The Department for Digital, Culture, Media and Sport (DCMS) is conducting a consultation on reform of the UK’s data protection regime following the UK’s withdrawal from the European Union. The Department has proposed over seventy individual reforms and invites responses from the public. The consultation opened on 10 September and runs for ten weeks. According to the Department, the purpose of the reforms is to boost trade and reduce barriers to data flows; the government’s position is that the regime as it stands is too prescriptive and confusing, and that it stifles innovation and the economy. The Department claims the reforms will increase responsible data use while simultaneously lowering compliance costs and reducing uncertainty around the use of personal data.
Of the changes proposed, some are minor amendments, whereas others have the potential to usher in radical change across the privacy space. Below are some of the key proposed changes:
- Reducing barriers to innovation to boost the economy
The reforms propose to make it easier to use personal data for research and development purposes. The government offers two proposals to clarify when universities can process personal data for research: a new legal basis for research, and clarification of when universities can rely on ‘public task’ to conduct research. It also suggests that the law should include a clearer definition of ‘scientific research’, and wishes to clarify in legislation that data subjects may give consent to broader areas of scientific research where it is not possible to fully identify the purpose of processing at the time the data is collected. Moreover, the government wishes to impose a new duty on the ICO to have regard to economic growth, innovation and competition when discharging its functions.
- Reducing administrative burdens on businesses
Results from a previous survey of businesses confirmed that a lack of certainty around UK GDPR has a chilling effect on businesses handling data. In particular, organisations were unclear about the legal bases for processing personal data and consequently were not making optimal use of it. The reforms aim to explain the legal bases, with particular emphasis on legitimate interests. The Department proposes to list eight examples of activities for which legitimate interests can be relied upon and to remove the requirement to conduct a legitimate interests balancing test before relying on that basis for those activities. It also proposes to remove the requirement to perform a Data Protection Impact Assessment, so that organisations can conduct risk assessments on their own terms. The Department is further considering introducing a fee for Data Subject Access Requests, removing the requirement to appoint a Data Protection Officer (DPO), and alternative approaches to managing cookies and consent.
- Boosting trade and reducing barriers to data flows including transfer requirements
The Department intends to expand the list of jurisdictions deemed adequate and to relax the requirement to review adequacy decisions every four years. It also hopes to make alternative transfer mechanisms easier to use, in order to increase data flows.
- Delivering better public services
The Department aims to encourage increased use of personal data to inform and improve public services. For example, it proposes to clarify that an organisation processing personal data on behalf of a public body may rely on that body’s ‘public task’ legal basis and need not identify a separate legal basis of its own.
- Reform of the Information Commissioner’s Office (ICO)
The government proposes a new statutory framework for the ICO. It wishes to establish a chief executive and an independent board at the ICO, with the board led by a chair and including non-executive directors. In addition, the Secretary of State would prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities. The government also wishes to ensure that the ICO follows best practice when developing complex or novel guidance and adopts a more proportionate regulatory approach to complaints.
The Department has published an “Analysis of Expected Impact”. However, its results, expressed in monetary terms, rest on assumptions. Furthermore, the document omits any calculation of the cost of the data breaches that would follow if the rules are relaxed. This is a significant risk for organisations, as data breaches can result in severe monetary, operational and reputational harm.
Reaction to the Proposed Reforms
Some may welcome the proposed changes to cookies, such as the end of what many regard as ‘pointless’ cookie banners requiring consent. The Department’s Impact Analysis also claims that the current regime constrains data-driven industries such as direct marketing, behavioural advertising, credit information and website analytics. However, it could be argued that this was precisely one of the main aims of GDPR: to protect an individual’s privacy online. The government also intends to remove the requirement to appoint a DPO. Nevertheless, experts point out that it remains good business sense to have a DPO on hand, because the risk of non-compliance will remain the same and the monetary sanctions that could be imposed will be just as severe as before.
It has also been pointed out that, for organisations with EU data subjects, the reforms are of limited benefit. Organisations offering goods and services in the EU must still comply with EU GDPR. Consequently, if the UK regime changes radically, this could actually increase confusion and uncertainty for such organisations, which would have to comply with two regimes that are currently aligned. Organisations that have only just acclimatised to GDPR will have to re-examine their compliance once again.
Finally, the EU granted the UK an adequacy decision in June this year, meaning that the EU considers the level of protection given to personal data in the UK to be equivalent to that in the European Economic Area (EEA). This allows data to flow more freely between the UK and the EEA. However, it was never a done deal: even before it was granted, MEPs urged the European Commission to revise the decision, and the EU has stated that it will closely monitor the UK’s implementation of data protection rules. The adequacy decision is due to be reviewed every four years but could be withdrawn immediately should the UK diverge significantly from GDPR. The Department acknowledges that any change to the UK’s adequacy status would affect organisations receiving personal data from the EEA, as the only remaining options would be alternative transfer mechanisms, which can be costly and time consuming to put in place. Therefore, the EU’s adequacy decision may well act as a restraining force on any UK desire to stray too far from EU GDPR.
How to get involved in the Consultation
Interested parties are encouraged to submit a response to the consultation. The consultation document contains specific questions on the proposed reforms, and organisations are asked to provide explanations and evidence for their answers. The deadline is 11:45pm on 19 November 2021, and the government will publish its response to the consultation in due course following careful consideration of the responses.
This is a consultation that we shall be monitoring closely, and we will issue a further update in due course. Depending on which proposals are adopted, such reform could have a significant impact on the manner in which organisations approach data protection compliance.