UK: Government launches consultation on reforming UK data protection regime
The Department for Digital, Culture, Media & Sport ('DCMS') announced, on 9 September 2021, that the Government had launched a public consultation, proposing reform to the UK's data protection regime, aiming to deliver Mission 2 of the National Data Strategy to secure a pro-growth and trusted data regime. In particular, the reform proposals include reforming the accountability framework and related requirements established under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and changes to cookie and data transfer rules.
Further to the above, the reform proposals specifically include:
- reforming the accountability framework by implementing a more flexible and risk-based framework which is based on privacy management programs. Under this framework, organisations would be required to implement a privacy management program tailored to their processing activities and ensure data privacy management is embraced holistically rather than just as a 'box-ticking' exercise. To achieve this, the consultation notes that some specific compliance requirements in the UK General Data Protection Regulation ('UK GDPR') would be amended or removed. These proposals include:
  - removing the existing requirements to designate a data protection officer ('DPO') and authorising individual organisations to determine such requirements based on their discretion;
  - removing the requirement for organisations to undertake a Data Protection Impact Assessment ('DPIA'), so that organisations may adopt different approaches to identify and minimise data protection risks that better reflect their specific circumstances. In addition to this, the consultation proposes removing the requirement for prior consultation with the Information Commissioner's Office ('ICO') upon identification of high-risk data processing, and instead encouraging a more proactive, open, and collaborative dialogue between organisations and the ICO;
  - removing record keeping requirements under Article 30 of the UK GDPR, while granting organisations more flexibility about how to keep certain records in a way that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out; and
  - changing the threshold for reporting a data breach to the ICO so that organisations must report a breach, unless the risk to individuals is not material.
Cookies and electronic communications
The proposed reforms related to cookies and electronic communications include the following:
- permitting organisations to use analytics cookies and similar technologies without the user's consent, thereby treating such cookies in the same way as 'strictly necessary' cookies, for which consent is not required. The consultation further outlines a second option for tackling the identified issues and welcomes evidence on the risks and benefits of that option, i.e. permitting organisations to store information on, or collect information from, a user's device without their consent for other limited purposes; and
- extending the soft opt-in to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription.
Additional proposed reforms
Other notable reforms proposed by the Government include:
- creating a new condition within Schedule 1 to the Data Protection Act 2018 which specifically addresses the processing of sensitive personal data as necessary for bias monitoring, detection, and correction in relation to AI systems;
- consolidating and bringing together research-specific provisions and incorporating a clearer definition of scientific research, among others. This proposal follows stakeholders' concerns that the UK GDPR can create barriers to responsible innovation because of the ambiguity of some definitions and lack of explanatory case law or regulatory guidance, particularly with regard to the rules for using and re-using data for research purposes; and
- creating a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test in order to give them more confidence to process personal data without unnecessary recourse to consent.
In addition to the above proposals, the consultation reiterates the Government's intention to reform the UK's data transfer regime. Notably, the consultation outlines the Government's intention to add more countries to the list by progressing an ambitious program of adequacy assessments in line with the UK's global ambitions and commitment to high standards of data protection. Furthermore, the consultation notes the Government's intention to relax the requirement to review adequacy regulations every four years, as well as explore amendments to the international transfers regime to give organisations greater flexibility in their use of transfer mechanisms.
Furthermore, the consultation proposes a new governance model for the ICO, including introducing a new, statutory framework that sets out the strategic objectives and duties that the ICO must fulfil when exercising its functions, introducing a power for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities, and establishing an independent board and a CEO at the ICO.
In response to the consultation, the ICO published, on 9 September 2021, a statement in which the Information Commissioner, Elizabeth Denham, welcomed the Government's intention to ensure a legislative framework that is fit for the future, and noted that the ICO will provide constructive input and feedback as the work progresses, including through its public response to the consultation, ensuring that the ICO can effectively regulate this legislation.