The UK government has published the outcome to its consultation about reforming data protection laws in the UK. It consulted in 2021 about reviewing the UK’s data protection laws, “to secure a pro-growth and trusted data regime as part of the UK’s National Data Strategy”.
The proposals were set out under five headings:
- Reducing barriers to responsible innovation.
- Reducing burdens on businesses and delivering better outcomes for people.
- Boosting trade and reducing barriers to data flows.
- Delivering better public services.
- Reform of the ICO.
The government says that overall, responses indicated support for the government’s proposals in many areas, including:
- changes to research provisions, especially the proposal to consolidate and bring together research-specific provisions, to create a statutory definition of ‘scientific research’ and the changes proposed to notification requirements;
- removal of consent requirements in relation to audience measurement cookies;
- the principle of proportionality outlined in the reform agenda across adequacy and Alternative Transfer Mechanisms;
- reforming the ICO, and emphasis on the importance of maintaining its regulatory independence;
- standardising the terminology and definitions used across the data processing regimes;
- increasing clarity and transparency of the existing rules on police collection, use and retention of data for biometrics, to improve transparency and public safety; and
- extending data sharing powers under section 35 of the Digital Economy Act 2017, to include businesses, as this could be beneficial in terms of joined-up public services.
There were some potential concerns raised about:
- introducing a nominal fee for subject access requests;
- whether the government should have a role enabling the activity of responsible data intermediaries;
- removing the need for data controllers to carry out the legitimate interests balancing test for specified activities if children’s data were involved;
- removing the right to human review of automated decisions;
- whether to exclude political parties and charities from rules on direct electronic marketing;
- removing requirements for Data Protection Impact Assessments and Data Protection Officers; and
- the potential impact of reforms on the ICO’s independence.
Three main themes arose out of the consultation responses:
- Respondents highlighted the importance of maintaining data subject rights.
- Respondents made clear the benefits they saw from the effective use of personal data that the reforms aim to deliver, while emphasising the need for this to be done responsibly.
- Respondents raised the importance of data flows with the EU, and how the changes will affect this, especially regarding the UK’s EU data adequacy decision. Many respondents recognised the benefits of the government’s approach to making these reforms within the existing framework, and some went as far as expressing a preference for these reforms to be mirrored in the EU GDPR. The government has reiterated that it believes that it is possible and reasonable to expect the UK to maintain EU adequacy as it designs a future regime, that the UK is firmly committed to maintaining high data protection standards and that protecting the privacy of individuals will continue to be a national priority. It also says that EU adequacy decisions do not require an ‘adequate’ country to have the same rules, and the government’s view is that reform of UK legislation on personal data is compatible with maintaining flows of personal data from Europe.
Some of the headline changes
In view of the above, some of the headlines from the consultation response are that the government plans to proceed with removing the requirements:
- to designate a data protection officer.
- to undertake data protection risk assessments.
- for record keeping provisions.
The government believes that “providing a new framework which encourages organisations to focus on the design of their privacy management programme, rather than meet a prescriptive tickbox list, will also lead to greater transparency practices”.
Regarding anonymisation, the UK will adopt the Council of Europe’s test for anonymisation into legislation.
It has decided to retain the current data breach thresholds for reporting to the ICO, but to ask the ICO to provide more guidance about when to report a breach.
With regard to subject access requests, the government plans to proceed with changing the current threshold for refusing or charging a reasonable fee for a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’, which will bring it in line with the Freedom of Information regime. The government does not intend to introduce a cost ceiling for subject access requests. Neither does it intend to introduce a fee for processing subject access requests.
The government is not going to proceed with removing the requirement to provide human oversight when making automated decisions set out in Article 22 of the UK GDPR but will clarify its scope and limits. It will be publishing a white paper on AI governance.
The government intends to legislate to remove the need for websites to display cookie banners to UK residents. In the immediate term, the government will permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, for a small number of non-intrusive purposes. In the future, the government intends to move to an opt-out model of consent for cookies placed by websites. In practice, this would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out. The opt-out model would not apply to websites likely to be accessed by children.
For email marketing, the government intends to extend the soft opt-in to non-commercial organisations such as charities.
With regard to nuisance calls, there was support for measures to allow the ICO to take enforcement action against organisations on the basis of the number of calls they generate (rather than purely on the number that are connected, which is the position under the current legislation). There was also support for the introduction of a ‘duty to report’ on communications providers, to require them to inform the ICO of suspicious levels of traffic on their networks. The government plans to proceed with both proposals. In addition, the government is not ruling out placing further requirements on telecoms companies to block a greater volume of nuisance calls at source, if the proposed measures do not produce tangible results.
The government is also proceeding with measures to harmonise the UK GDPR and the Privacy and Electronic Regulations in terms of penalties. The PECRs will allow the ICO to levy fines of up to £17.5m or 4% of a business’s global turnover. The ICO will be able to be able to serve assessment notices and carry out audits on organisations suspected of infringing the PECRs, in line with the powers under UK GDPR and DPA 2018.
The government plans to consider further whether political communications should remain within the scope of PECR’s direct marketing rules for democratic engagement.
The government intends to proceed with relaxing the requirement to review adequacy regulations every four years. It will also ensure that data exporters can act pragmatically and proportionally when using alternative transfer mechanisms, whilst maintaining a high standard of protection for data subjects. It also intends to allow the Secretary of State to formally recognise new transfer mechanisms and ensure that new mechanisms must meet the same high data protection standards as the other alternative transfer mechanisms.
Any personal data sharing regulations made under Part 5 of the Digital Economy Act 2017 would be subject to further public consultation and parliamentary scrutiny.
The government will work with policing authorities to promote high standards and best practice in the responsible and effective use of new technologies, including supporting the development of policing-led guidance such as new codes of conduct.
The government sees the ICO’s remit as increasingly important for competition, innovation and economic growth, and therefore intends to ensure that it is required to have regard to competition, growth and innovation. It also intends to proceed with its proposal to move away from the corporation sole structure and introducing a statutory board with a chair and chief executive. The chief executive role will be appointed by the ICO’s board in consultation with the DCMS Secretary of State. The government plans to proceed with introducing legislative requirements for the ICO to report on its approach and performance. It will also give the ICO more powers, including a power for the ICO to commission technical reports, a power to compel witnesses to attend and answer questions at interview and it will also amend the statutory deadline for the ICO to issue a penalty following a notice of intent. It will also reform the roles of the Biometrics and Surveillance Commissioners, merging some of their functions into other authorities, and may change the name of the ICO as well.
The Information Commissioner, John Edwards, has issued a statement on the consultation response. He says “I share and support the ambition of these reforms. I am pleased to see the government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms. We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill”.
