UK Data Reform: Evolution not revolution
Following its 2021 public consultation on reforming the UK's data protection laws, the UK Department of Digital, Culture, Media and Sport (DCMS) has published its response. Despite being positioned as "a new direction", the response signals more of an evolution of the current regulatory framework than a revolution. It seeks to remove some of the UK GDPR's "prescriptive requirements" without diluting the protection of personal data. Retaining the European Commission adequacy decision was clearly front of mind. We review the key proposals.
The vast majority of the existing UK GDPR will live on, but with less red tape
A key theme throughout the response is that of 'reducing burdens of business'. The result is the creation of an as-yet-undefined 'privacy management programme' which will replace certain UK GDPR compliance obligations. However, some of the bolder proposals in the consultation did not make the final cut, such as those relating to automated decision-making and data breach reporting thresholds.
Amongst the proposed changes, DCMS will remove the requirement to undertake data protection impact assessments (DPIAs) and the obligation to consult with the ICO when undertaking high risk processing. Organisations will also have some flexibility in terms of how to maintain record of processing activities (RoPA). In place of a data protection officer (DPO), data protection responsibilities will be able to be absorbed by a designated senior member of the business. It remains open for organisations to continue with their current DPIAs, RoPAs and DPOs.
For organisations that operate internationally, particularly those which have designed a pan-European or wider privacy management programme, it remains to be seen whether these proposals will lead to material changes to privacy compliance programmes.
Pre-approved legitimate interests
A pre-approved list of processing activities will be exempt from the requirement to conduct a legitimate interest balancing test. However, the response suggests that the list of such processing activities will be narrower than respondents requested. It remains to be seen whether key processing activities, such as anti-fraud, anti-money laundering and network security, make the list. It does not appear that DCMS took on board comments that to the extent processing was justified under a condition within Schedule 1 of the UK Data Protection Act, it should automatically be considered as satisfying the legitimate interests test.
DCMS has provided some much sought after clarity on the test for anonymised data, again seeking to establish a practical threshold. They have confirmed that the test for whether data can be deemed anonymous is whether the data subject can be re-identified based on the 'reasonable means' available to the controller (rather than to a third party) to re-identify the data. This proposed relative test of anonymisation will also bring alignment with the Council of Europe's views.
Major reform of cookie compliance
A more substantial departure from the EU model is the approach to cookies. DCMS intends to implement a three-phase plan. The first step in the "immediate term" will be to permit cookie use on websites and connected devices without explicit consent for a small number on non-intrusive purposes (such list is yet to be published). Secondly, it will transition to an opt-out model of consent for website cookies and remove the requirement for cookie consent banners (other than for websites likely to be accessed by children). In the third phase, DCMS will explore the possibility of relying on browser-based and other automated technologies to enable users to manage online preferences.
Changes to Data Subject Access Requests
DCMS proposes to change the threshold at which an organisation can legitimately refuse to comply with, or be entitled to impose a fee for responding to, a data subject access request (DSAR). Instead of the current threshold of "manifestly unfounded or excessive" (Article 12(5) UK GDPR), the DSAR regime will change to "vexatious or excessive" which DCMS states will align it to the Freedom of Information Act 2000 (FOIA). Section 14 FOIA, as interpreted by caselaw and ICO guidance, sets a very high threshold for considering a request vexatious. Considering current ICO guidance on "manifestly excessive", which is reasonably permissive, it remains to be seen whether this proposed change will move the dial in terms of reducing the burden on data controllers of complex and resource-intensive DSARs.
PECR fines: aligned to UK GDPR
DCMS proposes to increase fines under the existing Privacy and Electronic Communications Regulations from £500,000 to £17.5m or 4% of global turnover (whichever is greater), in line with the UK GDPR and Data Protection Act 2018. DCMS will also introduce new measures to allow regulators to take enforcement action sooner and more effectively against nuisance calls.
The response includes proposed changes to the UK's international transfer mechanisms. For instance, clarifying that either judicial or administrative redress is acceptable for international transfers or relaxing the requirement to review adequacy regulations every four years. DCMS clearly took into consideration the need to balance supporting international data transfers (an acknowledged element of the UK's international trade policy) and maintaining its adequacy decision from the European Commission.
Interestingly however, the response proposes requiring the Secretary of State to consider an additional factor of "the desirability of facilitating international data flows" when making an adequacy decision under Article 45(2) UK GDPR. The key issue will be the weight the Secretary of State gives to this factor and whether the European Commission considers it dilutive of the other (compliance-focused) factors.
The response also proposes to give the Secretary of State powers to create and recognise "alternative transfer mechanisms". In essence, this would allow the Secretary of State to develop new mechanisms to transfer personal data outside the UK. The response proposal also points out that there will be changes in the law "which ensure that data exporters can act pragmatically and proportionally when using alternative transfer mechanisms". This might allude to a lighter-touch transfer impact assessment (TIA) regime. Given the importance placed on onward transfers, the European Commission would likely take into consideration the impact of any such alternative transfer mechanism when reviewing its adequacy decision.
We now await the text of the Bill implementing those proposals, the timing of which is not yet clear.
Although outside the scope of the consultation, DCMS is also considering options for a new name for the UK's data protection supervisory authority (the Information Commissioner, supported by the Office of the Information Commissioner) as it evolves from being a "corporation sole" to an organisation similar in structure to other statutory regulators such as the CMA and Ofcom, with a chief executive, chair and a board.