Data Protection Report - Norton Rose Fulbright

On 10 September 2021, the UK Government published its consultation paper on proposals to reform the UK’s data protection regime.  The deadline for responding to the consultation is 19 November 2021.

In August, the Government announced that it intended to “seize the opportunity” afforded by the UK’s exit from the European Union to make some changes (see our blog The UK Government unveils its post-Brexit plans to shake up data protection laws).  It has seized it with gusto, announcing more than 70 proposals and calls for views and publishing its economic analysis of expected impact.  The proposals range from clarifications to provide greater certainty, through proposals positioning the UK within a non-EU data protection world of Singapore, Australia, New Zealand and Canada (indicating the direction of international travel for the UK), to proposals to facilitate innovation in light of the Government’s stated goal to empower UK business to grow and innovate.

The consultation is structured around 5 objectives: reducing barriers to innovation; reducing burdens on business and delivering better outcomes for people; boosting trade and reducing barriers to data flows; delivering better public services; and reform of the ICO.  For organisations in the private sector, we have picked out some relevant proposals from these.

Core elements of the GDPR: legal bases / conditions

For the most part, proposals around the legal bases / conditions are clarifications to help organisations establish the legal basis for processing; others are more aligned with the Government’s goal of facilitating innovation and promoting research.

On the test for processing for a secondary purpose in Article 6(4), the Government believes there may be benefits to improving the clarity around the test, to make it clearer that further processing is also permissible where the secondary purpose safeguards an “important public interest” or is based on a law that does that.  It also seeks views on whether it would be useful to clarify the circumstances, “if any”, in which further processing for an incompatible purpose can be conducted by a second controller. The context here is enabling innovative data use involving data sharing by different controllers, rather than clarification.  This particular item should be considered carefully as the test in question links to the Article 5 purpose limitation (so not just a legal basis issue).

On legitimate interests, the Government proposes disapplying the legitimate interest balancing test for certain activities.  Suggested activities include monitoring, detecting or correcting bias in AI systems; using personal data for internal R&D or “business innovation purposes aimed at improving services to customers”; and using audience measurement cookies to improve webpages.  The proposal is framed to provide organisations with certainty around these activities (and avoid having to seek consent).  Organisations should note that it is proposed as a disapplication of the balancing test rather than a rebuttable presumption (that the balancing test is met).  Depending on the activity in question, organisations would have to consider how disapplying the balancing test would work in light of a request to exercise those rights which require reconsidering the legitimate interest.

For those organisations processing for research purposes, the Government proposes creating a new legal basis for research with safeguards, along with other proposals to clarify and consolidate the research related provisions of the UK GDPR and DPA, to help the UK’s research sector.

Compliance program

The Government proposes introducing a flexible and risk-based accountability framework requiring an organisation to implement a privacy management programme (ie a compliance program) which would reflect the type of personal data and type of processing an organisation does.  The Government cites Singapore, Canada and Australia as having more flexible and risk-based frameworks than the UK GDPR.  Yet it also recognises that there is no explicit requirement in Article 24 to implement a compliance program, and views its proposals here as expanding on Article 24.

Either way, many of the proposed requirements are likely to already form part of an organisation’s existing compliance program (such as policies and processes; training and awareness of staff; monitoring and continuous improvement).  There is emphasis here on risk management, as there is throughout the consultation on risk-based compliance, as the program must include “risk assessment tools for the identification, assessment and mitigation of privacy risks”.  One of the key issues will be the extent to which an organisation can be sanctioned for not having or having a deficient policy or process, absent any other enforcement issues.

Other proposals seemingly just reframe, rather than remove, existing requirements: on the one hand, the Government will take away requirements for a DPO, ROPA and DPIA, but with the other hand, it will give organisations requirements for a designated individual responsible for the privacy compliance program, a personal data inventory, and risk management processes and tools.

Complaints and DSARs

The Government takes a three-pronged approach to complaints from individuals.  An individual will have to attempt to resolve their complaint directly with the controller before lodging it with the ICO (aligning data protection with other areas such as UK financial services).  A controller will be required to have a complaints handling process (as Singapore already requires), and also to publish the type and volume of complaints received.  Organisations will need to factor this in as part of their compliance program.  As for the ICO, it will be given a power to refuse to investigate a complaint based on certain criteria.

The only data subject right / request that the Government discusses is DSARs, and its proposals will be relevant to the internal DSAR handling process and require upskilling on any new tests introduced.  It proposes introducing a fee regime similar to the UK’s Freedom of Information Act (FOIA) fee regime. This would allow controllers to charge a fee for responding to a DSAR over a certain cost limit, but would not give them grounds for refusing the DSAR.  The Government also proposes introducing a threshold of vexatiousness (as in FOIA) for DSARs to allow the controller to refuse to deal in whole or in part with the DSAR.  This has the effect of lifting the veil on the (mostly) purpose-blind DSAR regime.

AI, automated decision making and algorithms

On AI, there is detailed and thoughtful discussion yet only limited proposals – that bias monitoring, detection and correction in relation to AI systems would be on the list of legitimate interests which disapply the balancing test, and updating Schedule 1 of the DPA to reflect this for special categories of data and criminal offence data.  This is because the Government recognises that data protection is not a one stop shop intended to comprehensively govern AI.  Instead, it uses the consultation to focus on the interplay of AI and data protection law.  In particular, there is recognition that there are multiple and overlapping concepts of fairness in the UK which could give rise to uncertainty on how to assess fairness in the context of AI.

On solely automated decision making under Article 22, the Government appears to be considering two wildly contrasting alternatives but has not made any firm proposals.  It calls for views on whether Article 22 should be clarified and future-proofed, in light of uncertainties around its operation, terminology and narrow scope.  It also wants views on the alternative, to remove Article 22 altogether as recommended by the Taskforce on Innovation, Growth and Regulatory Reform.  Privacy campaigners and those bringing challenges to the gig economy’s reliance on Article 22 are likely to have strong views on these.

On algorithms used in decision making by the public sector, the Government proposes to introduce compulsory transparency reporting for “government contractors using public data”, as well as for public bodies.  This would mean providing information about technical specifications of the algorithms, what datasets are used and how ethical considerations are being addressed.  This could affect private sector organisations using public data or potentially any private sector organisation licensing the underlying software / algorithm to the public sector.

Finally, it proposes to clarify the test for anonymisation by elevating the relative approach to determining whether data is anonymised or not in a particular controller’s hands into UK legislation, so that such data can be used with more confidence outwith data protection constraints.

ICO role and enforcement powers

On the enforcement side, key proposals include granting the ICO power to commission independent technical reports similar to the power of the FCA under section 166 of FSMA for a skilled person’s report.  Key issues for organisations to consider would be the triggers for such a report, confidentiality over it, and cost implications.  The ICO’s deadline for issuing a final notice would also be extended from 6 to 12 months in light of more complex investigations.  It would be given the power to compel witnesses for interviews.

The Government’s goal is to ensure that the ICO delivers an innovation-friendly and streamlined regulatory landscape, and some of its proposals would align the ICO with other UK regulators.  It proposes a new statutory framework for the ICO’s strategic objectives, requiring it to have regard for economic growth and innovation, regard to competition, and also to require the ICO to consider the Government’s own international priorities when conducting its international activities.  Structural changes are proposed to the ICO itself, including creating a new independent board and CEO.

Data transfers

The Government makes a number of proposals in order to drive forward its goal to create an autonomous UK framework of international data transfers and independent adequacy decisions.  However, surprisingly, it now proposes to remove the requirement to review UK adequacy decisions every four years, in contrast to its Mission Statement last month.

On other transfer mechanisms, the Government wishes to ensure that there is a suite of transfer mechanisms available to organisations.  It is considering whether to allow organisations to build their own data transfer mechanism, exempting reverse transfers as the ICO also suggested in its own consultation earlier this summer, and making explicit that repetitive use of the derogations (but not the legitimate interests derogation) would be permissible.

Our take

The consultation is considered and detailed, covering widespread reforms and policy goals.  It should be read closely with an eye to the effect of a relevant proposal in both legal and operational terms.  One key challenge to consider would be how proposals would work where an organisation is subject to both the UK GDPR and the EU GDPR but the UK GDPR now has an additional requirement – is there an unintended effect of gold-plating an international compliance program?  There may also be unexpected outcomes – will ever increasing complexity over data transfers (especially for organisations subject to both GDPRs) encourage multinationals to apply for Binding Corporate Rules or certification schemes to simplify the cost and burden around such compliance?

The elephant in the room is the effect any future changes would have on the UK’s adequacy status.  The Government states that it believes it is perfectly possible and reasonable to expect the UK to maintain EU adequacy.  However, the associated impact analysis published alongside the consultation suggests it may be hedging its bets – it has already done the maths for both an adequate UK and a non-adequate UK post implementation of these reforms.