UK: Government publishes outcome of consultation on reform to UK data regime
The Department for Digital, Culture, Media & Sport ('DCMS') published, on 17 June 2022, the Government response to the consultation on proposals to reform the UK data regime, titled Data: A New Direction. In particular, the response reiterates the Government's intention to establish the UK as a global data marketplace, building upon the National Data Strategy. The response is divided into five chapters which correspond with chapters within the consultation proposals.
For proposals related to 'Reducing barriers to responsible innovation', the Government outlined that it had determined the following responses to be appropriate, among others:
- moving the definition for scientific research from the recitals to the operative text of the UK General Data Protection Regulation ('UK GDPR'), accompanied by definitions for historic research and statistical purposes;
- moving certain research sections, rather than creating an entire consolidated chapter on research provisions;
- dropping proposals to establish a new lawful basis for research;
- moving provisions concerning broad consent from the recitals into the face of the legislation;
- clarifying further processing for an incompatible purpose when based on a law that safeguards important public interest;
- clarifying distinctions between new processing and further processing;
- codifying that further processing cannot take place when the original legal basis is consent, other than in very limited circumstances;
- creating a limited, exhaustive list of legitimate interests for which organisations could use personal data, but starting with an initially limited number of carefully defined processing activities;
- considering the role that fairness should play in wider AI governance as part of the whitepaper on AI governance (although there is no current plan to legislate on this for the time being); and
- clarifying data regarded as anonymous through a test based on the Council of Europe's Convention 108+ wording;
For proposals related to 'Reducing burdens on businesses and delivering better outcomes for people', the Government determined the following responses to be appropriate, among others:
- moving to a framework based on privacy management programmes, subject to the same sanctions as under the current regime;
- replacing the requirement of data protection officers with a designated senior individual who oversees matters as part of the privacy management programme;
- removing the requirement to undertake Data Protection Impact Assessments as prescribed under the UK GDPR, although risk assessment tools must be in place for the identification, assessment, and mitigation of data protection risks;
- removing the requirement for record of processing activities, although organisations will need to maintain personal data inventories as part of their privacy management programme;
- replacing the mandatory prior consultation requirements for high risk data processing activities with a voluntary mechanism;
- dropping the proposal to introduce a new voluntary undertakings process similar to Singapore's Active Enforcement regime;
- dropping the proposal to introduce a nominal fee for data subject access requests;
- moving to an opt-out model of consent for cookies placed by websites, which would not apply to websites likely to be accessed by children; and
- aligning sanctions for the Privacy and Electronic Communications Regulations ('PECR') with the UK GDPR and DPA 2018.
For proposals related to 'Boosting trade and reducing barriers to data flows', the Government decided the following responses to be appropriate, among others:
- underpinning the UK's future approach to adequacy decisions with principles of risk assessment and proportionality;
- dropping proposals to remove reverse transfers from the scope of the international transfer regime; and
- dropping proposals to allow organisations to create or identify their own transfer mechanism.
In relation to reform of the Information Commissioner's Office ('ICO'), the Government intends to continue with various proposed changes to the ICO, such as establishing a new statutory framework for its objectives and duties.
The ICO published, on 16 June 2022, its statement regarding the Government's response to the consultation on the upcoming data reform, generally welcoming the responses. Among other things, John Edwards, UK Information Commissioner noted that "We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill".