The UK’s existing data protection regime has been heavily influenced by the UK’s previous membership of the European Union. In a post-Brexit Britain, the UK Government’s stated ambition is to ‘establish the UK as the most attractive global data marketplace.’ The UK Government believes that a new regime under an amended Data Protection Act will provide personal benefits to citizens as well as economic and wider societal benefits. An example of a personal benefit is increased powers for the Information Commissioner’s Office (ICO) to crack down on nuisance calls, in an attempt to protect some of the more vulnerable people in society. A reduced compliance burden on businesses is also hoped to bring increased economic benefits and allow businesses to tailor their processing activities to meet their outcomes, rather than compliance simply being a “tick-box” exercise.
The UK’s plans for reform do not constitute a complete legislative overhaul, but instead aim to build on the UK’s current regime, with the option to depart from the EU system, by which the UK was previously bound.
UK Government Response
The proposals in the UK Government’s response have been set out across thirty headings, split between the following five chapters:
- Reducing barriers to responsible innovation
- Reducing burdens on businesses and delivering better outcomes for people
- Boosting trade and reducing barriers to data flow
- Delivering better public services
- Reform of the ICO
Some of the key proposals from the five chapters are summarised below, and a more detailed account of the proposals from the Department for Digital, Culture, Media and Sport can be found here.
Reducing barriers to responsible innovation
Chapter 1 focuses on providing clarity to businesses on the interpretation of the current laws regarding personal data processing. The proposals aim to increase confidence in personal data processing, considering the use of the legitimate interest ground and enabling personal data access and personal data sharing. The aim of this chapter is to provide more certainty to organisations, especially on the responsible use of personal data in relation to ‘cutting edge data-driven technologies.’
Reducing burdens on businesses and delivering better outcomes for people
Chapter 2 considers the ‘disproportionate burden on businesses and delivering better outcomes for people in relation to the processing of personal data.’ The proposals signal a move to an outcomes-based compliance approach, removing specific accountability requirements (for example, the requirement for smaller businesses to have a data protection officer or undertake a data protection impact assessment) and requiring organisations instead to have a privacy management programme. This reform is intended to help businesses save money by reducing their data burden.
Chapter 2 details the intention to reduce the disproportionate impact of subject access requests on businesses, although the idea of introducing a small fee for subject access requests has been rejected. The UK Government intends to limit the use of cookie banners by amending the Privacy and Electronic Communications Regulations (PECR). The UK Government will allow cookies (and similar technologies) to be placed on a user’s device without explicit consent, for a small number of additional non-intrusive purposes. Going forward, the UK Government also proposes to move (not immediately) to an opt-out model of consent for cookies placed by websites, provided web users are given clear information about how to opt out.
To help protect consumers, the UK Government proposes to align the enforcement provisions in PECR with those under the UK GDPR and the Data Protection Act, with fines increased from £500,000 to the greater of £17.5 million or 4% of global turnover.
Boosting trade and reducing barriers to data flow
Chapter 3 aims to create an ‘autonomous UK international transfers regime, which supports international trade and eliminates unnecessary obstacles to cross-border personal data flows.’ The aim of the reforms in this chapter is to drive international commerce, trade, and development. The proposals note that a more agile approach to the international transfer scheme will help UK businesses to connect with international markets and attract foreign investment.
Delivering better public services
Chapter 4 highlights the improved use of personal data, allowing better public services to be delivered. The proposals focus on making better use of the data sharing gateways under the Digital Economy Act to allow for more joined-up and responsive public services. The chapter notes that lessons from the COVID-19 pandemic will be applied, and that the transparency of government processing activities will be increased through a simplified legal framework in relation to police collection, use and retention of biometric data.
Reform of the ICO
Some of the more substantial proposed changes relate to the change in structure and priorities of the ICO. There are proposals in Chapter 5 to move to a more corporate model, with the current Commissioner acting as the chair of the organisation and having a separate CEO and board. There are also proposals to implement a statutory framework that sets out the ICO’s strategic objectives and key priorities.
The proposals also suggest that the ICO deal with fewer low-level complaints, and that controllers instead be encouraged to have a transparent complaint handling process.
While the proposals for reform have been acknowledged as a ‘post-Brexit win,’ some businesses have expressed reservations. A departure from the EU system could cause issues for organisations that do business internationally. Under Article 45 of the GDPR, the European Commission has the power to determine whether a country outside of the EU offers an adequate level of data protection. The effect of such a positive decision is that personal data can flow from the EU to a third country without any further safeguards being necessary. The UK is currently recognised by the EU as providing adequate protection, but this finding could be threatened by the UK Government’s proposals for reform.
There are also concerns that the proposals are too focused on businesses, and not as focused on individuals and their data rights. Legislative change will bring about additional challenges for individuals and businesses, especially if legal advice is required to ensure that they are fully compliant with the reforms. While it is claimed that the proposals will, in the long term, save time and money, uncertainty may result in the short term.
The text of the UK Government’s bill is awaited with interest.
If you require any advice in relation to data protection compliance, please contact a member of our specialist Data Protection & Cyber Security team.
This article was co-written by Maya Allen, Trainee Solicitor.