UK government publishes response to reform of UK data protection regime
On June 17, 2022, the UK government published its long-awaited response to the consultation on reforming the UK data protection regime. As part of the UK’s post-Brexit national data strategy, the consultation gathered responses on proposals to reform the UK’s data protection regime to boost the UK economy. In its response, the UK government indicated which proposals it would pursue and which would likely feature in an upcoming data reform bill.
Overall, these reforms do not replace the existing data protection compliance regime in the UK, which derives from EU legislation such as the General Data Protection Regulation and the ePrivacy Directive. Instead, the proposals are incremental and largely amend obligations that organizations will already be familiar with under the current regime. As expected, the reforms are largely business-focused, with the overall goal of reducing the compliance burden on businesses of all sizes and making it easier to use (and reuse) data for research.
1. Proposed changes to requirements arising from existing data protection legislation
Several proposals amend existing requirements in current data protection legislation, whether by tailoring those requirements to the size of the organization and/or the risks presented by its processing of personal data, by turning mandatory requirements into voluntary ones, or by changing compliance thresholds or introducing additional exceptions to current obligations. These include:
- Introduce a new obligation for organizations to implement “privacy management programs”, adapted to the size of the organization and the risks presented by its processing. Under these programs, the existing requirements to appoint a data protection officer (DPO), to conduct data protection impact assessments (DPIAs) and to maintain records of processing activities (ROPAs) are replaced by more flexible and tailored requirements, such as appointing an appropriate “accountable superior” responsible for the privacy management program, implementing “risk assessment tools” and keeping personal data inventories. Existing DPOs, DPIAs and ROPAs may remain in place and may continue to be used to demonstrate compliance.
- Replace the mandatory requirement to consult the Information Commissioner’s Office (ICO) where an organization has identified a processing activity that poses high risks which cannot be mitigated with a voluntary consultation regime.
- Remove the need for websites to display cookie banners to UK residents, and allow cookies and similar technologies to be placed on a user’s device without explicit consent for a broader range of purposes. The UK government has also declared its intention to move to an opt-out model for cookies once ministers are satisfied that users have access to technology that helps them effectively manage their preferences about how their data is stored and processed, except for websites likely to be accessed by children.
- Extend the soft opt-in for direct marketing to non-commercial organizations.
- Introduce qualified exceptions to the balancing test required when relying on legitimate interests as a basis for processing (i.e., where there are clear public interest reasons for the processing to take place).
- Amend the threshold for organizations to refuse to respond to a data subject access request, from “manifestly unfounded or excessive” requests to “vexatious or excessive” requests, in accordance with the freedom of information regime.
- Introduce reforms to ensure that data exporters can act “pragmatically and proportionately” when using alternative data transfer mechanisms (e.g., standard contractual clauses).
These proposals aim to reduce the burden on data controllers and, to a lesser extent, processors, when complying with data protection legislation. The business-friendly orientation of these proposals has raised concerns that they could undermine the European Commission’s (EC) UK Adequacy Decision, which currently allows the free flow of personal data from the EU to the UK (for more information see our alert here). The UK government notes that the EC’s adequacy decisions do not require an “adequate” country to have the same rules as EU law, and maintains that the proposed reform of UK law is compatible with many such decisions.
2. Proposals to promote research/innovation
Several proposals also aim to stimulate research and innovation. These include:
- Clarify what constitutes data processing for research purposes.
- Include a broader notion of consent as a legal basis for scientific research.
- Introduce a qualified derogation from the obligation to inform/recontact data subjects under Art. 13(3) of the UK GDPR when reusing personal data for research purposes.
- Clarify how the data may be reused (for example, the circumstances that constitute further processing and the applicable legal basis for such processing).
- Clarify that the standard required for data to be considered anonymous should relate to the circumstances at the time of processing.
- Redefine restrictions on automated decision-making as a right to safeguards rather than a blanket ban.
Since anonymous data is not considered personal data and therefore falls outside the scope of the GDPR, the proposal to clarify the standard for anonymous data has the potential to unlock a substantial amount of data for organizations to use for analysis, research and other processing purposes. However, organizations should ensure that they have a relevant legal basis for anonymizing personal data in the first place, as the act of anonymizing is itself a processing activity that falls within the scope of the GDPR.
On AI, the UK government has also said it will further examine how the concept of fairness applies in the broader AI governance context, and will introduce a new exception to allow the processing of sensitive personal data for the purpose of monitoring and correcting bias in AI systems. The UK government has also reiterated its intention to publish a white paper on AI governance in line with its national data strategy and, consistent with its previous position, has stated that it does not intend to legislate separately for AI (in contrast to the EU’s forthcoming AI Act).
3. Proposals for reform of the Office of the Information Commissioner
The UK government also intends to reform the ICO, the body responsible for overseeing the UK’s data protection regime. Its proposals include:
- Refocus enforcement on the most serious threats rather than the high volume of low-level complaints.
- Reform the complaints framework: data subjects must attempt to resolve their complaint directly with the relevant controller before filing a complaint with the ICO, and the ICO will have discretion not to investigate certain types of complaints (including complaints where the data subject has not first attempted to resolve the issue with the relevant organization).
- Expand the ICO’s enforcement powers to commission technical reports and compel witnesses to attend interviews.
- Increase the maximum fine the ICO can impose under the Privacy and Electronic Communications Regulations from £500,000 to £17.5 million or 4% of global turnover (whichever is greater), in line with the UK GDPR and the Data Protection Act 2018.
- Modify the statutory deadline for the ICO to issue a penalty following a notice of intent: in special circumstances, the ICO will no longer be required to issue the penalty within 6 months of issuing the notice of intent.
- Introduce an obligation for the ICO to set out, to the relevant data controller at the start of an investigation, time limits for the phases of that investigation.
- Allow the ICO to take action on nuisance calls based on the number of calls an organization generates, and require communications providers to report suspicious traffic levels.
Some proposals, such as those to reform the complaints framework and to establish investigation timeframes, will be welcomed by organizations, as they provide opportunities for internal complaint resolution and reduce uncertainty in the event of an investigation. The refocusing of enforcement on serious threats coincides with a recent announcement that the ICO will now be able to retain up to £7.5m of the fines it imposes in a financial year; the impact of these developments in practice remains to be seen.
Takeaways
As these proposals have not yet been translated into legislative text, no immediate action is required. The UK government has also said that almost all organizations that comply with the current UK regime will be in compliance with the future regime, and that many companies, as a matter of good practice, have already implemented the new requirements. This means that, for organizations operating primarily in the UK, the overall impact of the proposals (as they currently stand) is likely to be minimal; similarly, as long as organizations operating in both the UK and Europe continue to assess their compliance with EU data protection law, the overall impact of the proposals should also be limited. That said, since these proposals are also likely to provoke formal and informal reactions, in particular from the European authorities, who have not yet indicated whether they agree with the UK’s position on compatibility, the possibility of further changes cannot be excluded. We are monitoring this space closely for updates.