or otherwise clarifying the grounds for processing special category personal data in the substantial public interest
- Incorporating into the legislation when personal data will be considered identifiable, and therefore not anonymous, and when data should be considered anonymous, and making clear that this is to be determined in the hands of the relevant controller
- Easing data sharing by:
    o Introducing an information sharing gateway between the regulators in the Digital Regulation Co-operation Forum (DRCF)
    o Clarifying that a third party processing personal data on behalf of a public body is entitled to rely on the same lawful basis for processing and is not required to identify its own lawful basis
    o Clarifying the rules on further use of personal data by different data controllers, whether for a compatible purpose or, where protecting an important public interest, for an incompatible one
    o Formalising the role of data intermediaries
- Moving from a check-box approach to compliance to risk-based privacy management programmes, reinforcing the requirement to take appropriate technical and organisational measures to protect personal data and reflecting the accountability principles of leadership and oversight, risk assessment, policies and processes, transparency, training and awareness of staff, and monitoring, evaluation and improvement, including by:
    o Removing the requirement for certain organisations to designate a data protection officer (or requiring only public authorities, or certain types of public authority, to appoint one), and instead requiring the appointment of an individual responsible for the privacy management programme and oversight of compliance
    o Removing the requirement to conduct data protection impact assessments, while maintaining a requirement for risk management processes
    o Removing the requirement for high-risk processing to be the subject of prior consultation with the Information Commissioner
    o Removing the requirement to maintain records of processing activities
    o Increasing the threshold for reporting data breaches to the Information Commissioner, so that a breach would only be reportable if it presented a material risk to the rights and freedoms of data subjects
    o Imposing a requirement to have effective and transparent complaints handling procedures in place and to publish transparency information about complaints received
- Amending the requirements of the Privacy and Electronic Communications Regulations to:
    o Extend the soft opt-in for electronic marketing communications
    o Increase the maximum fine for breaches and enhance other enforcement tools
    o Remove the requirement to obtain consent for analytics cookies, treating them as strictly necessary, or remove cookie consent requirements more broadly in relation to functionality
    o Introduce a duty on communication service providers to report suspicious traffic, to tackle unsolicited and fraudulent calls and texts
    o Legislate that messages from political parties are not to be treated as direct marketing, or permit reliance on the soft opt-in
- Expanding the mechanisms for restricted international data transfers by:
    o Permitting adequacy decisions to be made in respect of groups of countries, regions and multilateral frameworks
    o Extending the period after which adequacy decisions must be reviewed, currently 4 years
    o Clarifying, in the context of determining adequacy, that the necessary redress mechanism can be either judicial or administrative
    o Establishing a four-stage approach to adequacy decisions legitimising restricted international data transfers, comprising gatekeeping, assessment, recommendation and procedure
    o Exempting so-called ‘reverse transfers’, i.e. the return of personal data from a processor to a controller, from the scope of the restricted international data transfer regime
    o Enabling organisations to design and implement their own restricted international data transfer mechanisms
    o Granting the Secretary of State the power to recognise alternative restricted international data transfer mechanisms
    o Permitting derogations for restricted international data transfers to be relied on repetitively
    o Modifying the certification regime to be globally compatible
- Reducing the burden on the Information Commissioner’s Office by requiring a complainant to raise a complaint with the relevant controller before being entitled to complain to the Information Commissioner, and granting the Information Commissioner powers not to consider complaints
- Revising the Information Commissioner’s enforcement powers by:
    o Introducing a new regulatory enforcement tool in the form of voluntary undertakings
    o Increasing the Information Commissioner’s enforcement powers by granting a right to compel witnesses and an entitlement to instruct a third party to produce a technical report to inform its regulatory investigations
    o Extending the period within which the Information Commissioner must issue a final penalty notice following a Notice of Intent to 12 months, and introducing a ‘stop the clock’ mechanism
- Limiting the right of data subjects to access their personal data by introducing a fee regime in the form of a cost ceiling
- Revisiting Part 3 of the Data Protection Act 2018, which deals with processing for the law enforcement purposes, to:
    o Clarify the rules on the collection, use and retention of biometric data by the police, potentially by issuing a new code of practice
    o Bring consistency to Parts 3 and 4 of the Data Protection Act 2018, governing processing for the law enforcement purposes and processing for national security respectively
- Increasing the governance and oversight of the Information Commissioner’s Office through:
    o The imposition of statutory strategic objectives and duties on the ICO in the exercise of its functions, including the overarching objectives to uphold data rights and encourage trustworthy and responsible data use, and duties to have regard to economic growth and innovation, to have regard to competition, to have due regard to public safety, to consider the Government’s international priorities and to co-operate with other regulators, and enabling the Secretary of State to issue a statement of strategic priorities
    o Introducing an independent board and CEO at the ICO, to be appointed through a public appointments process
    o Requiring improved reporting by the ICO by implementing KPIs and potentially imposing transparency obligations
    o Granting the Secretary of State the right to commission an independent review of the ICO’s activities and performance
    o Requiring the ICO to conduct and publish impact assessments when issuing guidance, codes of conduct etc.
    o Granting the Secretary of State the power to require the ICO to appoint an independent expert panel to inform its proposed guidance, codes of conduct etc., and a right of approval over such documents
- Absorbing the functions of the Biometrics Commissioner and the Surveillance Camera Commissioner into the ICO
Response to the consultation’s proposals
The ‘Data: A New Direction’ proposals were not universally welcomed, with the Biometrics and Surveillance Camera Commissioner complaining that he had been unaware of the proposals, and the Information Commissioner raising concerns at the prospect of the independence of the role being fettered.
In some areas, such as so-called ‘cookie walls’, the Information Commissioner called for the Government to go further, whereas in others it objected: to proposals which might remove the requirement for fairness in the adoption of AI, remove safeguards for solely automated processing or reduce its independence, and to proposals to revise how organisations are to be accountable for data protection compliance, which risked reducing protection for data subjects. Greater clarity on the proposals was called for throughout.
The Information Commissioner also pointed out the incongruity between some of the proposals and the data subject rights with which they would interact.
A move to a risk-based approach makes compliance more difficult for micro entities and SMEs and, in reality, is likely to result in lower overall compliance.
There are certainly grounds to criticise the current data protection framework:
- the Information Commissioner is inadequately resourced to provide guidance promptly or to enforce its provisions appropriately;
- in specialist areas of processing, such as for the purposes of journalism, the Information Commissioner’s Office can lack the relevant expertise and fails to source it externally;
- while most people will have heard of the GDPR, applying its principles can be complex, and many organisations have an inadequate understanding of the practical requirements or lack the resources to access expertise;
- the gargantuan potential fines under the GDPR (and now the UK GDPR) were effective in provoking fear and initially attracting the attention of business leaders, and notices of intent issued by the Information Commissioner have been similarly headline-grabbing, but in reality the largest fines have been significantly lower and have tended to result from data breaches rather than unlawful processing activities;
- where unlawful processing has taken place, fines and notices to cease processing data can appear ineffective and do not prevent the competitive advantage obtained from that unlawful processing from being exploited.
The Government’s proposals won’t address these issues. Nor will they address the reality that changes to UK law need to be given sufficient time to be embedded by the complex multinational organisations responsible for the vast majority of personal data processing; where such organisations do not adopt changes to UK law in their standard terms for widely used products and services, for example, British businesses are exposed to legal and regulatory risk.
We will be keeping our resources on data protection reform up to date as the proposals progress.
Should your organisation require advice or support in understanding or implementing data protection legislation, or if you want to understand how data protection reforms may impact you, please contact us.
Find out more about our data protection and data privacy services.