On 10 September, the UK government launched its widely-anticipated consultation on reforms to the UK’s data protection laws. The consultation paper, titled ‘Data: a new direction’, runs to 146 pages and includes some significant proposals.
The last few years have seen plenty of changes to data protection rules. Since the EU’s General Data Protection Regulation (GDPR) came into effect in May 2018, we’ve had the impact of Brexit and the move to a revised domestic GDPR, as well as anxieties about international transfers and adequacy decisions. Whilst a period of consolidation would surely have been welcomed, it’s been clear for some time that wasn’t going to happen. Ministers have been talking up changes as part of the government’s data strategy and delivering a ‘Brexit dividend’, which has caused alarm among campaigners and privacy activist who fear a weakening of individual rights.
In reality, the proposals contained in the consultation are not quite as radical as either the government or its most vociferous critics would like you to believe. If they were adopted in full they would certainly ‘soften’ the law, but there’s to be no great bonfire of data protection law, with most of the basics staying firmly in place. This includes the data protection principles, the lawful bases for processing, (most of) the individual rights and the enforcement regime. A summary of the changes is set out below.
The most eye-catching changes are reserved for accountability. Proposals include removing the requirements for organisations to appoint data protection officers, undertake data protection impact assessments and maintain records of processing activities. These would be replaced by more flexible ‘privacy management programmes’.
The press release accompanying the consultation states that “the government recognises that the current regime places disproportionate burdens on many organisations. For example, a small hairdressing business should not have the same data protection processes as a multimillion pound tech firm”. This is a classic straw man. If the small hairdressing business really does have the same processes as the multimillion pound tech firm, then it’s been very badly advised. Nevertheless, organisations large and small are likely to broadly welcome the shift towards an even more flexible approach and, in the face of yet more legislative changes, the knowledge and skills of data protection officers are likely to remain in demand.
Innovation and individual rights
Under the heading ‘reducing barriers to responsible innovation’, there are some welcome technical changes proposed that would make it easier for personal data to be used (and reused) for research purposes, a proposal to create a list of ‘legitimate interests’ and detailed proposals on the use of artificial intelligence and automated processing. This may or may not include removing the Article 22 rights in relation to automated decision-making. As AI technology continues to develop, it is right that the government takes a cautious approach to reforms in this area.
On individual rights, there are proposals to introduce a cost limit for subject access requests and to require controllers to put in place complaints procedures. These appear to echo the current freedom of information regime that will be familiar to public bodies. Controllers will certainly welcome the proposed cost limit, given the disproportionate amount of time and effort spent on a small number of such requests.
Cookies and direct marketing
Given recent Ministerial comments on cookie consents, it’s no surprise that the government intends to make amendments to the often overlooked Privacy and Electronic Communications Regulations. Proposals include allowing more types of cookies to be set without consent, including for analytical purposes, and allowing charities and political parties to take advantage of the ‘soft opt-in’ to send direct marketing to existing contacts (or exempting politicians entirely from these rules in the name of democratic engagement). Whilst there is certainly an appetite for reform to cookie compliance rules, the prospect of more direct marketing from politicians may be considerably less popular. The consultation also includes a long-overdue proposal to bring penalties under the Regulations into line with the UK GDPR.
International data transfers
The consultation contains a whole chapter on international transfers. There is plenty of ambitious talk about increasing the number of countries that the UK assesses as ‘adequate’, to allow more international data transfers without restriction. Perhaps more significantly, the government intends to explore additional alternative transfer methods, for use where there are no adequacy regulations in place. There is little detail on how these might work in practice, although the proposal to allow organisations to determine their own transfer method appears to be a throwback to the position under the Data Protection Act 1998.
This is the chapter that is potentially of most interest to the European Commission, which will be looking closely at whether any new international transfer rules are compatible with the EU’s GDPR and therefore whether there is anything that may undermine the UK’s current adequacy decision with the EU.
Changes at the regulator
Lastly, the consultation contains changes to how the Information Commissioner’s Office (ICO) is run and managed. The cumulative effect of the proposals is to give the government increased control over the ICO, for instance by setting regular strategic priorities and imposing additional duties. Rather than being the office of the post holder, the proposals envisage that the ICO will be led by an independent board and a CEO. It would be interesting to know the thoughts of John Edwards on these proposals. He was only announced as the government’s preferred nominee as the next Information Commissioner in August, and already the role looks set for a significant make-over.
The consultation will run until 19 November 2021. If you have any comments or would like to discuss how the changes might affect you, please get in touch.