The Department for Culture, Media and Sport (DCMS) has finally published the UK government’s long-awaited response to the consultation on the future of the UK data protection regime.
The government set out very high level principles for a Data Reform Bill in the Queen’s Speech in May. If legislation is to be passed in this parliament, the bill will need to be introduced for scrutiny soon (although no announcements have been made as to when this will happen and interrelation with other areas such as the forthcoming AI white paper may further delay it). The areas set out in the response are likely to be in the bill.
Click here to see our analysis of the initial consultation proposals.
We set out below the key changes the government intends to proceed with:
Reducing barriers to responsible innovation
Research. Small changes will move the definition of research, and a provision permitting a less specific form of consent to be used for scientific research (where it is not possible to fully identify the purposes at the point of collection), from the recitals into the main body of the UK GDPR, with the objective of making these easier to rely on in the face of potentially conflicting provisions in the main body. An exemption from the requirement to provide further fair processing information, where personal data was initially collected directly from data subjects and is later repurposed for research, has also been identified for cases where providing that information would involve disproportionate effort.
The instances where personal data can be re-purposed (used for a different purpose than the one identified at the point the data was initially collected) will be clarified. The clarifications themselves are unspecified, although there is a reference to the recitals being made clearer (for example, GDPR recital 50 provides public interest examples of where processing can be used for an incompatible purpose). There will also be unspecified clarifications on whether processing by a new controller amounts to new processing or further processing.
A list of processing purposes that can be undertaken on the basis of legitimate interests without undertaking the “balancing test” will be introduced. An initial limited list, including the prevention of crime and reporting of safeguarding concerns that can be justified in the public interest will be included, with a power for the government to add other purposes subject to parliamentary scrutiny.
How should fairness be interpreted in the AI context? Many of the key AI questions have been deferred until the government publishes its AI white paper, including what the ICO should take into account and how the ICO should interact with other regulators in this context.
Processing special category personal data for AI bias mitigation purposes. A new processing ground will be introduced for monitoring and correcting bias in AI subject to safeguards, such as limitations on re-use and the implementation of privacy-preserving measures.
Reform of Article 22. Uncertainty about when automated decision making is “solely automated” and when “it produces legal effects or significantly affects” the data subject means the government is considering how to amend this provision, including recasting it as a right to specific safeguards rather than as a general prohibition on solely automated decision making. However, the precise approach will be set out in the AI white paper.
The standard of anonymization will be clarified. The test will be relative and it appears lower than under the EU GDPR, although the precise approach is not set out in the response.
Any rules relating to data intermediaries will be addressed in the rules for Smart Data Schemes.
Reducing burdens on businesses and delivering better outcomes for people
Key parts of the existing accountability framework will be replaced by more flexible, risk based “Privacy Management Programmes.” The comprehensiveness of the programme will be based on the level of processing activities and volume and sensitivity of personal data handled and will be less of a “box-ticking” exercise. As part of this:
- Data Protection Officers (DPOs) will no longer be required, but the role will be replaced by a senior responsible individual. The role has not yet been fully particularised, but it seems likely to be less formal than that of DPO and without the independence requirements.
- The requirements to maintain Article 30 registers and to undertake data protection impact assessments (DPIAs) will be removed, with more flexible requirements relating to risk management and data inventories. Personal data inventories setting out what and where personal data is held, why it has been collected and how sensitive it is will still be required and organisations will still need to demonstrate that they have identified and managed risks (just not in a prescribed form).
- Prior consultation for high risk processing will now be voluntary. However, such consultation is incentivised, as it will be taken into account as a mitigating factor during any future investigation or enforcement action.
The threshold for refusing to respond to a data subject access request (DSAR) has been lowered from “manifestly unfounded or excessive” to “vexatious or excessive.” This is the formulation used to resist freedom of information requests and will therefore import that case law.
The requirement to obtain consent for cookies will be relaxed in relation to a broader class of purposes (but not for cross-site tracking). These could include audience measurement or fault detection on a site. Provisions will also be included so an opt out regime can be applied across all uses once browser-based and similar solutions are mature enough, although this is stated to be “in the future”.
“Soft opt-in” marketing consent will be extended to non-commercial entities, such as charities and political parties.
Restrictions on nuisance calls will be tightened. There will be a further regulatory obligation for communications providers, requiring them to report on suspicious levels of traffic on their networks, and a new right for the ICO to take enforcement action on the basis of calls generated, as opposed to calls connected.
The enforcement regime under the Privacy and Electronic Communications Regulations 2003 (PECR) will be increased to bring it in line with the GDPR. Currently fines under PECR are capped at £500,000.
Boosting trade and reducing barriers to data flows
A risk-based approach to adequacy decisions. The government will take forward reforms that enable the UK to approach adequacy decisions by taking a risk-based decision, accounting for the different cultural and legal traditions in which countries operate (and allowing it to take into account administrative as well as judicial redress in the assessment). Decisions will not be reviewed every 4 years.
Proportionality of appropriate safeguards. Unspecified reforms are proposed to allow data exporters to act pragmatically, practically and proportionally when using export mechanisms, whilst maintaining a high standard of protection for data subjects. This appears to be targeted at transfer risk/impact assessments.
Power for the Secretary of State to recognise alternative transfer mechanisms. This is being included as a future-proofing measure, but it allows recognition of other countries' mechanisms as sufficient.
Delivering better public services
More sharing of personal data to support public service delivery. Greater powers will be considered but any data sharing regulations would be subject to further public consultation and parliamentary scrutiny.
Non-public bodies delivering public tasks. It will be clarified which lawful processing grounds are available for non-public bodies to rely on when they are requested by a public body to help deliver a public task.
Processing in the substantial public interest. Special categories of personal data can be processed in the substantial public interest in the specific circumstances set out in Schedule of the Data Protection Act 2018. The government is considering further whether to add certain additional circumstances.
Aligning law enforcement and intelligence services processing with the UK GDPR and Data Protection Act 2018 provisions applicable to other controllers and processors. The government will look to create greater alignment, including allowing such bodies to produce codes of conduct for ICO approval.
Reform of the ICO
New strategy framework for the ICO. An overarching objective to uphold data rights and encourage trustworthy and responsible personal data use will sit above subsidiary duties to have regard to competition, growth and innovation and public safety. The Secretary of State will set out a statement of strategic priorities for the ICO (which must be approved by parliament). The ICO will be required to respond to these priorities but will not be legally bound to act in accordance with the statement. The ICO’s governance will also be reformed and it will be renamed.
The ICO will have to set up expert panels to review codes of practice or guidance on complex or novel issues. The Secretary of State will also be able to approve such codes or guidance.
Changes to ICO enforcement. Data subjects will have to attempt to resolve their complaints with the relevant data controller (who will be obliged to have a complaints handling process) before lodging a complaint with the ICO. The ICO will have discretion not to investigate certain complaints.
The ICO will have the power to commission third parties (at the expense of the controller or processor) to undertake technical reports as to the circumstances of a breach. It will also have the power to compel witnesses to attend and answer questions at interview. These are powers that the Financial Conduct Authority has and uses today.
Currently the ICO must issue a penalty notice within 6 months of issuing a notice of intent; if the investigation is complex it will be able to extend this period, but not otherwise. The ICO will also have to set out the anticipated timelines for phases of an investigation to the relevant controller at the beginning of an investigation.
Our take: A number of the more controversial proposals in the initial consultation have been dropped, such as abolishing the right to object to solely automated decision making completely and allowing repetitive use of export derogations. Within this apparently more conservative set of changes, the EU may still wish to focus on how the government reforms the re-use of personal data and anonymization tests, when it grants adequacy to any of its top 10 adequacy candidate countries or approves another country’s export tools (before the EU does), and the level of direction the ICO receives from government ministers as to how to fulfil its duties. Although there is a risk of potentially costly regulatory divergence for businesses that offer services to the EU, it does appear (at this level of magnification) that over-compliance to an EU GDPR level would satisfy the majority of the changed requirements, and the loosening/clarification of the key provisions around data reuse, anonymization and solely automated decision making could make developing AI applications in the UK more attractive. The ICO’s powers to commission technical reports could add significant expense to responding to data breaches. The devil will be in the detail and we will report on that as it becomes available.