policy monitor

UK – Consultation on a new UK data protection regime: ‘Data: a new direction’

The UK government has launched a consultation on reforms intended to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data. The UK's National Data Strategy describes data as a strategic asset whose responsible use should be seen as a huge opportunity to embrace. The consultation was the first step in delivering on Mission 2 of the National Data Strategy: securing a pro-growth and trusted data regime. Now that the UK operates outside the EU, it can reshape its approach to the regulation of data protection and can, according to the government, ‘seize opportunities with its new regulatory freedoms by helping to drive growth, innovation and competition across the country’. The consultation process ran for a year, and in July a first public version of the Data Protection and Digital Information Bill (DPDIB) was released, incorporating the findings that emerged from it.

Summary

The proposals in the consultation are arranged across five chapters, each dealing with an important theme: reducing barriers to responsible innovation; reducing burdens on business and delivering better outcomes for people; boosting trade and reducing barriers to data flows; delivering better public services; and reform of the Information Commissioner’s Office (ICO, the UK data protection authority). The most eye-catching measures from each chapter are explained briefly below, with the European data protection regime as the point of comparison.

Reducing barriers to responsible innovation

The primary novelty here is the introduction of statutory definitions for ‘scientific research’, ‘historic research’ and ‘statistical purposes’. This should provide more clarity and certainty for researchers and ensure consistency across the fields of research currently recognized in UK legislation. A second notable proposal emerging from the consultation is to provide for, and clarify, the concept of broad consent, allowing researchers to rely on less specific consent where the purpose of the processing is not yet fixed at the moment of collection.

Another important topic in this first chapter is further processing, i.e. the reuse of personal data. In its response to the consultation, the government concluded that the current framework lacks clarity on this point and that action is needed. It will not only simplify the legislation so that organizations can see more clearly how personal data may be reused lawfully, but also clarify that further processing for an incompatible purpose may be lawful when it is based on a law that safeguards an important public interest or when the data subject has given fresh consent. On the same topic, the position on further processing by a controller other than the original controller, where the original lawful basis was consent, will also be clarified.

Another notable provision in this first chapter is the creation of a limited list of legitimate interests for which businesses may process personal data without applying the balancing test. One example on the Bill’s proposed list is processing that is necessary for detecting, investigating or preventing crime. Interestingly, the government has chosen to include only purposes relating to the public interest, not general commercial purposes. It remains unclear, however, whether organisations will still need to carry out some form of legitimate interests assessment to establish that the processing is necessary for the envisaged purpose.

Attention is also given to the ambition to write the Council of Europe’s test for anonymization into legislation. In this context the government stated that the test for anonymization is a relative one, so as to avoid setting an impossibly high standard.

Lastly, in relation to automated decision-making, the government had proposed to clarify the limits and scope of Article 22 UK GDPR (the right of a data subject not to be subject to a decision based solely on automated processing). In the new Bill, the government proposes to reframe the existing provisions on automated decision-making as a positive right to human intervention, but that right would apply only to ‘significant’ decisions rather than to decisions that produce legal effects or similarly significant effects. Some see this provision as a risk to the achievement of EU adequacy status; much will depend, however, on how the Bill clarifies which decisions are ‘significant’ for the purpose of the right.

Reducing burdens on businesses and delivering better outcomes for people

An eye-catching change in this chapter is the reform of the cookie rules. The consultation floated, for example, removing the consent requirement for analytics cookies and similar technologies, and for a wider range of circumstances in which the controller can demonstrate a legitimate interest in processing the data. The overall idea is to move from the existing opt-in mechanism to an opt-out model, cutting down the requirement on businesses to maintain, and on consumers to click through, cookie pop-ups and banners. The consultation also considered browser-based solutions for managing a person’s consent preferences.

Also significant in this chapter are the proposals to require organizations to operate a privacy management programme, to remove the requirement for data protection impact assessments (DPIAs) so that organizations have more flexibility in how they identify and manage risk, and to remove the requirement for prior consultation with the ICO on high-risk processing. Related to this is the government’s suggestion to replace the obligation to appoint a data protection officer (DPO) with an obligation to designate a suitable individual to oversee the organization’s data protection compliance.

The threshold for refusing to respond to a subject access request, or for charging a reasonable fee for doing so, will also be amended from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’, to make compliance with subject access requests more manageable.

Attention was also given to direct marketing by political parties and non-commercial organisations. The most important proposal is to extend the ‘soft opt-in’ for direct marketing (the possibility of contacting individuals with whom an organisation has previously been in touch, provided they were given the opportunity to opt out of such contact when they supplied their details) to communications from political parties, given the importance of democratic engagement, and from non-commercial organisations such as charities.

Finally, the chapter addresses financial penalties under the Privacy and Electronic Communications Regulations (PECR) for serious breaches, proposing to raise the existing PECR fines to UK GDPR levels.

Boosting trade and reducing barriers to data flows

In this chapter the government sets out why removing certain barriers to cross-border data flows matters for the UK, for example by progressing an ambitious programme of adequacy assessments. One important suggestion is to remove the requirement for the DCMS Secretary of State to review each adequacy decision every four years. In addition, the government planned to clarify that either judicial or administrative redress is acceptable when assessing international data transfers.

Delivering better public services

The UK Government aims to support personal data sharing within the public sector in order to improve the delivery of public services. Its suggestions include clarifying the rules on the collection, use and retention of biometric data by the police, and specifying additional scenarios in which certain processing activities are permitted on grounds of substantial public interest. Also of interest is the proposal that organizations asked to carry out an activity on behalf of a public body may rely on that body’s lawful basis for processing the personal data.

Reform of the ICO

The government states that the ICO plays a critical role in an increasingly data-driven world. With the proposed reforms, the government wants to better equip the ICO to perform its function as an agile and forward-looking regulator. Notable proposals include amending the statutory deadline for the ICO to issue a penalty following a notice of intent, extending the period to give the ICO more flexibility, and enhancing the ICO’s transparency about its investigations.

And now?

As noted above, a first public version of the Data Protection and Digital Information Bill (DPDIB) was released in July, incorporating the findings that emerged from the consultation. The Bill is the first clear sign of the UK government’s intended direction after the consultation process, and its content sticks fairly close to what was set out in the government’s final response to the consultation. Maintaining EU adequacy was said to be a specific focus of the Bill, but the question remains whether the EU will continue to consider the UK an adequate data exchange partner, given the loss of parity with the GDPR, once the final version of the Bill is released and adopted.