A new dawn for UK data protection – the government sets out its plans for reform

In-depth analysis

What's the issue?

The UK government published a consultation, 'Data, a new direction' on its plans to reform UK data protection law in September 2021. Some of the more striking proposals under consideration included the introduction of a new lawful basis for scientific research, the ability for organisations to come up with their own data transfer mechanisms, and the removal of Article 22 which deals with automated decision making, as well as greatly extended governmental control of the UK's ICO.

The plans to depart from the current UK GDPR (which reflects the EU GDPR), raised fears that the proposed changes would put the UK's EU adequacy decision at risk, creating a future problem for EU-UK data transfers. Businesses were also concerned that the changes would lead to an increased rather than a decreased compliance burden on multinationals which would have to comply with an additional regime.

What's the development?

With relatively little fanfare, the UK government published its response to its consultation on reforming data protection law on 17 June 2022.

In a number of areas the government has stopped short of proceeding with wholesale change. So it has decided not to change the rules on reporting data security breaches or to create new lawful bases under Article 6. The framework for international data transfers under the UK GDPR remains broadly the same (albeit with a risk-based approach). The government also decided not to introduce a definition of substantial public interest for now, and not to proceed with requiring compulsory transparency reporting on the use of algorithms in decision-making for public sector bodies.

Perhaps the most notable changes relate to the Privacy and Electronic Communications Regulations (PECR) rather than to the UK GDPR; an end to cookie banners and an extension of the types of cookies for which consent is not required, ultimately resulting in the removal of the requirement for prior consent to drop cookies on websites once automated technology is widely available to help users manage online preferences.

Another significant change is the extension of soft opt-in for direct marketing communications to non-commercial organisations subject to appropriate safeguards. At least until the European Commission passes the ePrivacy Regulation, more significant amendments to PECR are probably less risky (from an EU adequacy perspective) than major changes to the UK GDPR would be. The EC's final position may change that but, in some areas, like increased fines, the EC is likely to agree with the UK's approach.

What does this mean for you?

This is not the full scale revolution that some commentators thought was coming. But, equally, there are significant changes. This means businesses will need to adapt, potentially to running parallel compliance regimes under UK and EU rules although the government is keen to stress that businesses which are already UK GDPR-compliant will not have to make too many changes. Of course, we need to wait for the draft Bill and what it looks like in its final form once it has gone through the UK Parliamentary legislative process before we know the full implications.

While the UK is no longer a member of the EU, any changes that the UK government makes to UK data protection law have to walk a fine line given the clear economic benefit of preserving the UK's adequacy status under EU law as well as maintaining a high standard of data protection for individuals.

There will be a new statutory definition of scientific research although, since this is going to be based on the language in recital 159 of the GDPR, there are unlikely to be any big surprises. Additionally, there will be clarification about the use of broad consent for research, clarity on further processing for research, and an exemption from the requirement to provide a privacy notice for data used in research when contacting individuals would involve a disproportionate effort. However, the government is not going to introduce a new lawful basis for research purposes given feedback from respondents that the existing framework under Article 6 is sufficient.

Legitimate interest

There will be an initial limited number of carefully defined processing activities where an organisation can rely on legitimate interest without having to carry out a balancing test. These limited processing activities will include prevention of crime and safeguarding although there will likely be additional safeguards where children's data is processed.

Article 22 and AI

Article 22 (concerned with solely automated decision making) remains. While there have been a number of voices in the UK calling for Article 22 to be removed and several respondents to the consultation found it confusing, the government is going to consider how to amend Article 22 to clarify when it applies and to align its use with the government's broader approach to governing AI-powered automated decision making. There will be a future government White Paper on AI governance although there are no current plans to legislate on fairness in AI governance. In response to specific concerns about bias mitigation in AI, there will be a new condition under Schedule 1 of the Data Protection Act 2018, to enable the processing of sensitive data for the purpose of monitoring and correcting bias in AI systems.

Anonymisation

There will be clarity on when data is anonymous. The test for identifiability will be a relative one based on wording from the Council of Europe's Convention 108. The government wishes to avoid setting an impossibly high standard for anonymisation.

Accountability

There will be a more flexible accountability framework underpinned by privacy management programmes. The aim is to reduce the amount of time and resources that organisations (especially SMEs) need to invest in compliance and introduce a more proportionate approach to comply with the law. However, there remains an emphasis on a high standard of protection so that organisations that process highly sensitive data will still be expected to implement a robust approach to accountability.

DPOs, DPIAs and ROPAs

All these requirements under the UK GDPR will be removed but there will be new obligations in their place. So, instead of a DPO, organisations will need to appoint a senior individual who is responsible for data protection compliance. Likewise, organisations will need to identify and manage risk under the new privacy management programme even if it's not documented as a fully-fledged DPIA (in the GDPR sense). And while the requirement to keep records of processing activities as defined under the UK GDPR will fall away, there will be a requirement to keep a personal data inventory as part of a privacy management programme.

Subject Access Requests

Organisations will be able to refuse SARs if the request is vexatious or excessive, replacing the current 'manifestly unfounded or excessive' threshold. However, there will be no reintroduction of the £10 fee for individuals making SARs.

Cookies, e-marketing and fines

The new legislation will remove the requirement to display a cookie banner and the government will permit cookies to be placed on a user's device without consent for a small number of non-intrusive purposes. Significantly, the intention in the future is to move to an opt-out model of consent for cookies placed on websites although this will take place only when the government is satisfied that there are robust solutions allowing individuals to manage their cookie and opt-out preferences.

Non-commercial organisations will be permitted to rely on the soft opt-in rule when sending email marketing although the government will ensure that appropriate safeguards are in place to protect individuals who do not wish to continue to receive communications. Organisations that flout the rules under PECR (the framework that governs e-marketing) will face GDPR-level fines rather than the current limit for PECR breaches of £500,000.

International data transfers

The focus will be on a risk-based approach to adequacy when the government assesses giving a third country adequacy status; there will be no requirement on the government to review adequacy every 4 years but there will be ongoing monitoring. The reforms in this area will ensure exporters can act pragmatically and proportionally when using alternative transfer mechanism but organisations will not (as was originally proposed) be able to create or identify their own transfer mechanism. Instead, the UK Secretary of State (DCMS) will be given a new power to recognise alternative transfer mechanisms as a form of future proofing.

The government is not, however, going to legislate to exempt reverse transfers (transfers from a third country into the UK and then back to the third country) from the rules on international data transfers under the UK GDPR. Nor is the government going to legislate to enable a more flexible approach to the derogations for international data transfers (Article 49).

The role of the ICO

The reforms to the ICO were some of the more controversial changes originally proposed by the government. In particular, concerns were raised that the reforms would undermine the ICO's independence. While the government will proceed to introduce new duties on the ICO (to have regard to competition, growth and innovation) as well as a new governance structure, it is not going ahead with all of its original plans. Although the Secretary of State will be given the power to issue a statement of strategic priorities to the ICO (even though most respondents disagreed with this), the ICO's primary objectives and duties will supersede these strategic priorities and they will not be legally binding.

In terms of the ICO's workload, there will be a new requirement for a complainant to resolve their complaint with the controller before escalating to the ICO which should reduce the flow of complaints to the regulator. As a result, organisations will need to provide a simple and transparent complaints handling process to individuals around handling of SARs and other rights requests. The law will also set out how the ICO can use its discretion to decide whether to investigate a complaint, thereby filtering out those complaints that are more vexatious.

What next?

Most of these changes will be introduced in the Data Reform Bill which was announced in the May 2022 Queen's Speech. It is expected to be published before the summer recess which beings on 21 July 2022.