In the last few days, the UK government has begun a public consultation, entitled Data: A new direction, on its plan to reform data protection legislation in the wake of Brexit. It says the aim is to create a more “pro-growth and pro-innovation” regime to achieve what the (now former) DCMS Secretary Oliver Dowden dubbed a “data dividend” for the British economy.
As regular Panopticon readers will know, the UK’s data protection regime has principally been driven by the EU framework – most recently in the form of the GDPR. Following the end of the Brexit transition period from January 2021, the GDPR (which during the UK’s membership of the EU had direct effect) was transposed into domestic law with minor changes. This means there is now the ‘EU GDPR’, in force across the 27 Member States, and the ‘UK GDPR’ which is applicable in the UK.
Even before the UK GDPR came into force in January 2021, however, the government had stated its intention to diverge from EU data protection law as part of its National Data Strategy, at least to some extent. These proposals are the first concrete step in that direction.
The consultation addresses the proposals in five broad categories:
- Using data for innovation – The government wants to clarify the scope of the ‘legitimate interests’ ground of lawful processing under Article 6(1)(f) of the UK GDPR. The aim of this proposal is to avoid what the government considers is unnecessary over-reliance on the consent ground, which it says has led to “consent fatigue” among data subjects. Under the proposal, legislation would provide an exhaustive list of pre-approved legitimate interests for which businesses would not need to balance their interests in processing the data against the rights of the data subject. The proposed interests to which this would apply include “using personal data for internal research and development purposes, or business innovation purposes aimed at improving services for customers”, which would provide businesses with a relatively broadly framed basis for processing.
The consultation document also sets out plans in relation to AI, including the proposed removal of the human oversight requirement in solely automated decision-making (ADM) under Article 22 of the UK GDPR – perhaps in favour of a ‘legitimate interests’ test for the use of ADM.
Another important area of reform concerns anonymisation. One proposal is to create a new test for determining when data will be regarded as anonymous which would take account of the actual risk of re-identification, reflecting the approach of the CJEU in Breyer v Germany C-582/14 (that the question of whether data is anonymous is relative to the means available to the data controller to re-identify it).
- Reducing administrative burdens on businesses – There is a raft of proposals in relation to red tape: overall, the government wants to shift away from a formalistic ‘box-ticking’ approach. This reflects concerns from businesses that the balance under existing legislation is generally weighted too heavily in favour of data subjects, placing excessive burdens on companies. A theme underlying these plans is a desire to ensure the data protection regime helps rather than hinders the UK’s economic competitiveness.
Proposals include scrapping the Article 30 record keeping requirements, removing the duty to carry out data protection impact assessments (DPIAs), and increasing the threshold for mandatory reporting of data breaches to the ICO to tackle “over-reporting”. In broad terms the plan is to replace the current accountability framework with a risk-based, substantive approach to privacy management.
Notably, there are also proposals to permit companies to charge fees for dealing with subject access requests, to address the significant burden currently faced by businesses in that area. Views are also sought on extending the ‘soft opt in’ for use of personal data for marketing purposes under the PECR.
- Cross-border data transfers – The government hopes to support international data flows as part of its plans to bolster international trade. The consultation document states that the government intends its future approach to adequacy decisions in respect of other jurisdictions’ data protection standards to be “risk-based and focused on outcomes” rather than on rigid textual comparisons of respective legislation. Under the proposals, the legislation would also clarify that foreign data protection regimes that afford only administrative (as opposed to judicial) redress will be acceptable. DCMS has previously announced that several new ‘adequacy partnerships’ are planned with priority countries, including with the US.
- Use of data in public services – The key idea here is to pave the way for easier data sharing both among different public authorities as well as between public bodies and private companies that process personal data on their behalf – the benefits of which the government says have been highlighted during the Covid-19 pandemic. In particular, the government wants legislation to make clear that in such circumstances companies are able to rely on the lawful ground for processing under Article 6(1)(e) of the UK GDPR.
- Reform of the Information Commissioner’s Office – The government proposes to introduce a new set of strategic objectives for the ICO. There would also be a new statutory duty on the ICO to have regard to economic growth, innovation and competition when discharging its functions, which reflects the thinking running through the reforms.
A new governance model is also proposed, with an independent board and CEO, mirroring more closely the structure of other regulators such as the FCA and Ofcom. It is also clear that the government is keen to reduce the current burden on the ICO to investigate a high volume of comparatively low-level complaints – proposals in this regard include requiring complainants to attempt to resolve matters with the data controller before complaining to the ICO. According to the consultation document, no significant changes are planned to the scope of the ICO’s enforcement powers.
As a final thought, while the consultation contains a large number of proposals, it is clear that the regime envisaged remains rooted in the familiar GDPR framework. That being said, discussion about divergence from the EU approach to data protection will inevitably raise questions about the durability of the European Commission’s recently finalised adequacy decision in respect of the UK’s post-Brexit arrangements. The UK government has a tightrope to walk, with pressure to achieve changes that satisfy the business community and enhance the UK’s ability to market itself as a global centre of innovation and growth competing with the need to avoid changes that put the government on a collision course with the EU.
The consultation is open until 19 November 2021.