UK announces plans to depart from GDPR

What's the issue?

The UK's data protection regime has not changed since Brexit and remains in line with the EU's – a fact recognised by EU when it granted the UK adequacy for the purposes of data transfers.  The UK is, however, free to depart from the EU regime and, in some cases, has to strike out on its own.

What's the development?

The government has set out its plans for data protection suggesting a move away from the EU in some areas. In a package of plans the government has announced:

• a focus on agreeing new adequacy arrangements, initially with six priority countries – the USA, Australia, Republic of Korea, Singapore, Dubai International Finance Centre, and Columbia. After that it will look at India, Brazil, Kenya and Indonesia.
• a mission statement on the UK's approach to international data transfers and a UK Adequacy Manual which will be used to inform the assessment of a territory's commitment to high data protection standards. This includes an international data transfers toolkit which sets out existing and planned transfer mechanisms
• plans for an International Data Transfers Expert Council to support the facilitation of international data flows<
• John Edwards as the government's preferred nominee as the new ICO with an enhanced role. Mr Edwards is currently the Data Protection Commissioner of New Zealand
• a consultation on the future of the UK's data protection regime which includes proposals to drop mandatory DPOs, DPIAs and Article 30 record keeping requirements.

What does this mean for you?

Read more

Reducing barriers to responsible innovation

• Bringing together research-specific provisions to put them all in the same place, and defining "scientific research".
• Clarifying the lawful bases to use for research purposes and when they can be used, possibly introducing a new lawful basis for this purpose together with safeguards.
• Widening the scope of consent for re-use of research data for further purposes and clarifying the issue of when further processing is compatible with the original purpose, for example by allowing it where it is in an important public interest.
• Creating a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test.  Examples of what might go on the list include: audience measurement cookies;  processing for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems; improving network security; de-identifying data; and some internal functions.
• Reforms around AI and machine learning including clarification of the fairness principle in relation to AI systems. Views are sought on whether there should be scope to use data to train and test AI systems more freely, subject to safeguards.
• Potentially reforming Article 22 UK GDPR (the right not to be subject to a decision based solely on automatic processing where the decision has a legal or similarly significant effect).  The government is not making proposals on this until it has the results of the consultation but it does ask for views on removing Article 22 and allowing such processing where the processing has a lawful basis under Article 6(1).
• A clear test to determine when data is "anonymous" which is potentially relative to the controller's ability to re-identify the data.

Reducing burdens on businesses and delivering better outcomes for people

• Reforming the accountability framework to create a more flexible, risk-based framework based on privacy management programmes which will reduce the number of "disproportionately burdensome" specific compliance requirements, for example by:
  • removing the requirement for a designated DPO and replacing it with a requirement for all organisations to designate an individual or individuals responsible for the organisation's privacy management programme
  • removing requirements to conduct data protection impact assessments and to engage in prior consultation with the ICO, and allowing organisations to adopt different approaches to identifying and minimising privacy risks
  • removing the Article 30 processing record requirements.
• Changing the data breach notification threshold so that breaches would need to be reported to the ICO if the risk to individuals is material.
• Re-introducing a fee for data subject access requests.
• >Reforming cookie rules to reduce consent fatigue, either by allowing a wider range of cookies to be used without consent, or requiring consent for certain stipulated purposes such as invasive tracking, micro-targeting and real-time bidding.
• Extending the scope of the soft opt-in for marketing purposes to include non-commercial organisations.
• Updating PECR's enforcement regime to bring it in line with UK GDPR levels.

Boosting trade and reducing barriers to data flows

• Setting out the basis for future adequacy decisions.
• Updating the suite of alternative transfer mechanisms.
• Amending the international transfers regime to make it more flexible and suitable for specific circumstances.
• Exempting reverse transfers from the scope of the international transfers regime ie data originating outside the UK, sent to the UK and then sent back to the originating jurisdiction.
• Possibly allowing organisations to create or identify their own alternative transfer mechanisms.
• Updating the certification regime.
• Allowing the derogations (other than legitimate interests) from the requirement to have a transfer mechanism to be used on a repetitive basis.

Delivering better public services

• Allowing private companies carrying out processing on behalf of public bodies to rely on the lawful basis used by the public body.
• Allowing private and public bodies to lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies.
• Compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors when using public data.
• Clarifying what is meant by "substantial public interest".
• Clarifying rules on the collection, use and retention of biometric data by the police.
• Facilitating better private and public sector collaboration on law enforcement and national security.

Reform of the ICO

• Codifying and extending the ICO's remit, including to require it to consider economic growth and innovation, competition and public safety when carrying out its duties, as well as the government's international priorities.
• Establishing an independent board and CEO at the ICO. 
• Introducing greater oversight of the ICO.
• Revising when a complaint can be made to the ICO and when it must be investigated
• Reforming enforcement powers.
• Absorbing the roles of the Biometrics Commissioner and Surveillance Camera Commissioner into the ICO.

The consultation covers a wide range of issues and as such, it is likely to be some time before any changes are put in place.