UK data protection reform - a way forward following Brexit?

Following Brexit, the UK government announced its vision to develop a separate data regime from the EU data protection laws in its mission statement and consultation, which closes on 19 November 2021.

Mission Statement

On 26 August 2021, the UK Government published its mission statement entitled  “International data transfers: building trust, delivering growth and firing up innovation“, containing its intentions to enter into adequacy agreements to facilitate the transfer of data between the UK and third countries. The aim is to provide UK organisations with the most efficient way to transfer personal data without alternative mechanisms. The UK Government identified ten priority countries for those deals. These territories include Australia, Brazil, Colombia, The Dubai international financial centre, India, Indonesia, Kenya, The Republic of Korea, Singapore, and the United States of America.

Adequacy between two countries is not meant to undermine the level of protection under the UK GDPR when transferring personal data internationally. To determine whether a third country has the appropriate and equivalent level of security, the UK Government will consider the overall effect of a third country's data protection laws, implementation, enforcement, and supervision. To assist organisations with the assessment, the Government published:

• The Manual Template containing questions to guide the collection of relevant information relating to a country's data protection; and

• The Manual Guidance to assist with the identification and recording of relevant information.

The adequacy decisions are subject to monitoring and under review every four years.

In addition, John Edward who has been nominated as the preferred candidate to be the UK's next Information Commissioner, indicates the Government's intention to adopt a new direction to the data protection regime.

Consultation Paper

On 10 September 2021, the UK Government published its consultation on proposals to reform the UK's data protection regime. The consultation is focused on five objectives:

1. Reducing barriers to responsible innovation

The aim of lowering barriers is to provide clarifications to help organisations establish the legal basis of processing in research, legitimate interests, AI and Machine learning, data minimisation, and anonymisation.

By simplifying the legislation concerning scientific research and AI systems, it will provide a more appropriate avenue for assessing fairness and outcomes. The UK Government proposes creating an exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test to give them more confidence to process personal data without unnecessary recourse to consent. Whilst the balancing test may still apply for certain activities, the rationale behind such an approach is to create a better balance between protecting individuals and not impeding responsible data use in these specific circumstances.

2. Reducing barriers on business and delivering better outcomes for people

also known as the accountability framework. The proposal intends to provide a proportionate and flexible approach by replacing the existing requirements to designate a Data Protection Officer, removing the requirement of a Data Protection Impact Assessment and the provisions under Article 36 of the UK GDPR for prior consultation with the ICO for higher risk processing. It also allows the organisations to provide the ICO with a remedial action plan and a more flexible record-keeping model set out in Article 30 of the UK GDPR. The threshold for reporting to the ICO will be whether the risk to the individuals is material instead of non-material risk.  

The consultation paper recognises the needs of individual organisations and proposes introducing a fee regime identical to that of the Freedom of Information Act 2000 for data subject access requests (“DSAR”), which will include a cost ceiling to address organisations’ capacity constraints. Additionally, the proposal includes amending the threshold for response to a DSAR enabling organisations to refuse vexatious requests.

The UK Government’s proposals also include recommendations to improve to the Privacy and Electronic Communications Regulation 2003 ("PECR") which complements the UK GDPR and addresses privacy rights on, amongst other things, cookie policies. For instance, it is proposed that explicit consent will not be a requirement for using analytics cookies and storing or collecting information from a user's device for another limited purpose since such a requirement is not risk-based and tends to be interpreted very narrowly.

3. Boosting trade and reducing barriers to data flows

The Government is committed to reducing the obstacles organisations face when transferring personal data overseas. The goal is to explore a legislative change to ensure that alternative transfer mechanisms are available to UK organisations under the UK GDPR, which is transparent, flexible and provide personal data protection. Organisations will be allowed to create alternative transfer mechanisms in addition to the mechanisms listed under Article 46 of the UK GDPR and derogations (under Article 49 of the UK GDPR) will continue to be permitted although it is proposed that there should be an increase in flexibility in use.  

4. Delivering better public services

The Government proposes to amend the existing lawful bases for processing personal data for private organisations who help deliver public tasks provided for under Article 6 of the UK GDPR. The government proposes to clarify that private companies, organisations and individuals who have been asked to process personal data on behalf of a public body may rely on that body’s lawful ground for processing the data under Article 6(1)(e) of the UK GDPR and need not identify a separate lawful ground.

5. Reform of the ICO

The Government’s objective is for the ICO to be an agile and forward-looking regulator. To achieve this the consultation paper recommends several changes, including a new information-sharing gateway, a transparent complaints-handling process, and introducing a threshold for data subjects to make complaints to the ICO by first attempting to resolve the complaints directly with the relevant data controller. Furthermore, new powers are introduced for the ICO to enable the commission of an independently produced technical report to inform investigations to provide the ICO with discretion to decide not to investigate a complaint to reduce the burden on the ICO.

The consultation is open until 19 November 2021.

Comments

Both papers are constructive and demonstrate the UK Government's intention for a new direction in data protection laws within the UK. Although there will be challenges ahead, with the European Commission making it clear that it will closely monitor the UK data protection laws and the practicality of the adequacy principle when an organisation is subject to both the UK and EU GDPR, it is a delicate balancing act for the UK Government which seeks to maintain the privacy rights of individuals but to also encourage growth and innovation in the UK

It is encouraging that the ICO welcomes the review of the UK data protection legal framework and regulatory regime. However, Information Commissioner Elizabeth Denham, in her response to the government's consultation paper published on 7 October 2021, underlines that the "devil will be in the detail". She emphasises the importance of maintaining rights for individuals, minimises burdens for business, and safeguarding the ICO's independence.

We will be closely monitoring the developments of both the consultation paper and the mission statement and report further updates and the effects it might have on your organisation.