UK publishes proposals for new Data Protection Reform Bill
The UK Government has recently announced plans to reform UK data protection laws following its consultation "Data: A New Direction". The UK's current laws, (the UK GDPR, the Privacy and Electronic Communications Regulations and the Data Protection Act 2018), will not be repealed but will be subject to significant change. The rationale behind these proposals is an aim to establish the UK as "the most attractive global marketplace". The government believes that this can be achieved through an improved data regime that, amongst other things, promotes innovation and frees up valuable time and resources for businesses by removing some of the more prescriptive compliance requirements.
Reducing the compliance burden for businesses (and the end of the cookie banner)
Privacy Management Programmes: while the government considers the principle of accountability to be a fundamental part of protecting an individual's rights, it nonetheless seeks to reduce the "disproportionate burden" this creates for some organisations. "Privacy Management Programmes" will replace some of the more prescriptive elements of the UK GDPR. This includes removing the need to appoint an independent Data Protection Officer, replacing it instead with a requirement to appoint a senior responsible individual who is tasked with embedding an organisation-wide culture of compliance. While the requirement to identify and manage risks remains, the need to conduct DPIAs in their current form will go, as will the Art 30 requirement to maintain Records of Processing Activities (RoPAs). Interestingly, most respondents to the consultation disagreed with the proposal to scrap the use of RoPAs, and so these are likely to remain the preferred method of evidencing data processing activities for some time to come.
Subject access requests (DSARs): the government plans to proceed with changing the threshold for refusing to respond to a DSAR from 'manifestly unfounded or excessive' to 'vexatious or excessive'. This brings the test in line with the Freedom of Information Act regime. The government has abandoned its plans to re-introduce a nominal fee payable by data subjects bringing a request and its proposal to introduce a cost ceiling for handling requests. The impact of this change may be minimal in practice although arguably it may narrow the circumstances in which a request can be refused.
Unlocking the power of data for innovation
A key focus of the consultation was the importance of innovation and the responsible use of personal data to drive scientific breakthroughs and enable cutting-edge technologies to deliver socio-economic benefits. The proposals in this area are designed to create greater certainty for organisations about how and when personal data may be used for these means and to ensure that UK laws keep pace with data-driven technologies. The proposals include:
- creation of a definition of "scientific research" based on recital 159 of the UK GDPR;
- clarification around the use of broad consent (which allows scientific research to use a less specific form of consent when it is not possible to fully identify the purpose of the processing at the point of data collection);
- clarification around the ability to further process personal data in situations where there has been a change of controller and to make clear that further processing cannot take place when the original legal basis is consent, other than in very limited circumstances;
- creation of a limited number of carefully defined processing activities for which the balancing test need not be applied for the controller to rely on legitimate interest as the lawful basis for processing;
- AI and machine learning: several measures are proposed concerning AI including those relating to bias mitigation; and
- clarity around when data can be considered "anonymised".
International data transfers
On the subject of international data transfers the government said it will also take forward reforms "that better enable the UK to approach adequacy assessments with a focus on risk-based decision-making and outcomes, and continuing to support the UK's commitments relating to data flows". This includes a risk-based approach to adequacy decisions and powers for the Secretary of State to create new UK mechanisms for transferring data overseas or recognise in UK law other international data transfer mechanisms if they achieve the outcomes required by UK law.
Deliver better public services
The reforms in this area are designed to build on the lessons learned from the COVID-19 pandemic. The government identified current challenges to a joined-up and interoperable data ecosystem, which its proposals aim to address. These include topics such as non-public bodies delivering public services, processing health data in an emergency and measures relating to public safety and national security.
Shake up of the Information Commissioner's Office
A reform of the ICO is also planned, although the proposals are unlikely to have any direct consequences for individuals or organisations. Changes in the structure of the ICO favour a separate independent board, which provides direction to - and scrutiny of - the executive, as opposed to ultimate power sitting with a single Information Commissioner. It has also been proposed that the statutory guidance produced by the ICO will be subject to pre-approval by Government, which raises questions about the independence of the office.
We wait eagerly to see how proposals for the privacy management programme unfold and whether the same documentation and measures (for example, RoPAs) end up being used under a different name. The question everyone wants answered is whether the European Commission will view the changes as a significant enough departure from EU legislation to call for a review of its adequacy decision in respect of the UK. While the government seems confident that there will be no such impact, only time will tell whether this confidence is misplaced.
It also remains to be seen how the changes will be handled by companies that are subject to both the EU and UK GDPR. For example, if a company still requires a DPO under the EU GDPR, how likely is it to stop using one in relation to its UK compliance needs, even if that work must be under the review of a senior responsible individual from within the organisation? The effect of the intended reduction of the compliance burden may be limited while companies remain subject to the EU GDPR.
One final point: the need for companies not established in the UK but caught by Art 3 of the UK GDPR to appoint a UK representative has not changed. Vice versa, UK companies not established in the EU still need to appoint an EU representative. For more information on the role of a representative under the EU and UK GDPR after Brexit, see here.