
Handley Gill Limited


U-turn?

The Government chose the hottest day of the year so far, and the last day of London Tech Week 2022, to publish its response to the ‘Data: A New Direction’ consultation, the precursor to the forthcoming Data Reform Bill which was proposed in ‘The Benefits of Brexit’ policy paper and formally announced in the Queen’s Speech 2022.

Handley Gill has previously published a post about the consultation and the Queen’s Speech announcement.

The central theme of the proposals, both as originally proposed and according to the Government’s latest position, is to capitalise on the freedoms created by Brexit to establish a framework which moves away from the absolutist approach demonstrated in judgments and decisions of the European courts and supervisory authorities, and instead adopts a risk-based approach to both compliance and enforcement.

Following the consultation, however, a headline message that the government seeks to convey in its response is that, notwithstanding its determination to replace multiple requirements of the existing data protection compliance regime under the UK GDPR and Data Protection Act 2018, it is not intended that the reforms should lead to additional costs for business. Instead, existing compliance measures will be valid mechanisms for complying with the forthcoming requirements for a holistic privacy management programme, thus granting organisations greater flexibility without requiring a wholesale rip up and refresh of existing processes, procedures and documentation.

The Information Commissioner has now welcomed the proposals.

In this post, we identify which of the consultation proposals is in, what’s out, and what to look out for in the future.

In a future post, we will comment on the implications of the proposals, and identify what else we would like to see in the forthcoming Data Reform Bill.

What’s in?

  • Protections for processing for the purposes of scientific research, historical research and for statistical purposes will be highlighted and given binding status, with the provisions of recital 159 UK GDPR being elevated to operative provisions to supplement Article 89 UK GDPR.

  • Provisions relating to research will be collated together in the legislation for easier signposting.

  • Binding status will be provided to provisions on the potential breadth of consent in the context of scientific research, by incorporating the provisions of recital 33 UK GDPR into the operative provisions.

  • Creation of an exemption to the requirement under Article 14 UK GDPR to provide transparency information to data subjects where personal data are processed for research purposes and it would involve disproportionate effort to contact them again in connection with additional processing activities.

  • Recital 62 UK GDPR will be given binding status to make clear that, when considering whether the provision of transparency information would involve disproportionate effort in connection with research, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

  • Clarification on the circumstances in which personal data may be used for alternate purposes (data re-use), including further processing for an incompatible purpose when based on a law that safeguards an important public interest, and to make clear that further processing when the original lawful basis for processing was consent cannot be undertaken other than in limited circumstances.

  • Introduction of exemptions to the requirement to conduct a balancing exercise when relying on the legitimate interests lawful basis under Article 6(1)(f) UK GDPR (subject to potential safeguards in connection with children’s personal data), which it is envisaged will include likely processing activities which are undertaken by data controllers to prevent crime or report safeguarding concerns, or which are necessary for other important reasons of public interest, with a power for the list to be amended by way of secondary legislation.

  • Introduction of a new lawful basis for processing personal data under Article 6 UK GDPR for registered political parties, permitted participants in a referendum and elected representatives when processing personal data for the purposes of democratic engagement.

  • Amending Article 6 UK GDPR to clarify which lawful grounds for processing are available to organisations when they are requested by a public body to help deliver a public task.

  • Introduction of a new ground for processing special category personal data in Schedule 1 Data Protection Act 2018 for processing for the purpose of monitoring and correcting bias in AI systems subject to appropriate safeguards, such as limitations on re-use and the implementation of security- and privacy-preserving measures.

  • To extend paragraph 22 of Schedule 1 Data Protection Act 2018, which permits processing of special category personal data in the form of political opinions by political parties for the purposes of democratic engagement, to elected representatives.

  • To refine the definition of personal data at Article 4(1) UK GDPR to import the definition of what renders an individual identifiable from the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, making clear that this applies only to persons “who can be easily identified: it does not cover identification of persons by means of very sophisticated methods”.

  • Implementation of privacy management programmes based on the level of processing activities and the volume and sensitivity of personal data they handle, with sanctions for non-compliance carrying maximum fines of the greater of £8.7m or 2% of annual worldwide turnover.

  • The requirement for certain organisations to appoint a data protection officer under Article 37 UK GDPR will be abolished, and replaced with a requirement to nominate a responsible individual.

  • The requirement under Article 35 UK GDPR to conduct a data protection impact assessment (DPIA) in respect of processing likely to result in a high risk to data subjects will be abolished, although DPIAs will remain a valid route to compliance with the requirements of privacy management programmes.

  • The removal of the obligation under Article 30 UK GDPR to maintain records of processing activities, to be replaced with an obligation to document purposes of processing. In practice, for many organisations, some form of record of processing is likely to remain the foundation for their privacy management programme.

  • The obligation to consult with the Information Commissioner in respect of processing which, notwithstanding any mitigations and safeguards, poses a high risk to data subjects under Article 36 UK GDPR will be abolished in favour of recognising voluntary prior consultation as a mitigating factor in the event of enforcement action.

  • The threshold for refusing a data subject access request or the exercise of other data subject rights under Article 12(5) UK GDPR will be reduced from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’.

  • Amendment of Article 45(2) UK GDPR, which details the factors to be taken into account by the Secretary of State when making an adequacy decision on the level of protection for personal data afforded by a third country or international organisation, to permit a risk-based approach to be adopted, provide for consideration to be given to the effectiveness of redress mechanisms (whether judicial or administrative), and provide for consideration to be given to the desirability of facilitating international data flows.

  • Amendment of s.17B(1) Data Protection Act 2018 to extend the period for conducting reviews of adequacy decisions in respect of third countries and international organisations.

  • Permission for data exporters to act “pragmatically and proportionally” in the use of alternative transfer mechanisms.

  • The Secretary of State will be permitted to bring forward regulations to recognise new alternate transfer mechanisms under Article 46 UK GDPR.

  • Introduction of greater consistency between the UK GDPR, and Parts 3 and 4 Data Protection Act 2018.

  • The restrictions on setting cookies on devices under Regulation 6 Privacy and Electronic Communications Regulations will be relaxed to expand the types of cookies that can be set without explicit consent being obtained from the current ‘strictly necessary’ category of cookies to other ‘non-intrusive’ cookies, which it is anticipated will include website analytics cookies.

  • The exemption from the restriction on the sending unsolicited email communications under Regulation 22(2) Privacy and Electronic Communications Regulations, the so-called ‘soft opt-in’, will be extended to non-commercial organisations and to political parties and elected representatives.

  • Enforcement against nuisance/unauthorised marketing calls will be based on the number of calls generated, rather than the number of calls connected.

  • Communications providers will be subject to a duty to report unusual activity on their networks to the Information Commissioner.

  • The Information Commissioner’s enforcement powers in relation to breaches of the Privacy and Electronic Communications Regulations will be enhanced to align more closely with those under the UK GDPR, including the power to issue assessment notices, to carry out audits, and to impose fines up to the same maximum levels.

  • A power to make regulations to exempt political communications from the scope of the Privacy and Electronic Communications Regulations will be introduced.

  • The introduction of a new principal statutory objective for the Information Commissioner coupled with a series of specific statutory duties, including duties to have regard to competition, growth and innovation, and to public safety.

  • The introduction of a power granting the Secretary of State the right to prepare a statement of non-binding strategic priorities (SSP) for the Information Commissioner to have regard to when discharging his data protection functions, which will be subject to Parliamentary approval and sit underneath the statutory objective and other statutory duties.

  • The introduction of a chief executive, chair and board to replace the current corporate sole structure of the Information Commissioner, with the chair being appointed by Her Majesty by Letters Patent, and non-executive board members appointed by the public appointments process and the chief executive appointed by the board in consultation with the Information Commissioner.

  • The Information Commissioner’s salary will no longer be subject to Parliamentary approval.

  • Replacing the Information Commissioner and Information Commissioner’s Office as the name for the data protection regulator.

  • The Information Commissioner will be required to establish expert panels in connection with the preparation of its guidance and codes of practice, unless exempt, carry out impact assessments and obtain the Secretary of State’s approval for guidance and codes of practice, unless exempt, and the Secretary of State will publish her rationale.

  • The Information Commissioner will be granted the discretion to determine when and how to investigate complaints and the power not to investigate certain complaints.

  • The Information Commissioner will be granted power to commission technical reports, taking into consideration the relevant knowledge and expertise available to the controller or processor and the impact of the cost of producing the report.

  • The Information Commissioner will be granted the power to compel witnesses to attend and answer questions, subject to protections.

  • Schedule 16, paragraph 2(2) Data Protection Act 2018 will be amended to grant the Information Commissioner in certain circumstances more than the current 6 month period to issue a penalty notice following the issue of a notice of intent without the consent of the person subject to the notice.

  • Transparency requirements will be imposed on the Information Commissioner in relation to its investigations and enforcement action, to require the relevant controller to be informed of its anticipated timelines.

What’s out?

  • No new lawful basis for processing for the purposes of research will be created.

  • Bias monitoring and correction in AI systems will not be included in the exemptions to the requirement to conduct a balancing exercise when relying on the legitimate interests lawful basis.

  • The restriction in Article 22 UK GDPR on decisions based solely on automated processing, including profiling, which produces legal effects concerning data subjects or similarly significantly affects them will be retained.

  • There will be no introduction of a voluntary undertakings programme in the event of infringements, akin to Singapore’s Active Enforcement regime.

  • The threshold for data breach reporting to the Information Commissioner under Article 33 UK GDPR will not be altered, but the Information Commissioner will be encouraged to produce clearer guidance.

  • No cost ceiling for data subject access requests under Article 15 UK GDPR will be introduced.

  • A nominal fee for data subject access requests under Article 15 UK GDPR will not be re-introduced.

  • So-called reverse transfers, for example where data is exported from the UK to a data processor in the EEA and is then transferred back to the controller in the UK, will not be exempted from the scope of the data transfer provisions under Chapter 5 UK GDPR.

  • Data exporters will not be permitted to establish their own alternative transfer mechanisms.

  • Article 49 UK GDPR, which establishes derogations from the transfer requirements, will not be amended to make clear that derogations may be relied upon repeatedly.

  • There will be no extension of s35 Digital Economy Act 2017 to facilitate personal data sharing from the public to the private sector.

  • There will be no amendment to Schedule 1 Data Protection Act 2018 to clarify the grounds for processing special category personal data in the form of health data outside the healthcare sector in an emergency.

  • The government will not seek to appoint the chief executive of the data protection regulator.

  • There will be no introduction of a compulsory transparency reporting on the use of algorithms in decision-making for public sector bodies.

  • There will be no attempt to define the meaning of ‘substantial public interest’ in Schedule 1 Part 2 Data Protection Act 2018.

  • There will be no further statutory restrictions on the use of biometric personal data by policing.

  • The Information Commissioner’s statutory duties will not include consideration of the government’s wider international priorities.

  • The Secretary of State will not be given the power to initiate reviews of the Information Commissioner’s performance.

  • The Information Commissioner will not be required to produce impact assessments in respect of products other than guidance and codes of practice.

  • Schedule 16, paragraph 2(2) Data Protection Act 2018 will not be amended to increase the period the Information Commissioner has to issue a penalty notice following the issue of a notice of intent, without the consent of the person subject to the notice, from 6 to 12 months.

  • The Biometrics Commissioner’s casework functions will not be transferred to the Information Commissioner.

What to look out for in future

  • Publication of a white paper on AI governance, addressing issues including fairness and transparency.

  • Amendment to Article 22 UK GDPR, which restricts decisions based solely on automated processing, including profiling, which produces legal effects concerning data subjects or similarly significantly affects them, to instead introduce safeguards on such processing.

  • Legislation in the form of regulations to enable the development of Smart Data Schemes.

  • The establishment of specific lawful grounds for processing personal data by data intermediaries.

  • The restrictions on the setting of cookies under Regulation 6 Privacy and Electronic Communications Regulations will ultimately move to an opt-out approach with the current cookie banner requirements replaced by browser-based and similar solutions that will help people manage their cookie and opt-out preferences, except in relation to websites “likely to be accessed by children”.

  • Prospective increase in obligations on communications providers to block nuisance calls.

  • The exemption of political communications from the scope of the Privacy and Electronic Communications Regulations could be introduced.

  • Consolidation of the UK GDPR, DPA 2018, PECR and the new Data Reform Bill.

  • Consideration of making adequacy regulations in respect of groups of countries, regions and multilateral frameworks.

  • Consideration of making the certification regime under Article 46(2)(f) UK GDPR, which provides a lawful basis for transfers, more compatible with international or other countries’ data protection regimes.

  • Public consultation on extending s35 Digital Economy Act 2017 to support personal data sharing within the public sector to improve public services.

  • Introduction of additional grounds for processing special category personal data under Schedule 1 Data Protection Act 2018, including to permit sporting bodies to fairly assess the eligibility of athletes for restricted category events and to extend the provisions which currently permit the processing of race and ethnicity data to improve diversity at senior levels within organisations to other types of data relating to under-represented groups.

  • The Biometrics Commissioner’s casework functions will be considered for transfer to the Investigatory Powers Commissioner.

  • The government is considering whether the ICO or other existing bodies could carry out some of the Biometrics and Surveillance Camera Commissioners’ ancillary activities, such as the third-party certification scheme for surveillance camera operators.

Nicola Cain