The Department for Digital, Culture, Media & Sport (DCMS) has this month launched a public consultation proposing reform to the current UK data protection regime. The consultation is designed to help the UK Government deliver Mission 2 of the National Data Strategy to promote innovation, growth and competition by seizing the opportunity to reshape its approach to regulation by making a move away from the EU GDPR approach. The UK Government aims to mould a data protection regime that is ambitious and trusted, whilst supporting spirited competition and economic growth.
The UK Government is very much of the view that creating a new data protection regime that can be agile and adaptable against varying backdrops has the potential to enhance the UK’s global reputation – the thinking being that if the UK becomes known for its responsible processing of data-driven business whilst maintaining a high level of data protection, the UK has the opportunity to influence the way data protection laws develop internationally. The stated hope is to create a regime that can maintain public trust whilst eradicating onerous burdens for business which act as barriers to innovation and international data transfers.
The proposals are potentially far reaching and, if adopted, would result in significant changes to UK data protection law, including the Data Protection Act 2018, the UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
Seven of the most notable areas under review are outlined below.
1. Accountability reforms
The DCMS is hoping to reduce the burden that businesses face in terms of data protection compliance by reforming the accountability principle. In pursuit of this aim, organisations would be required to implement a privacy management policy that would be tailored to the organisation’s specific data processing activities. This would be a form of compliance governance framework intended to be more flexible by adopting a risk-based approach to accountability. As part of this, the DCMS proposes potentially revoking obligations on organisations to perform data protection impact assessments, maintain records of processing and appoint a data protection officer. It is fair to assume that many organisations would not be sad to see these obligations disappear.
2. Grounds for processing
The DCMS is considering various reforms to the lawful grounds for processing, including:
- clarifying that private companies, organisations and individuals who have been asked to process personal data on behalf of a public body may rely on that body’s public task lawful ground for processing the data rather than having to identify a separate lawful ground
- adding new situations for processing in the ‘substantial public interest” or amending existing situations to provide greater specificity
- creating an exhaustive list of “legitimate interests” under which organisations can use personal data without having to perform a balancing test
- streamlining and clarifying rules on the collection, use and retention of data for biometrics by the police
3. Reporting of data breaches
The DCMS is concerned by an over-reporting of data breaches, due in part to the perceived low legal threshold for reporting and incentives for organisations to over-report. Over-reporting is also regarded as costly for organisations and results in a significant workload for the ICO. In light of this, the DCMS is looking at changing the threshold for reporting a data breach to the ICO so that organisations must report a breach unless the risk to individuals is not “material”.
4. Subject Access Requests
Consideration is being given to introducing a fee regime for access to personal data held by all data controllers. This could be based on the charging regime which applies under the UK’s freedom of information laws to help alleviate the compliance burden on organisations.
Views are also being invited on whether the ‘manifestly unfounded’ threshold to refuse a subject access request is too high. The DCMS is considering whether the test should instead be whether a request is vexatious, again in keeping with the approach adopted in the UK’s freedom of information regime.
5. Cookies and electronic communications
One option under consideration by the DCMS is removing the requirement for websites to obtain consent before serving analytic cookies. This would not, however, relieve controllers from their obligations to provide clear information regarding cookies and similar technologies. Another option would be to permit organisations to store or collect information from a user without their consent but for limited purposes. This would include, for example, processing data that is necessary for the controller to pursue their legitimate interests, as long as the impact on privacy is minimal.
The “soft opt-in” for marketing could be extended to cover those situations where a previous relationship exists between a marketer and customer.
The DCMS is also inviting views on aligning sanctions for breach of the PECR with the UK GDPR. This would mean increasing the current maximum penalty of £500,000 for PECR breaches to the higher of 4% of global turnover or £17.5 million.
6. International data transfers
A new approach to international data flows outlined in the paper would rely on a risk-based approach with regards to adequacy findings. The overall intention being to ensure that appropriate safeguarding mechanisms are capable of being tailored in direct proportion to the risk assessment of the relevant country.
As far as alternative transfer mechanisms are concerned, the DCMS is looking at whether organisations should be able to create or identify their own alternative transfer mechanisms, creating a new power for the Secretary of State to formally recognise new alternative transfer mechanisms and permitting certification bodies outside the UK to be accredited to run UK approved international transfer schemes.
7. Data protection and artificial intelligence
The DCMS is considering whether to set out additional clarity on the legal obligations applicable to fairness when deploying and developing AI systems. The intention being that this would create a safe regulatory space for AI to be developed and tested more responsibly, allowing a greater freedom to experiment. Consideration is also given to reforming the current obligations controllers have in relation to solely automated decision making.
The DCMS is also proposing introducing compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors using public data.
When does the consultation close?
The public consultation opened on 10 September 2021 and closes at 11.45pm on 19 November 2021. This public consultation creates an unprecedented opportunity for the public to influence the development of UK data protection framework following Brexit. The consultation paper is available here.