Data protection in the UK: "In a new direction" – but to where?

With the discussion paper published on 10 September 2021, the United Kingdom wants to use its new freedom gained by leaving the European Union and "take a new direction" in data protection only three months after the European Commission's adequacy decision. Trend-setting reform or pure provocation? One thing is clear: Brussels will be watching closely.

Introduction

The withdrawal of the United Kingdom (“UK”) from the European Union ("EU"), better known as "Brexit", is undoubtedly one of the biggest incidents in the history of the EU. One is still prompted to wonder as to how the state that had already joined the European Economic Community, a predecessor organisation of the EU, in 1973 could have taken this step.

The beginning of the end of what many Britons saw as a union of convenience began on 23 June 2016 with a referendum in which the citizens of the island state voted on EU membership. With a turnout of almost 72 %, a majority of 52 % voted to leave. Following this, the negotiations between the EU and the UK on the so-called "Brexit deal", which was to determine the framework conditions of the withdrawal, dragged on until the end of 2018. Due to domestic political resistance, however, there were numerous renegotiations, so that the final withdrawal did not take place until the end of 31 January 2021.

Status quo: Adequate level of data protection

The withdrawal from the EU also brought changes in data protection law. Until then, data processing in the UK - as in all other 27 member states – was governed by the General Data Protection Regulation ("GDPR"), which harmonised data protection law in the EU and ensured an adequate level of data protection. However, due to its withdrawal, the UK is no longer a member of the EU or the European Economic Area ("EEA"), but a so-called "third country", with the consequence that with regard to data transfers, Art. 44 et seq. GDPR must be observed to ensure an adequate level of data protection.

The level of data protection shall be deemed adequate if an adequacy decision has been adopted by the European Commission ("EU Commission") pursuant to Art. 45 (3) GDPR. If the EU Commission has issued such a decision, the level of data protection in the third country is deemed to be sufficiently high for a data transfer. In this case, the data processors do not have to take action themselves to ensure an adequate level of data protection. According to the decision of the European Court of Justice in "Schrems I" (C-362/14), the criterion for determining the adequate level of protection is not whether the data protection provisions of the GDPR have been implemented identically in terms of content. Rather, they must be equivalent in substance.

Such an adequacy decision has been in place for the UK since 28 June 2021. The reasoning that runs through the entire adequacy decision is essentially based on the fact that the UK has hardly changed its data protection law since leaving the EU and has transposed the provisions of the GDPR into national law in the form of the "UK General Data Protection Regulation" ("UK-GDPR") and the "Data Protection Act 2018" in an almost identical form. The adequacy decision has a sunset clause limiting its validity to four years, during which the EU Commission intends to monitor the legal situation and possible deviations with regard to the level of data protection.

Planned changes to UK data protection law

After less than three months, there is already a need for this: In a discussion paper published on 10 September with the title "Data: A new direction", which caused a stir within the EU, the Department for Digital Affairs, Culture, Media and Sport attempted to set a new direction in data protection in almost 150 pages. Among the goals of the new direction were the strengthening of the UK as a "scientific superpower", as a "global hub for the free and responsible flow of personal data" and the "empowerment of businesses to grow and innovate". Even though the importance of data protection is emphasised, the paper leaves no doubt that data protection regulations, which are often perceived as holding back within the UK, are to be streamlined in the future along the lines of the GDPR. Selected proposals for change will be presented and evaluated in the following.

Changes of legal bases for processing

The discussion paper seeks a significant change in the area of legal bases. As can be read in the section " Reducing barriers to responsible innovation ", processing on the basis of legitimate interests (Art. 6 (1) lit. f UK-GDPR) is to be reformed to the effect that a balancing of interests in the narrower sense is no longer to be carried out for certain activities. These are to be included in a list, which is to be regularly adapted.

As examples, the paper mentions, among other things, the reporting of criminal acts (cf. 61 lit. a) and public health information (cf. 61 lit. b), processing in the context of pseudonymisation and anonymisation (cf. 61 lit. g), but also the use of personal data for improving services for customers (cf. 61 lit. h) or the use of cookies to measure target groups or improve websites (cf. 61 lit. d). This is intended to reduce the need to obtain declarations of consent and thus simplify data protection law in practice.

Another interesting amendment provides for the extension of Art. 6 UK-GDPR by creating a new legal basis for research to facilitate the work of organisations processing data for research purposes.

Changes in the area of compliance

Under the section entitled "Reducing burdens on businesses", there are some proposals for adjustments in the area of compliance. For example, the existing requirement to appoint a data protection officer is to be deleted, as smaller organisations in particular would often have difficulties finding one (cf. 162 et seq.). Instead, "suitable individuals" are to monitor compliance with data protection.

The obligation to carry out a data protection impact assessment pursuant to Art. 35 UK GDPR is also to be abolished in favour of giving companies the freedom to choose other approachesin identifying and minimising data protection risks that are better suited to their specific circumstances (cf. 165 et seq.). In addition, the requirement to consult the supervisory authority ("Information Commissioner's Office", short "ICO") is to be removed, documentation requirements are to be softened and the use of analytic cookies is to be made possible even without the consent of the data subjects.

In the event that these proposals are not implemented, however, the discussion paper also contains much more moderate alternatives (cf. 184 et seq.). For example, the abolition of the data protection commissioner merely means the abolition of the obligation for all public authorities to appoint a data protection commissioner.

Risk of losing safe third country status

That these potential changes would have an impact on the EU Commission's hard-won adequacy decision is obvious and the ministry was well aware of it: thus, in the "analysis of expected impact" published alongside the discussion paper, it already included the possibility of losing safe third country status.

One sticking point could be the envisaged reforms within the framework of the balancing of interests. However, one should not be tempted to reject all proposals out of hand and thus miss the opportunity to improve the existing data protection law. In fact, the use of the formally equivalent legal basis for processing under Art. 6 (1) UK GDPR (or Art. 6 (1) 1 GDPR) is very consent-heavy in practice, which does not necessarily cause jubilation from the point of view of both companies and data subjects. A shift towards a balancing of interests can therefore make sense and would not necessarily be associated with a reduction in the level of data protection. However, it is doubtful whether the proposed list of exceptions to the balancing of interests in the narrower sense is the right instrument for this: Especially the use of personal data to improve services for customers or the use of cookies for target group measurement are areas where there is definitely potential for abuse.

The reform efforts in the area of compliance along the lines of Canada, Singapore and Australia are also likely to trigger scepticism on the part of the EU Commission - not least, there is no adequacy decision by the EU Commission with regard to the latter two. In particular, the abolition of the obligation to appoint a data protection officer would not only weaken the internal control of data protection compliance on the whole, it would also hardly do smaller companies any favours. Of course, they would still have to comply with data protection regulations and be accountable for them. So they would have no choice but to either continue to look for well-qualified individuals for this purpose or to bear the risk of a breach. Thus, no added value of the regulation can be recognised. Less problematic - and probably more realistic in terms of implementation - would be the paper's weakened alternative proposals. However, even there, if the data protection law were to be redesigned too extensively, there would be a danger that the standard of the GDPR could not be maintained, at least in the eyes of the EU Commission.

Conclusion

Contrary to what one might assume, the discussion paper is by no means to be understood as a pure provocation against the EU. Rather, even if it overshoots the mark in some places, it represents a credible attempt to streamline data protection law in comparison to the GDPR.

However, it is questionable whether the UK will master the fine line between the desirable reduction of regulations and the erosion of a level of data protection that has meanwhile established itself worldwide as the "gold standard". Moreover, it is doubtful whether the EU Commission, which already pointed out in the context of the adequacy decision that it would keep a watchful eye on developments in data protection in the UK, will go along with the experiment for long.

Just as unhelpful as the discernible trend in rhetoric from London to put distance between itself and EU regulations in this context is the announcement of a potential recognition of numerous states, which in the view of the EU Commission do not achieve the level of data protection of the GDPR, as safe third countries. These include Australia, Colombia, Singapore, South Korea and, remarkably, the United States of America.

With all that said, however, it should be remembered that this is only a discussion paper. The deadline for submitting comments is 19 November 2021. A first detailed statement by the ICO is already available, and further ones can be eagerly awaited. One thing is clear: the topic of Brexit will not rest in the Advent season.