UK: Breakdown of ICO response to UK data regime review
Following the Department of Digital, Culture, Media & Sport's launch of a public consultation on its review of the UK data protection legal framework and regulatory regime, the Information Commissioner's Office ('ICO') promised to consider the detail of the proposals and publish its response as soon as possible. On 7 October 2021, the ICO released its 89-page response covering areas in which it largely supports and welcomes the proposals for change to the UK data regime, while also pointing out several areas where further consideration may be required.
This Insight breaks down some of the areas outlined for further consideration by the ICO.
The ICO outlined that it is largely welcoming of the new reforms and of the effort to rejuvenate the UK data protection regime as a whole. In her foreword to the response, Elizabeth Denham CBE, UK Information Commissioner, summarised, 'The devil will be in the detail. It will be important that Government ensures the final package of reforms clearly maintain rights for individuals, minimise burdens for business and safeguard the independence of the regulator'. In some areas the ICO has proposed that the Government carry out additional investigations and research in order to provide further detail on how the reforms might work in practice, and to ensure that innovation is enabled, not threatened, by data protection frameworks.
Areas where the ICO welcomed reform but called for some form of supplementary action include the following, as explained in detail further below and through the links provided:
- On accountability and recordkeeping, the ICO recommended that:
- privacy management programmes require more work given the potential level of disruption;
- the data protection officer ('DPO') role requires development, support, and recognition of its value;
- the consultation requirement with the ICO should be retained; and
- comprehensive risk assessments should be required if the data breach reporting threshold is adjusted.
- On international data transfers, the ICO recommended that:
- if the four-yearly review of adequacy decisions is removed, the replacement review process should be clarified; and
- it is important to maintain the EU adequacy decision for the UK.
- On data subject rights, the ICO recommended that:
- the Government should ensure equality in ability to exercise right of access; and
- Article 22 of the UK GDPR should be extended rather than removed.
- On legitimate interests the ICO recommended that:
- further detail is required on the proposal to remove balancing of interests requirement.
- On cookies, the ICO recommended that:
- stronger ICO enforcement powers should be considered to ensure businesses respect user preferences in the proposed pop-up-free environment; and
- the Government should consider legislating to ban cookie walls.
- On direct marketing, the ICO recommended that:
- the Government consider extending the UK's existing Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR') legislation to operate on an extra-territorial basis, like the UK GDPR.
- On ICO-related proposals, the ICO recommended that:
- the Government reconsider proposals that might have the effect of undermining ICO independence.
Chapter 2 of the response details the ICO response to reforms which aim to reduce burdens on businesses and deliver better outcomes for people.
Privacy management programmes
On the suggested revisions to the approach to ensuring that organisations are accountable and are able to demonstrate accountability, the ICO stressed that the law must retain a statutory accountability requirement. The ICO recognised that privacy management programmes may require more work, given the level of disruption that would follow a change to the approach to accountability. Additionally, the ICO recommended that the voices and experiences of affected organisations, particularly small and medium-sized organisations, should be heard.
The ICO outlined that current requirements for appointing a DPO might be 'overly prescriptive and challenging' for organisations. However, it also noted a preference for an investment in the development and support of the role, highlighting the value, expertise, and assurance it can provide.
Replacing the requirement to conduct a Data Protection Impact Assessment ('DPIA') with a more general requirement to assess and mitigate risk to individuals from data processing was also addressed within the response. Notably, the ICO stated that it is important that a more flexible approach does not reduce the robustness or quality of the risk assessments. Furthermore, the ICO noted the need to retain a requirement to consult the ICO about the impacts of high-risk processing.
On the proposal to allow organisations to offer voluntary undertakings, the ICO considered it important to retain its ability to accept or reject a remedial action plan, or to take action, even where an effective management plan is in place. Additionally, as part of the proposed approach, the ICO noted that it must be able to access and receive information about an organisation in order to assess its compliance with a given voluntary undertaking. As a general principle, the ICO recommended that a voluntary undertaking should only be an option where an organisation proactively raises the infringement; it should not be available as a means of avoiding a sanction following an ICO investigation into an infringement.
The ICO supported exploring the most appropriate threshold for data breach reporting, while noting that a comprehensive risk assessment must take place and that the societal harm caused by certain data breaches should be considered as part of the changes to the reporting threshold.
Chapter 3 of the response is dedicated to responding specifically to proposals regarding data flows.
Recalling the importance of maintaining UK adequacy from the EU, the ICO requested more detail on how a risk-based approach would work in practice and how adequacy decisions might consider the manner in which legal and cultural traditions impact data protection standards.
Looking at the domestic adequacy regime, the ICO asked for more detail about how the Government proposes to deploy its approach to extending its ability to make adequacy assessments to include groups of countries, regions, and multilateral frameworks. Furthermore, the ICO highlighted its concerns regarding the removal of the four-year periodic review of adequacy decisions, with the ICO indicating that this might reduce the ability to direct changes and, as such, requesting further information regarding how reviews would be conducted.
The ICO also considered it important to identify where the responsibility for carrying out different aspects of risk assessments for data transfers may lie, and volunteered to provide guidance on the kinds of safeguards that might be appropriate for different scenarios.
Reverse transfers remain a complex area where the ICO expressed support for the maintenance of some restrictions in specific cases. Consequently, the ICO asked that the Government explore how effective a blanket exemption might actually be in reducing complexity.
The ICO further outlined that bespoke alternative international transfer mechanisms, although allowing more flexibility for businesses, simultaneously involve a risk of inconsistent levels of protection for personal data and should be appropriately assessed to mitigate this risk. Regulatory approval for high-risk transfers was also suggested as a remedy.
The ICO remarked that a fine balance must be struck on additional safeguards if the proposed increase in flexibility for the use of the Article 49 derogations (the derogations for specific situations under the UK GDPR) is permitted. Whilst some repeated transfers present an opportunity to put appropriate protections for personal data in place, there may also be instances where this is not possible but the transfer should nevertheless proceed. The ICO proposed to work alongside the Government on alternative additional measures for such cases.
Throughout the document, the ICO repeated the importance of ensuring any reforms respect the rights provided to data subjects under the UK GDPR.
The response first considers the effectiveness of the present implementation of Article 22 of the UK GDPR, given its limited application. The ICO raised its concern about the proposal to remove the right to human review of automated decision-making as provided by Article 22, adding that attempting to resolve the complexities of this matter through this method is not in people's interests and is likely to reduce public trust in the use of artificial intelligence ('AI'). Instead, the ICO suggested extending Article 22 to cover partly, as well as wholly, automated decision-making. In addition, the ICO encouraged consideration of how the current approach to transparency could be bolstered to ensure that any human review carried out is actually meaningful.
The ICO also addressed fairness regarding the development and deployment of AI systems. While registering and welcoming the intention to further explore this by developing the National AI Strategy, the ICO also recorded its reservations about any clarification or changes to the data protection regime that removed the centrality of fairness in how people's data is used.
Reforms to subject access requests ('SARs') are treated as highly important in the context of neighbouring proposed changes which would increase the collection, use, and re-use of personal data. Further, the ICO cited that 46% of complaints it received between 2019 and 2020 pertained to the fulfilment of SARs. To manage this issue, the ICO called for more evidence to be gathered from relevant sectors to assess the benefits and risks of any changes to the right of access, including assessing the proposed introduction of a nominal fee and cost limit, in order to avoid disproportionate outcomes for people, particularly the most vulnerable.
In light of this, the ICO concluded that any finalised changes must be accompanied by safeguards to ensure equality in the ability to exercise the right of access and as such the Government should consider how such safeguards might function.
The consultation proposes reforms in relation to the legitimate interests legal basis for processing. Specifically, the Government has proposed to remove the requirement for organisations to carry out a balancing test between their legitimate interests and the rights and freedoms of data subjects when relying on this legal basis, with the Government instead proposing to provide a list of examples of processing where the impact on people's rights would not outweigh the interests of the organisation seeking to use their data. Though acknowledging the desire to provide greater clarity and certainty in this area, the ICO remarked that these proposals 'do not remove the need for an assessment of the balancing test [but rather] shift the responsibility for doing so from organisations to Government'.
Further, the ICO posited that 'the types of processing are too broad to provide the necessary certainty' and encouraged the Government to set out the nature of the specific types of processing in more detail, and how it has assured itself that those included in the list will not have a negative impact on people without the need for further case by case consideration of the balance at the point data is to be processed.
The ICO also noted that it would like clarification on how this proposal will interact with the exercise of people's rights, e.g. the right to object, where a data controller can only refuse a request if they have a compelling reason that overrides people’s interests, rights and freedoms.
On cookies, the ICO highlighted that it agreed with the Government's remarks in the consultation document that the current approach does not work for people or businesses, and welcomed the commitment to improving this, restating its view that current cookie consent mechanisms do not provide effective transparency or meaningful control for people.
Cookies without consent – analytics and legitimate interests
The ICO welcomed the proposal to collect analytics cookies without consent, enabling organisations to measure the quality and effectiveness of their online services, subject to the adoption of appropriate safeguards.
In relation to the proposal to permit organisations to store information on, or collect information from, a user's device without their consent when necessary for legitimate interests, such as (according to the Government's examples) detecting technical faults or enabling use of video or other enhanced functionality on websites, the ICO highlighted that any changes would need appropriate safeguards. In addition, the ICO noted that many of these purposes are already exempt under the strictly necessary category, and are recognised as such in ICO guidance.
The ICO also called for clarification on how these proposals would work in the context of the wider reforms outlined in this consultation, noting that the inclusion of analytics in the list of data processing activities for which no balancing test is required could have the impact of removing safeguards.
Browser and software solutions – with stronger enforcement powers
The ICO also welcomed the consultation's inclusion of the use of browser and non-browser-based solutions, which would allow people to choose to go pop-up free.
The ICO, however, posited that in order for any changes to be effective there would need to be a mechanism for requiring organisations to respect user preferences, with appropriate sanctions where they do not. Accordingly, the ICO invited the Government to further discussion to ensure that the ICO has the enforcement powers it needs to make this solution work for people, and to ensure that businesses seeking to do the right thing are not undermined by those who gain an unfair advantage in the market by failing to respect user preferences.
Recommendation to legislate against cookie walls
The ICO further outlined its recommendation that the Government should go beyond the proposals outlined in the consultation document and consider legislating against the use of so-called cookie walls, which require users to accept tracking as the price of entrance to websites. According to the ICO, this might remove the risk that some sites choose to force people to change their preferences and drive a change in practice.
As with the Government's proposals on cookies, the ICO welcomed the consultation proposals related to unsolicited direct marketing calls and fraudulent calls, noting that this is a priority area for the ICO and that it has called on successive governments to give the ICO more powers to tackle spam and nuisance calls.
Specifically, the Government's proposals include increasing fines that can be imposed under PECR (which govern this activity) so they are the same level as those under the UK GDPR, and to allow the ICO to issue assessment notices to companies suspected of infringements of PECR, so that it can carry out on-site audits of their processing activities.
Though embracing these proposals, which it believes would help investigations and reduce the harm caused to people by unsolicited calls, the ICO suggested that the Government should go further still with its reforms and align the whole of the PECR enforcement toolkit with that of the Data Protection Act 2018 ('DPA 2018'). This would include, for instance, modernising the ICO's enforcement powers relating to security audits in line with the DPA 2018.
To further bolster its capacity to effectively enforce, the ICO also recommended that the Government consider extending the UK's existing PECR legislation to operate on an extra-territorial basis, like the UK GDPR.
The ICO emphasised its approval of the proposals in the consultation to strengthen its supervision and enforcement powers, and agreed with the Government's assertion that the flexibility to regulate in a way that allows the ICO to hold both government and businesses to account, and to respond to a rapidly changing external context, is crucial. It nonetheless expressed several reservations over some of the proposals, in particular as regards their potential to undermine its independence.
Notably, the ICO stressed that 'independence, within a framework of strong accountability to Parliament, is important'. Further to this point, the ICO outlined that giving the Secretary of State the power to approve or reject codes of practice and complex or novel guidance 'would reduce the ICO's independence' and 'reduce regulatory certainty for organisations and wider trust and confidence in the ICO’s guidance'.
The ICO furthermore emphasised that it should be able to issue its own guidance, with a commitment to take account of the views of stakeholders and the impact on economic growth, while also outlining its belief that this proposal reduces the ability of government to effectively hold the ICO to account.
The ICO's independence, it also stated, would be threatened by the Government's proposal to itself appoint the Chief Executive Officer of the ICO, noting that this proposal 'would give the ICO a constitution less independent from government than that of other economic regulators, despite its role in overseeing the public sector and government'. The ICO therefore put forth its opinion that the ICO Board should be responsible for the appointment of Executive level roles, including the Chief Executive, further recommending that the Secretary of State is consulted as part of a public appointment process, rather than the appointment being made by Ministers.
Prior consultation with the ICO on high-risk processing
The Government consultation notably proposes to remove the requirement for organisations to consult the ICO prior to carrying out 'high-risk' processing, arguing that this would encourage a more proactive, open, and collaborative dialogue between organisations and the ICO.
However, the ICO, as with the proposed changes to its structure and governance, presented a number of concerns to this proposal, noting many benefits to the current requirement. In particular, the ICO highlighted that the process creates an opportunity for the ICO to provide early and effective advice to organisations engaging in the most high-risk processing, giving assurance and support to innovation, whilst also ensuring that it can work with those organisations to mitigate harm to people before it happens.
Further to the above, the ICO suggested that removing the consultation requirement would reduce its ability to prevent people experiencing harm, restricting its role to taking action after that harm has occurred. It furthermore highlighted that this would not be good for businesses or public service innovation, would reduce regulatory certainty and, if it encourages a retrospective approach to implementing privacy measures rather than a Privacy by Design approach, could undermine public confidence, damage reputations, and increase costs.
Accordingly, the ICO recommended that rather than removing the requirement, a more agile and flexible threshold for when prior consultation is required should be established.
Alexis Galanis Lead Privacy Analyst
Amelia Williams Privacy Analyst