The long-anticipated response to the ‘Data: a new direction’ consultation, which was launched on 10 September 2021, is finally here. The UK Government has stated: ‘These reforms will create a data rights regime which delivers not only economic benefits but wider societal benefits alongside personal benefits to citizens.’ The response outlines the UK Government’s expected reforms to UK data protection laws and covers 30 headings across 5 chapters targeting different areas, including:
- Chapter 1: Reducing barriers to responsible innovation. The purpose of this chapter is to provide a clear understanding of the legislation, its interpretations and the requirements when it comes to the processing of personal data.
- Chapter 2: Reducing burdens on businesses and delivering better outcomes for people.
- Chapter 3: Boosting trade and reducing barriers to data flows.
- Chapter 4: Delivering better public services.
- Chapter 5: Reform of the Information Commissioner’s Office.
Overview of the Response to the Consultation
The document notes that there were many positive responses in respect of the proposals under the consultation such as:
- Clarifying existing legislation and guidance in respect of the police’s collection, use and retention of biometric data, for the purpose of improving public safety and transparency.
- The proposed changes to research provisions. This includes the proposal to merge research provisions, to introduce a definition for ‘scientific research’, and proposed amendments to notification requirements.
- The reform of the ICO and ensuring it remains an independent regulator.
- Removing certain requirements for consent in respect of cookies.
- Standardising definitions and terms used across data processing regimes.
- The extension of powers under section 35 of the Digital Economy Act 2017 to include businesses.
However, there were also some concerns raised regarding proposals such as:
- Introducing fees in respect of Subject Access Requests.
- Allowing data controllers to carry out processing of personal data without a balancing test where it involved children’s data.
- Removing the requirements for Data Protection Officers and Data Protection Impact Assessments.
- How reforms could impact the independence of the ICO.
- Automated decision making and the removal of human review.
- Direct marketing and whether charities or political parties should be excluded.
Proposals of Interest
The document helpfully summarises the consultation proposals that the Government plans to proceed with, those it will consider further before making a decision, and those it does not plan to proceed with. We therefore have a good indication of many of the changes likely to be included in the UK data protection reforms. For a full list of the proposals being taken forward at this stage, please see the full Annex of the report here. We have picked out a few key proposals of interest to be aware of, including:
1. Changes to Research
- Consolidating Research Exemptions
One area in which the UK Government felt it could address ongoing uncertainty is the legislation relating to the processing of personal data for research purposes. It was acknowledged that the current legislation is quite difficult to navigate. The Government therefore proposed consolidating all research provisions and bringing them together under a single chapter. This was supported by the majority of respondents; however, it was noted that clearer ICO guidance on the present legislation would be just as effective. Whilst the recent ICO guidance is not yet published, the Government has taken the recent ICO consultation on data processing for research into consideration in respect of this proposal. As a result, the Government is likely to take a slightly different approach, simplifying the current legislation by moving existing sections rather than creating a new chapter. It is not yet clear what this will look like in practice, but hopefully it will clarify the existing legislation and make it easier for organisations to navigate.
- New definitions for Scientific Research
Another proposal which received a great deal of support is a new definition of scientific research within the legislation. The Government will not introduce a new statutory definition as such. Instead, it proposes to use the definition of scientific research from Recital 159 and move ‘the definition from the recitals to the operative text of the UK GDPR’. It was felt that this would be adequate to ensure that the definition remains broad and has ‘capacity for guidance from the regulator’. The Government will also add definitions of ‘statistical purposes’ and ‘historic research’ to the UK GDPR. These definitions will be ‘based on the existing recital language’. It is hoped this will maintain clear and coherent language in respect of research, as already implemented under the UK GDPR, whilst providing clarity to researchers.
- Incorporating broad consent for scientific research into legislation
The Government will incorporate broad consent for scientific research into the main body of the UK GDPR. Despite various views on this topic, it was recognised that the concept of broad consent already exists within the recitals. It is hoped that, by making this more prominent within the legislation, it will provide ‘greater clarity and transparency in relation to broad consent in this context.’
- New lawful basis for research purposes
Despite discussions regarding the introduction of a new lawful basis for research purposes, the Government will not take this proposal further at the moment. The Government noted: ‘The evidence suggests that researchers are currently comfortable in using the existing lawful bases for processing personal data.’ There was also a general acknowledgment by some respondents that a new lawful basis for research purposes could be open to misuse.
2. A new list of processing activities which do not require a Legitimate Interest Assessment (“LIA”)
Organisations relying on legitimate interest as a lawful basis for processing personal data are currently required to carry out a three-part legitimate interest assessment (“LIA”). The LIA includes a purpose test, a necessity test and a balancing test. Organisations expressed a lack of confidence in completing the balancing test, which requires them to balance their legitimate interests against the privacy rights of individuals. Organisations fear that failing to get the balancing test right will result in investigation by the ICO, which has led some to avoid legitimate interest altogether and instead rely on consent. This indicated to the Government that the balancing test is a barrier to organisations relying on legitimate interest as an appropriate lawful basis for processing.
To address this, the Government will create a ‘limited, exhaustive list of legitimate interests’ defining specific processing activities that may be carried out without an LIA. Although the list will initially be limited, the Government has proposed a power to update it over time, subject to parliamentary scrutiny. It is unclear at this stage whether this power will be introduced.
It should be noted that, whilst a full LIA will not be required where processing falls under the limited list, to remain compliant organisations must still be satisfied that there is a legitimate purpose for, and necessity to, the processing, as prescribed under Article 6(1)(f) of the UK GDPR. Organisations relying on legitimate interest for processing not covered by the new list will still be required to complete an LIA.
It will be interesting to see whether this change increases organisations’ confidence in using legitimate interest as their lawful basis. The practical effect of this proposal will be a reduction in paperwork for organisations where they are able to rely on a legitimate interest included in the list.
3. Opt-out Model for Cookie Consent
Despite many voicing disagreement, the Government will remove the requirement for organisations to obtain consent for some non-essential cookies and replace this with an opt-out model, with the ultimate goal of removing the requirement to display cookie banners on websites for UK residents. Those in favour of reform felt the current cookie consent requirements are too stringent and make it difficult for organisations to collect insightful information about interactions with their website. At an individual level, some described cookie pop-up banners as an annoying barrier to accessing a website, the content of which is often ignored.
It appears that this will be a two-stage process; however, there is presently a lack of clarity regarding the purpose of each stage. In the short term, the Government will permit the placement of a limited number of cookies for ‘non-intrusive purposes’ on all websites and connected devices. These purposes are yet to be confirmed, but may include audience measurement or the detection of faults on an organisation’s website. The Government will follow this with an opt-out model of consent for all cookies, whilst providing clear instructions on how a user may opt out. The Government has said ‘The opt-out model would not apply to websites likely to be accessed by children’.
There were obvious concerns surrounding these proposals. The proposed removal of cookie banners and opt-in consent for non-essential cookies clearly goes against what we understand as consent for the use of personal data and raises concerns about the transparency of organisations processing that personal data. While it is appreciated that no one particularly enjoys cookie pop-ups, getting rid of them altogether undermines transparency if cookies can be placed on devices by default. It is therefore to be hoped that, in the absence of the cookie banner, significant efforts would be made to inform users of how their data will be used and how to opt out. It is also presumed that an organisation would have to rely on another lawful basis to process the data subject’s personal data where it has not asked for explicit consent.
The Government has acknowledged responses stating how highly individuals value their right to privacy and control over what is done with their personal data. The Government stated that ‘it will work with industry and the regulator on browser-based and similar solutions that will help people manage their cookie and opt-out preference and will move to an opt-out model of consent for cookies only when the Government assesses these solutions are widely available for use’. It will be interesting to see how this is detailed in the draft Bill, but for the moment organisations should continue with opt-in consent for non-essential cookies together with a suitable cookie notice/pop-up banner.
4. Removal of DPO
As part of the Government’s plan to introduce a Privacy Management Programme, it will move forward with removing the requirement for a Data Protection Officer and replace it with a requirement to appoint a senior responsible individual to be responsible for the programme. The Government has said that the purpose of this is to ‘shift the emphasis to ensure data protection is established at a senior level to embed an organisation-wide culture of data protection’. Many respondents are concerned about this change, citing that it may affect the level of trust between their organisation and data subjects. However, this may not be as significant a change as first thought. Responsibility for data protection compliance should already be owned at a senior level of the organisation. Where these individuals do not have the expertise, it is likely they would either appoint someone internally to carry out the day-to-day data compliance role or continue to outsource it to a data protection professional. It is therefore highly likely that maintaining a DPO equivalent within your organisation will remain important, and specifically ensuring that your organisation appoints someone with data protection expertise. This will remain key to managing ongoing data protection obligations, which will remain onerous.
It will be interesting to see what happens as time progresses and how the Government goes about implementing these proposals. The next step in this process will be for the Government to publish the draft Bill. However, given that many proposals are still being considered, this is unlikely to be any time soon. At this stage the Government has stated that it is ‘committed to maintaining important principles’. These principles are as follows:
- Ensuring high standards of data protection within the UK. The Government wants to continue to ensure trust among the public through the use of their personal data, whilst offering increased flexibility to organisations ‘to find the most effective and proportionate way’ to protect their data.
- Ensuring the UK regime for data protection ‘will be future-proofed’. They want organisations to focus on ‘important privacy outcomes – rather than ticking boxes’. The aim is to ensure that technology can grow at the same time as the law to ensure there is no regulatory uncertainty.
- Clarifying that there will not be too many new requirements, and that those which are new are already considered best practice and are likely to be implemented by organisations already. Therefore, organisations that comply with current data protection laws will comply with the future regime.
- Confirming that the new regime will ensure advantages for the UK, whilst ensuring that data subjects have their rights protected and that the ICO remains independent.
- Affirming that the ICO will continue to be the regulator and ensure best practice, accountability and transparency.
Overall, the proposals are clearly a Government move to make targeted adjustments to the UK GDPR which benefit the economy and wider society, and to rebrand certain aspects of UK data protection, such as the role of the DPO. However, it has been careful not to adopt anything too radical which might affect the UK’s adequacy status at this stage, keeping closely aligned with the EU framework. Whilst the changes will introduce a degree of flexibility for UK organisations, ensuring a high level of data protection compliance will remain at the forefront of the regime. Organisations will therefore have to continue to demonstrate this through their own internal processes and strategies.
Our team will continue to monitor the situation and provide updates as they are announced. If your organisation has any questions about how these proposals may affect it, or would like some support from our team, please feel free to contact us on 03330 430350.