There have been many headlines today about the UK Government’s plans to reform UK data protection law. We are still reviewing the (nearly 150-page) consultation document, but set out below a dozen proposals that we thought might pique the interest of readers of our blog.
- The government claims that the reforms will net over GBP 1 billion. The government states that “[o]ur initial economic analysis shows that our reform package will have a net direct monetised benefit of £1.04 billion over 10 years, even after accounting for potential costs incurred through any future changes to the UK’s EU adequacy decisions.” The government states that this financial benefit will be “driven by unlocking more research and innovation, while easing the cost of compliance for businesses.” (The draft impact assessment is here.)
- Speaking of the EU’s adequacy decision… The UK government seems confident that there is scope to reform UK law without jeopardizing the EU’s adequacy decision that allows data to flow freely from the EU to the UK (see our post on the adequacy decision, here, and recent post on the political dimension, here). The government “believes it is perfectly possible and reasonable to expect the UK to maintain EU adequacy as it begins a dialogue about the future of its data protection regime and moves to implement any reforms in the future.” The document goes on to cite Israel as an example of a country that has been granted adequacy status “while pursuing independent and varied approaches to data protection, reflecting their unique national circumstances, cultures and heritages.” As my U.S. colleagues say, “stay tuned”…
- The government wishes to clarify when data can be processed on the basis of “legitimate interests” – including drawing up a “limited, exhaustive” list of legitimate interests for which organizations can use personal data without applying the balancing test, e.g., for certain cookies and in relation to AI. The government is concerned about over-reliance on consent as a legal basis for processing personal data, and consequently individuals suffering from “consent-fatigue.” It considers that uncertainty over when organizations can rely on the “legitimate interests” basis may be driving over-reliance on consent. The government notes that Singapore, for example, has defined specific activities that would be regarded to be in the legitimate interests of a data controller, and suggests that UK legislation should include a similar list. Among other activities, the government proposes including on the list “using audience measurement cookies or similar technologies,” and processing “for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems.” The government proposes that the legitimate interests “balancing test” should be retained for processing children’s data, but asks for input on this.
- The government aims to simplify the rules on using (and re-using) data for research. The government acknowledges that the UK GDPR provides specific allowances and derogations for research. However, it appears to have been swayed by evidence it has heard that “the rules for some organizations to use and to re-use personal data for research are difficult to navigate, despite the public being generally in favour of their personal data being used for scientific research that can deliver real benefits to society.” We have highlighted some of the challenges in this area (see, for example, our prior blog, here, on the European Data Protection Board (EDPB) guidelines last year). Among other things, the government proposes to consolidate and bring together research-specific provisions that currently are set out in different parts of the legislation, incorporate a clearer definition of “scientific research,” and clarify which lawful bases controllers may rely on when using personal data for research. In relation to “further processing,” the government proposes that data subjects should be allowed “to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection.”
- Using personal data more freely for the purpose of training and testing AI and machine learning. The government proposes several potential reforms in relation to AI and machine learning, including clarifying legal obligations in relation to “fairness.” It also asks for views on whether the government should permit organizations “to use personal data more freely, subject to appropriate safeguards, for the purpose of training and testing AI responsibly.”
- Amending the right not to be subject to a decision based solely on automated processing. GDPR provides data subjects with “the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her” (Article 22, our emphasis). As has been widely reported in the press today, the government is considering a proposal to amend UK law and permit the use of solely automated AI systems on the basis of legitimate interests or public interests. Such a change would remove the right not to be subject to a decision resulting from ‘solely automated’ processing if that decision has legal or ‘similarly significant’ effects on data subjects.
- Including a clear test for determining when data will be regarded as anonymous. Infosec professionals may feel underwhelmed upon learning that one option for “a clear test” to determine when data will be regarded as anonymous is simply to place recital 26 of the legislation into an operative provision. Potentially more promising is the government’s apparent willingness to clarify that the test for anonymisation is a relative one, i.e., relative to the means available to the data controller to re-identify it.
- Removing the current requirement to designate a data protection officer (DPO). The government states that the current requirements to designate a DPO “do not necessarily drive the intended outcomes of the legislation,” and notes that some organizations struggle to appoint individuals with the requisite skills. The government proposes to replace DPOs with a requirement to designate a suitable individual, or individuals, to be responsible for an organization’s “privacy management programme.” This is part of introducing a “more flexible and risk-based accountability framework based on privacy management programmes.” It’s not yet clear how much of a difference this and other proposed changes – such as removing requirements to conduct Data Protection Impact Assessments (DPIAs), as defined under current law – may make in practice, especially for multinational companies operating across Europe, but some of the proposals are interesting.
- Changing the threshold for reporting a data breach to the ICO so that organizations would only be required to report a breach if the risk to individuals is material. Currently, organizations across Europe, including in the UK, must report a personal data breach unless it is unlikely to result in “a risk.” Given the current tendency for over-reporting, and the unnecessary burdens this places on organizations and the ICO, the government proposes to raise the bar.
- Introducing a fee regime in relation to data subject access requests. Pre-GDPR, under the UK Data Protection Act 1998, individuals had to pay a £10 fee to make a data subject access request (DSAR). GDPR banned this subject to certain exceptions (Article 12(5)). The government is considering reintroducing a fee regime on the basis that (i) responding to DSARs takes up “significant levels of resource” for organizations, and (ii) in some cases, DSARs may be used “in ways whereby the processing of personal data does not appear to be the sole or primary reason for exercising the right of access,” e.g., to circumvent strict disclosure protocols. Ideas under consideration include introducing a cost ceiling, whereby organizations would only be required to deal with a request to the extent possible within a cost limit.
- Structural changes: recitals to become articles. The government is concerned that although recitals in the UK GDPR (like the GDPR) are intended to act as an explanatory or interpretative guide to the articles, there are so many recitals that it can result in ambiguity and confusion. To address this, the government proposes to transfer certain recitals into the operative provisions (the articles) of the legislation.
The above is an initial snapshot of the UK government’s wide-ranging plans. The consultation document addresses various other interesting issues, such as introducing a new statutory framework for the ICO, and clarifying the legal bases available to private organizations that process data on behalf of a public body. Various aspects of the proposals in relation to data transfer rules and UK adequacy decisions are also likely to attract significant attention.
The government’s response to this consultation will be published “in due course” following its closure on November 19, 2021. The Covington team will continue to monitor these and other legislative developments in the UK and across EMEA.