What's the issue?
The UK's data protection regime has not changed since Brexit and remains in line with the EU's – a fact recognised by EU when it granted the UK adequacy for the purposes of data transfers. The UK is, however, free to depart from the EU regime and, in some cases, has to strike out on its own.
What's the development?
The government has set out its plans for data protection suggesting a move away from the EU in some areas. In a package of plans the government has announced:
- a focus on agreeing new adequacy arrangements, initially with six priority countries – the USA, Australia, Republic of Korea, Singapore, Dubai International Finance Centre, and Colombia. After that it will look at India, Brazil, Kenya and Indonesia.
- a mission statement on the UK's approach to international data transfers and a UK Adequacy Manual which will be used to inform the assessment of a territory's commitment to high data protection standards. This includes an international data transfers toolkit which sets out existing and planned transfer mechanisms (see our article on the planned International Data Transfer Agreement or IDTA, which will replace Standard Contractual Clauses and is currently the subject of a separate consultation).
- plans for an International Data Transfers Expert Council to support the facilitation of international data flows.
- John Edwards as the government's preferred nominee as the new ICO with an enhanced role. Mr Edwards is currently the Data Protection Commissioner of New Zealand.
- a consultation on the future of the UK's data protection regime which includes proposals to drop mandatory DPOs, DPIAs and Article 30 record keeping requirements.
What does this mean for you?
The consultation on the UK's data protection regime suggests an intention to depart from the EU GDPR in a number of areas. In addition to reducing some of the accountability requirements, the UK is looking to reduce "box ticking" and to create a "light touch" regime according to Culture Secretary Oliver Dowden.
Other issues tackled include the question of repeated consent, particularly regarding cookies, issues around purpose limitation and scientific research, and the use of legitimate interests as a lawful basis, not to mention a proposal to allow organisations to create their own data transfer mechanisms. Data-rich businesses should consider feeding into the consultation which closes on 19 November 2021.
Needless to say, the EU is unimpressed and has warned that it will suspend the UK's adequacy agreement should the UK diverge significantly from EU data protection standards and that's really the main issue – how far can the UK move without losing EU adequacy?
The 146-page consultation asks for views on a range of issues to support the government's stated aims: fostering innovation while protecting privacy, facilitating data exports, empowering the ICO, and fostering collaboration between the private and public sector, particularly around healthcare. The government is confident this can be done without losing EU adequacy.
Reducing barriers to responsible innovation
- Bringing together research-specific provisions to put them all in the same place, and defining "scientific research".
- Clarifying the lawful bases to use for research purposes and when they can be used, possibly introducing a new lawful basis for this purpose together with safeguards.
- Widening the scope of consent for re-use of research data for further purposes and clarifying the issue of when further processing is compatible with the original purpose, for example by allowing it where it is in an important public interest.
- Creating a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test. Examples of what might go on the list include: audience measurement cookies; processing for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems; improving network security; de-identifying data; and some internal functions.
- Reforms around AI and machine learning including clarification of the fairness principle in relation to AI systems. Views are sought on whether there should be scope to use data to train and test AI systems more freely, subject to safeguards.
- Potentially reforming Article 22 UK GDPR (the right not to be subject to a decision based solely on automatic processing where the decision has a legal or similarly significant effect). The government is not making proposals on this until it has the results of the consultation but it does ask for views on removing Article 22 and allowing such processing where the processing has a lawful basis under Article 6(1).
- A clear test to determine when data is "anonymous" which is potentially relative to the controller's ability to re-identify the data.
Reducing burdens on businesses and delivering better outcomes for people
- Reforming the accountability framework to create a more flexible, risk-based framework based on privacy management programmes which will reduce the number of "disproportionately burdensome" specific compliance requirements, for example by:
  - removing the requirement for a designated DPO and replacing it with a requirement for all organisations to designate an individual or individuals responsible for the organisation's privacy management programme
  - removing requirements to conduct data protection impact assessments and to engage in prior consultation with the ICO, and allowing organisations to adopt different approaches to identifying and minimising privacy risks
  - removing the Article 30 processing record requirements.
- Changing the data breach notification threshold so that breaches would need to be reported to the ICO if the risk to individuals is material.
- Re-introducing a fee for data subject access requests.
- Reforming cookie rules to reduce consent fatigue, either by allowing a wider range of cookies to be used without consent, or requiring consent for certain stipulated purposes such as invasive tracking, micro-targeting and real-time bidding.
- Extending the scope of the soft opt-in for marketing purposes to include non-commercial organisations.
- Updating PECR's enforcement regime to bring it in line with UK GDPR levels.
Boosting trade and reducing barriers to data flows
- Setting out the basis for future adequacy decisions.
- Updating the suite of alternative transfer mechanisms.
- Amending the international transfers regime to make it more flexible and suitable for specific circumstances.
- Exempting reverse transfers from the scope of the international transfers regime, i.e. data originating outside the UK, sent to the UK and then sent back to the originating jurisdiction.
- Possibly allowing organisations to create or identify their own alternative transfer mechanisms.
- Updating the certification regime.
- Allowing the derogations (other than legitimate interests) from the requirement to have a transfer mechanism to be used on a repetitive basis.
Delivering better public services
- Allowing private companies carrying out processing on behalf of public bodies to rely on the lawful basis used by the public body.
- Allowing private and public bodies to lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies.
- Compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors when using public data.
- Clarifying what is meant by "substantial public interest".
- Clarifying rules on the collection, use and retention of biometric data by the police.
- Facilitating better private and public sector collaboration on law enforcement and national security.
Reform of the ICO
- Codifying and extending the ICO's remit, including to require it to consider economic growth and innovation, competition and public safety when carrying out its duties, as well as the government's international priorities.
- Establishing an independent board and CEO at the ICO.
- Introducing greater oversight of the ICO.
- Revising when a complaint can be made to the ICO and when it must be investigated.
- Reforming enforcement powers.
- Absorbing the roles of the Biometrics Commissioner and Surveillance Camera Commissioner into the ICO.
The consultation covers a wide range of issues and as such, it is likely to be some time before any changes are put in place.