Reforming UK data protection laws – the ICO responds

Following the Government’s announcement of its proposals to amend the UK data protection legislation (which you can read about in Katherine Taunton’s post here), the ICO has now published its response to those proposals – see here. As expected, the core thrust of the response is that, in pressing for a new more business and particularly tech-friendly data protection regime, the Government should be careful not to throw the data privacy baby out with the bathwater. Not least, we see Elizabeth Denham, in her foreword to the response, emphasising the point that achieving public trust in business – particularly in the tech sector – through the maintenance of high standards of data protection is itself integral to the achievement of economic growth. In terms of the detail, there is much to pore over in a response that runs to some 89 pages. However, points that particularly caught my eye include the following:

  • Cookies – The ICO welcomes the Government’s proposals to cure the internet of the scourge of the relentless cookie pop-up by orienting to technologies that streamline cookie consents (e.g. through the use of browser-based solutions). However, notably the ICO also invites the Government to legislate against so-called ‘cookie walls’ (i.e. technology which effectively requires users to agree to having cookies placed on their devices as the ‘price’ of gaining access to a particular website). This latter issue is a bit of a political hot potato. Many businesses take the view that in the modern consumer digital economy they should not be compelled to provide online content to users for free and, provided that the particular ‘cookie price’ is transparent to users prior to accessing the site, there is nothing objectionable about such a regime. In common with many regulators in the EU, the ICO is clearly inclined to the view that such arrangements risk causing unfairness to users, particularly in terms of depriving them of meaningful choices about how their data is processed. It will be interesting to see how the Government positions itself on this important tech-centred issue.
  • PECR – Unsurprisingly, the ICO endorses the Government’s proposals to raise the penalty limit for PECR breaches from £500k up to the far higher limits provided for in the UK GDPR. The ICO invites the Government to level up the entire regulatory toolkit under PECR, so that it is equivalent to that available under the DP regime. One imagines that ultimately the prospect of the ICO having more clout to deal with PECR rogues will be a relatively easy sell politically.
  • Reform of the legitimate interests legal basis – The Government’s proposals envisage a new approach to the protection of legitimate interests, whereby the current balancing exercise presupposed by Article 6(1)(f) UK GDPR would be replaced by a list of instances where the legitimate interests balance is automatically treated as having been struck in favour of the relevant processing. The ICO notes that the aims of creating more certainty and predictability around the use of the legitimate interests lawful basis are no doubt laudable. However, it goes on to make the (obviously correct) points that the devil is in the detail, and the detail is plainly lacking from the proposals as currently formulated. These are important proposed reforms and it is inevitably crucial that we all understand precisely what the Government is envisaging here in terms of effectively pre-authorised legitimate interests processing.
  • SAR fees/costs limit – The ICO is clearly reluctant to endorse the Government’s proposals to enshrine a SAR regime where a (nominal) fee can be charged for responding to a SAR and SARs can be refused on costs grounds, on the basis that such measures will substantially inhibit the exercise of a hugely important right. The ICO invites the Government to research this issue further. As to this, there is no doubt that, across the private and public sector, there are very serious concerns about the enormous and many would say wholly disproportionate burdens which the current SAR regime brings in its wake. There is clearly considerable pressure on the Government to address these concerns by one means or another. The ICO’s suggestion that these burdens can be substantially reduced through the introduction of new technologies and methods of data handling is likely to come under challenge as being highly unrealistic as to how matters operate on the ground.
  • DPOs & DPIAs – The ICO resists proposals to junk the DPO regime or alternatively dilute the skills requirements imposed in respect of DPOs. It seeks to emphasise the value that DPOs – and particularly specialist, expert DPOs – bring to the data privacy table. Similarly, the ICO seeks to row against the proposals to consign DPIAs to the dustbin of history. As with other aspects of the ICO response, the business community is likely to row against the ICO’s position on both the DPO and DPIA issues on the basis that it both overstates the value to be derived from the existing requirements and underestimates the burdens which those requirements place on businesses.
  • Reforms of the ICO – The response confirms that the ICO is seriously concerned about the Government’s proposals to reform the ICO itself. In particular, it highlights the ICO’s concerns that the current proposals – which envisage that the Secretary of State would have powers to appoint the new ICO CEO and also to approve (or not approve) ICO guidance – seriously and immediately threaten the independence of the ICO. These are in my view entirely legitimate concerns. One of the ICO’s greatest assets is its essential independence from Government. It strikes me as being inimical to the public interest and the achievement of genuinely effective data protection regulation to move towards a system whereby the ICO operates to any significant extent under the sway of the Government.

No doubt there is more in the response that is worthy of excavation and discussion. However, the crucial question is how the Government itself will respond to the heavily data-subject centric stance adopted by the ICO. As to that, only time will tell.

Anya Proops QC