In September 2021, as part of the UK National Data Strategy, the Department for Digital, Culture, Media and Sport (“DCMS”) launched a consultation on the reform of domestic data protection laws, with the aim of better promoting innovation and commercial growth.
The National Data Strategy was developed largely in response to lessons learned from the Covid-19 pandemic about the commercial advantages of faster and less inhibited information sharing. It also reflects the UK government’s appetite for a more independent regulatory landscape following the country’s departure from the European Union.
The existing data protection regime in the UK consists of the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA”), and the Privacy and Electronic Communications Regulations (“PECR”). The proposed reforms will amend these laws.
Summary of changes
The upcoming changes are widespread, but far less radical than many of those originally proposed. The direction of travel is towards an “opportunities-based” rather than a “threats-based” approach to data protection. This is predominantly good news for organisations, which are, overall, likely to benefit from the additional flexibility offered by the new legal framework.
The overarching aim of the new regime is to reduce the regulatory burden on UK organisations. By encouraging a smoother flow of data both within and outside of the country, the government hopes to grant UK businesses a competitive edge, positioning the country at the forefront of global economic growth.
Reforms will range from minor legislative “clarifications” (many of which will simply codify existing best practices) to more substantial changes which will require a review of existing procedures. Whilst mandated changes will be relatively few, organisations may well find that they benefit from the voluntary adjustments made possible under the new regime.
A draft bill is expected within the next few weeks. It will then pass through the usual parliamentary process. Whilst the general tone is unlikely to change, there is scope for minor adjustments before the bill becomes law. Whilst there is currently no timescale set, it is highly unlikely that the process will be complete before next year at the earliest.
Clarity on the re-use of data
As part of the government’s move to reduce barriers to innovation, reforms will clarify when the “re-use” of data is lawful, thereby better facilitating new data-driven technologies. The “re-use” of data refers to the secondary use of personal information gathered and held by organisations. The key changes are:
- Public interest: Greater clarity will be provided in respect of when personal information can be lawfully re-used in order to safeguard the public interest.
- Changes in data controllers: Greater clarity will be provided in respect of changes to data controllers after the initial collection of information (for example, in the case of third-party digital marketing). The new legislation will clarify the distinction between when such changes amount to re-use or entirely new processing of information.
- Consent: The new framework will codify the existing presumption that, where the original legal basis of information gathering is consent, no re-use is permitted other than in very limited circumstances.
Exemptions for legitimate interests
Under the UK GDPR, an organisation that relies on “legitimate interests” as its lawful basis for processing personal data (one of the six lawful bases in Article 6) must justify that processing by meeting a three-stage test. It must:
- Identify a legitimate interest for the processing of data;
- Demonstrate that the processing is necessary for this intended purpose, and cannot reasonably be achieved through less intrusive means; and
- Weigh up whether its interests in processing the personal data are overridden by the interests, rights and freedoms of the data subjects (otherwise known as “the balancing test”).
Historically, organisations have documented this assessment process to demonstrate compliance. However, many report concerns around the accuracy of their application of the balancing test, as well as in respect of the time-consuming nature of the exercise. This cannot simply be resolved by bypassing the test in favour of seeking explicit consent in all cases, as doing so at such a scale is impractical and likely to lead to consumer fatigue.
The government will therefore now introduce an exhaustive list of exemptions to the balancing test. Initially, these are likely to include the prevention of crime, safeguarding concerns, and other public interest justifications.
AI and machine learning
Embracing data-driven artificial intelligence systems forms a key part of the move to reduce barriers to innovation, with the government heralding the potential of AI to “bring incredible benefits” to citizens’ lives.
A new “National AI Strategy” was published in September 2021, and this will soon be followed by a whitepaper on AI governance. Many of the proposed changes to AI laws have been dropped or moved to the remit of this whitepaper. The remaining changes are:
- Bias mitigation: Trustworthy AI systems rely on bias monitoring of datasets, which can involve the use of personal data. A new condition will be added to Schedule 1 of the DPA to clarify the lawfulness of this data use, subject to safeguards. The use of personal data in bias mitigation will always have to meet the balancing test.
- Automated decision making: Article 22 of the UK GDPR governs decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on individuals. However, there is a lack of clarity around what counts as “solely automated”. Article 22 will therefore be recast as a right to specific safeguards (such as the ability to obtain human review of a decision) rather than a general prohibition.
Anonymisation
Anonymisation underpins the UK GDPR’s “data minimisation principle”. Put simply, the use of personal data must be restricted to that which is adequate, relevant, and necessary for the purpose at hand, and data that has been truly anonymised falls outside the legislation altogether.
There are various techniques currently used to achieve this, including pseudonymisation (replacing direct identifiers with tokens or keys, which remains within the scope of data protection law because the data can still be linked back to an individual) and true anonymisation (which is not). Organisations have reported a lack of clarity in determining the difference between the two. The new legislation will therefore specify:
- When a living person is “identifiable” and therefore within the scope of the legislation;
- That the test for identifiability is relative to the means reasonably likely to be available to the data controller to re-identify the data after anonymisation; and
- That the test for identifiability will be based on the wording of the explanatory report to the Council of Europe’s Convention 108+.
In practice, this means that whether anonymisation has been achieved will hinge on factors such as the technology available to the organisation in question at the time. The aim is to ensure that the bar to meet this test is not set out of reach.
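The distinction between pseudonymisation and true anonymisation is easier to see in code. The following is an added example written for this page, not code from the original article or from Didomi; the customer records, postcodes and secret key are constructed for illustration. It shows why an unkeyed hash of an email address is only pseudonymisation (anyone holding a plausible list of emails can recompute the tokens, which is exactly the kind of “means available” the identifiability test asks about), how a keyed HMAC closes that particular route while the data remains personal data for whoever holds the key, and how generalising quasi-identifiers and suppressing small groups (k-anonymity) yields a dataset with no token left to reverse:

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration; not taken from the original page.
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34, "spend": 120.0},
    {"email": "bob@example.com",   "postcode": "SW1A 2BB", "age": 37, "spend": 80.0},
    {"email": "carol@example.com", "postcode": "EC1A 1BB", "age": 52, "spend": 45.5},
    {"email": "dave@example.com",  "postcode": "EC1A 9ZZ", "age": 58, "spend": 210.0},
    {"email": "erin@example.com",  "postcode": "M1 1AE",   "age": 29, "spend": 15.0},
]


def pseudonymise(records, secret=None):
    """Replace the direct identifier (email) with a token.

    secret=None reproduces the common mistake of using a plain, unkeyed
    SHA-256 hash. With a secret, the token is an HMAC that cannot be
    recomputed by anyone who lacks the key. Either way the output is still
    personal data under the UK GDPR: the controller can re-link it.
    """
    out = []
    for r in records:
        data = r["email"].encode()
        if secret is None:
            token = hashlib.sha256(data).hexdigest()
        else:
            token = hmac.new(secret, data, hashlib.sha256).hexdigest()
        out.append({"token": token, "postcode": r["postcode"],
                    "age": r["age"], "spend": r["spend"]})
    return out


def reidentify(pseudo_records, candidate_emails):
    """Link tokens back to people using only a list of plausible emails.

    This is the 'means reasonably likely to be used' test made concrete:
    an unkeyed hash of a low-entropy identifier is reversible by anyone
    who can enumerate the input space (here, a customer list).
    """
    lookup = {hashlib.sha256(e.encode()).hexdigest(): e for e in candidate_emails}
    return {r["token"]: lookup[r["token"]]
            for r in pseudo_records if r["token"] in lookup}


def anonymise(records, k=2):
    """Drop the direct identifier, generalise the quasi-identifiers and
    suppress any combination shared by fewer than k records (k-anonymity).
    """
    generalised = [
        {"district": r["postcode"].split()[0],      # outward code only, e.g. 'SW1A'
         "age_band": f"{(r['age'] // 10) * 10}s",   # 34 -> '30s'
         "spend": r["spend"]}
        for r in records
    ]
    counts = Counter((g["district"], g["age_band"]) for g in generalised)
    return [g for g in generalised if counts[(g["district"], g["age_band"])] >= k]


if __name__ == "__main__":
    emails = [r["email"] for r in RECORDS]
    print("unkeyed hash, rows re-identified:", len(reidentify(pseudonymise(RECORDS), emails)))
    keyed = pseudonymise(RECORDS, secret=b"controller-only-key")  # constructed key
    print("keyed HMAC, rows re-identified:", len(reidentify(keyed, emails)))
    print("k=2 anonymised rows:", anonymise(RECORDS))
```

Run it directly to see the three results: every unkeyed token is recovered from the email list, no keyed token is, and with k=2 the single record in the M1 district is suppressed because it would stand alone. Raising k trades utility for a stronger guarantee. Note that k-anonymity on its own does not prevent inference from the attributes that remain (if every member of a group shares the same value, the group reveals it), so the “means available” assessment still has to consider what other data the recipient holds.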
Changes to the accountability framework
The UK government has been clear in its view that the current requirements for demonstrating compliance under the GDPR are too onerous for organisations. Changes in this area are therefore designed to reduce this burden. Whilst there are few mandatory new requirements, many businesses are likely to benefit from the increased flexibility offered by the new rules. The main changes are:
- Privacy management programs: Compliance will now be demonstrated through “privacy management programs” which will offer greater flexibility to businesses, depending on the type and volume of data that they process. Provided that they are compliant with existing regulations under the GDPR, no additional steps will be required. However, small and medium-sized businesses that deal with low-risk data are likely to benefit from less stringent requirements.
- Removal of requirement for data protection officers (“DPOs”): DPOs will no longer be mandatory and will be replaced by the requirement for organisations to appoint a “senior responsible individual” who will oversee their responsibilities. There is scope for companies to retain existing DPOs if they choose, provided that these are subject to oversight from an appointed senior individual.
- Removal of requirement for data protection impact assessments: With consultation responses indicating a clear appetite for greater flexibility in the use of impact assessments, these will no longer be a requirement. Organisations will be free to identify and manage risk using their own methods.
- Removal of record-keeping requirements: Until now, organisations have been required to maintain a record of their data processing activities. This requirement will be abolished in favour of a more general requirement for “personal data inventories” which will reflect the specific type of data and processing undertaken.
- Removal of mandatory consultation requirements: Currently, Article 36 of the UK GDPR requires organisations to consult the ICO before carrying out processing where an impact assessment shows a high residual risk that cannot be mitigated. However, due to historically poor levels of compliance, this will now be replaced with a voluntary mechanism, the uptake of which will be taken into account as a mitigating factor in any subsequent enforcement action.
Privacy and electronic communications
This is the only area of reform relating directly to the PECR. Acting as a supplement to the UK GDPR, the PECR governs the use of internet cookies, direct marketing, and nuisance calls. There are some key changes occurring in this area that will be of relevance to any business operating with an online presence:
- Cookies: Under the PECR, cookies cannot be used without user consent (usually requested via a popup) with strictly limited exceptions. Organisations complain that this prevents them from collecting useful but harmless information about visitor numbers to their websites. In a major shift, the government now intends to remove the requirement to display cookie banners. This will be achieved in two stages:
- As a first step, once the bill is in force, cookies will be permitted without explicit consent for a limited number of non-intrusive purposes (such as measuring visitor numbers), including on smartphone apps and other connected devices.
- Eventually, the law will move entirely to an “opt-out” model of consent. This will allow businesses to set cookies without seeking consent, on the condition that users are able to opt out. However, this will only be implemented when (and if) the technological solutions are available to support it - which, as IAPP points out, “may take longer than the expected lifespan of third-party cookies as behavioural advertising tools.”
- Direct marketing: Under the PECR, commercial organisations are permitted to operate a “soft opt-in” system for marketing activities, which allows them to communicate with existing customers about similar products as long as they were given the opportunity to opt out at the time of giving their details, and in every subsequent message. This right will now be extended to non-commercial organisations (such as charities).
- Nuisance calls: Rogue marketing is an increasing problem in the UK, with large volumes of calls placed daily to non-consenting recipients. The following changes are being introduced in an effort to combat the problem:
- The enforcement powers of the Information Commissioner’s Office (“ICO”) will no longer be based on how many nuisance calls are picked up. Instead, they will be based on the total number of calls generated by a company, whether they connect or not.
- Communications providers will now be subject to a “duty to report” to the ICO when they identify suspicious traffic levels on their networks.
- Enforcement: Consultation responses indicated a general feeling that the current enforcement regime was inadequate as a deterrent. The ICO will now be granted powers to levy fines of up to £17.5m or 4% of a business’s global annual turnover (whichever is higher), and to issue assessment notices and carry out audits on those suspected of breaching the law. This brings PECR enforcement in line with the equivalent powers under the UK GDPR and DPA.
International transfers
Facilitating the global exchange of data is central to the UK’s ambition to maintain its position as a leader in international commerce, trade, and development. Reforms in this area are therefore aimed, in general, at reducing barriers to cross-border data flows.
- Adequacy: Under current laws, personal data can flow freely from the UK only to countries that have been assessed as providing an adequate level of protection (an “adequacy decision”); transfers to any other country need an alternative mechanism with its own safeguards. The following changes are expected in a bid to create greater flexibility when it comes to international transfers:
- Risk-based approach: Adequacy decisions will now be outcomes-based, underpinned by principles of risk assessment and proportionality.
- The requirement to review: Currently, the government must review adequacy regulations as a matter of law at least every four years. Acknowledging the fluidity of the international legal landscape, this requirement will now be relaxed in favour of an ongoing monitoring process.
- Redress requirements: When assessing another country for adequacy, the UK will no longer stipulate the form of redress that that country must provide to UK data subjects, focusing instead on the effectiveness of the redress.
- Alternative transfer mechanisms: For countries that are not subject to adequacy decisions, alternative transfer mechanisms provide their own routes for the transfer of data which must also be risk assessed. The following changes have been announced in this area:
- Proportionality of safeguards: New support and guidance will be introduced to emphasise the importance of proportionality when assessing risk for alternative transfer mechanisms.
- Creating alternative transfer mechanisms: In order to future-proof the UK’s approach to international transfers, the DCMS will be granted new powers to create new UK mechanisms for overseas transfers where appropriate.
Reform of the Information Commissioner’s Office
The ICO is the independent body for upholding information rights in the UK. In an increasingly data-driven landscape, the ICO is under ever-mounting pressure to handle a vast range of data protection requests and complaints.
The government has made its intention to reform the ICO’s legislative framework clear. Its primary objectives in doing so are to create a clearer strategic vision, extend investigatory powers, and shift focus from low-level complaints to more serious threats to public trust. There is a clear shift towards a proactive, risk-based approach. The key changes are:
- Strategic vision: A new statutory framework will be introduced. The ICO will be subject to new duties to have regard to growth, innovation, and competition in their decision-making, and to cooperate with other regulators. The DCMS will be granted a new power to set a “Statement of Strategic Priorities” for ICO activities.
- Governance: The ICO will no longer be a ‘corporation sole’ (i.e. in which all power and responsibility lie with the information commissioner). Instead, it will become a ‘body corporate’ (with an independent statutory board). This brings the ICO in line with other regulators, including OFCOM and the FCA.
- Accountability: The ICO will be required to publish its key strategies and processes, reporting annually on its enforcement activities. It must also undertake impact assessments (including review by an expert panel) for all new codes of practice and statutory guidance. The DCMS will have the final power of review.
- Complaints: The government is clear in its view that, under the current system, the ICO spends too much time dealing with minor complaints. The complaints system is therefore changing. Complainants must now attempt to resolve their issue with the relevant data controller before reverting to the ICO. Data controllers must have a transparent and accessible process for data subject complaints.
- Enforcement: The ICO will be granted new powers to commission technical reports and compel witnesses to attend interviews. They will also be able to extend the existing six-month period for investigation in certain circumstances. They must provide organisations with a timeline for each phase of their investigation.
Does the GDPR still apply?
The GDPR governs data protection law across all European Union (“EU”) member states. It applied directly in the UK as an EU regulation, supplemented in domestic law by the DPA. When the Brexit transition period ended on 31 December 2020, the GDPR was retained in UK law, with amendments, as the UK GDPR.
Until now, the UK GDPR has kept the same substantive rules as applied before the UK left the EU. However, Brexit gave the UK the independence to review this framework, which is what the current reforms set out to do.
The draft legislation which is set to follow the recent consultation is expected to arrive in the form of a “Data Reform Bill”. This will amend the UK GDPR, along with the DPA and PECR. In this sense, the GDPR will still apply, but in an updated form.
It is important to remember that, while UK organisations may opt to take advantage of greater flexibility in areas of domestic law which are relaxing (such as accountability), many UK companies operate across borders and will remain subject to the original provisions of the EU GDPR in respect of their dealings with the EU, for example where they offer goods or services to, or monitor the behaviour of, individuals in the EU.
What do organisations need to do?
Because the draft bill is still awaited, the precise implications for organisations will depend largely on the wording of the new legislation. However, the good news is that previous efforts by businesses to comply with the UK GDPR will not have gone to waste. Most changes are likely to introduce greater flexibility, rather than more red tape.
In this sense, the implementation process is unlikely to involve extensive new compliance measures. Instead, it will offer businesses, particularly smaller and mid-sized organisations, the opportunity to benefit from those rules which have been relaxed. In the short term, it may be advantageous for organisations to take the following steps:
- Consider whether, and how, your organisation may wish to take advantage of greater flexibility offered under the new accountability rules.
- Appoint a “senior responsible individual” to either take the place of your DPO, or to oversee their activities.
- If you operate a website (including any connected technology such as smartphone apps), be aware that cookies are likely to be permitted without explicit consent for some non-intrusive purposes (details of these are yet to be provided).
- Be aware that, if you are a non-commercial organisation such as a charity, you are likely to be entitled to use “soft opt-in” direct marketing under the new rules.
- Ensure that you have a transparent and accessible process for data subject complaints in order to comply with changes to ICO complaints procedures.
To learn more and see how Didomi can help, get in touch with one of our experts: