UK: ICO's response to the DCMS consultation on UK data regime
The Information Commissioner's Office ('ICO') issued its Response to the Department of Culture, Media & Sport's consultation, "Data: A new direction", on 6 October 2021. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, provides an overview of the key takeaways from the ICO's response.
Further processing of personal data for scientific research is an important area where organisations would welcome further clarity. We support efforts to provide greater legal certainty on the re-purposing of personal data for research purposes.
Further processing generally
Where consent is the lawful ground, it is also important that people retain control over whether and how their data is re-used. Any exceptions to this principle should be limited to circumstances of genuinely important public interest (as already permitted under the current law). Any reforms should give people confidence that, in the limited circumstances in which their personal data can be re-used in ways that go beyond their consent, the legislative framework provides adequate transparency and properly considers and protects their rights and freedoms.
Given the importance of data protection to all of us, it is critical that the Government clearly and unambiguously sets out how its proposals would deliver for people, not just for businesses and society as a whole.
Cookie consents and pop-ups
The current approach does not work for people or businesses, and the commitment to improving this is welcomed.
The proposal to enable organisations to measure the quality and effectiveness of their online services (e.g. analytics) without the need to obtain prior consent, subject to appropriate safeguards, is supported.
- A friction-free online experience, in which users' preferences about how their information is used and shared are respected, would also be welcomed.
- The consultation's proposal to include browser-based and non-browser-based solutions is a good one. However, to be effective there would need to be a mechanism for requiring organisations to respect these preferences, with appropriate sanctions where this is not the case.
- It is recommended that the Government consider the pros and cons of legislating against the use of cookie walls, which require users to 'accept' tracking as the price of entrance. This would need careful consideration but would remove the risk that some sites choose to force people to change their preferences in order to access them and would help drive a change in practice.
- The initiative must ensure that the ICO has the enforcement powers we need to make this solution work for people.
- It is recommended that the Government consider extending the UK's existing Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR') legislation to operate on an extra-territorial basis, like the UK GDPR. This would help the ICO to reach beyond the UK's borders to pursue instigators of calls from abroad that target UK citizens.
- On soft opt-in: There may be benefits to the proposals on the soft opt-in, subject to the retention of appropriate safeguards, and this may result in a more proportionate change.
- The proposal to increase fines that can be imposed under PECR (which govern this activity) so they are the same level as those under the UK GDPR is welcomed.
- The proposal to allow the ICO to issue assessment notices to companies suspected of infringements of PECR is welcomed.
- The discussions with the Government about the potential benefits and costs of aligning the whole of the PECR enforcement toolkit with that of the Data Protection Act 2018 are welcomed.
- There would be concern, however, about any proposal to expand the kinds of special category data political parties are able to process without consent, for example if it were to include ethnicity or other data, whether factual or inferred.
Additional welcome initiatives
- The proposal to require an organisation to try to resolve complaints before they are referred to the regulator;
- the proposal to introduce a proportionate requirement for organisations to report on the nature and volume of complaints they receive;
- the Government's commitment to ensuring the UK's data protection regime retains the principle of accountability at its heart, and its openness to alternative approaches to ensuring accountability; and
- the proposal to introduce compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments, and government contractors using public data.
Proposals that require more work to ensure that they preserve high standards of data protection and reduce unnecessary regulatory burden on business
Removal of the requirement to conduct a legitimate interests balancing test
The proposals do not remove the need for an assessment of the balancing test. Rather, they shift the responsibility for doing so from organisations to the Government, which would come up with a list of situations where a balancing test is not required. There are concerns that, as currently set out in the consultation, the types of processing are too broad to provide the necessary certainty. There are also concerns about how this interacts with the right to object.
Scope and substance of 'fairness' in development of AI systems
There are deep concerns about any clarification or changes to the data protection regime that would remove the centrality of fairness in how people's data is used. The concept of fairness in data protection does not and should not operate in a vacuum. We recognise the role of other regulators in defining what fairness means in their specific context. We recommend that the ICO is charged with cooperating with these authorities, building on successful models such as the Digital Regulation Cooperation Forum.
Automated decision making and data rights
There are concerns about the proposal to remove the right to a human review of automated decision-making set out in Article 22 of the UK GDPR.
The consultation's focus on how to provide more clarity and guidance on what is a complex area is welcomed. We think that could include more guidance about what constitutes a legal or similarly significant effect.
- Resolving the complexity by simply removing the right to human review is not, in our view, in people's interests and is likely to reduce trust in the use of AI.
- A more effective approach would be to consider how the current approach to transparency could be strengthened.
- The Government should consider the extension of Article 22 of the UK GDPR to cover partly, as well as wholly, automated decision-making.
Data minimisation and anonymisation
We welcome the Government's proposal to provide further clarity and certainty about the test organisations must apply when deciding whether information can be considered anonymous and therefore outside the scope of data protection requirements.
We support the Government's intention to provide organisations with additional support in understanding risk and ensuring appropriate protections are applied.
Changes to subject access requests
The recognition in the consultation of the importance of subject access requests ('SARs') in delivering data protection rights is welcomed. Also, it is recognised that responding to some SARs can require significant resources for some organisations.
It is vitally important that more evidence is gathered from relevant sectors to assess the benefit and risks of any changes to this right.
- A fuller assessment is needed to understand the implications of introducing a nominal fee, which potentially has a wide-ranging impact on people. This will ensure that any change is not disproportionate.
- Poor record management or information handling should not be a reason for elevated cost estimates to avoid dealing with requests. This should be made clear to organisations.
- If changes are made, they must come with safeguards to ensure that everyone, whatever their circumstances, is able to exercise this right.
Cross border transfers
The Government's ambition to increase flows of data safely across jurisdictions, and the proposal to approach adequacy assessments with a focus on risk-based decision-making and outcomes, are welcomed. It is important that the approach continues to ensure our existing high standards are maintained.
It would also be helpful to understand more detail about the proposals for future adequacy decisions to 'take into account the different legal and cultural traditions which inform how other countries achieve high standards of data protection'.
- A robust adequacy assessment process is also important for maintaining our position as a trusted jurisdiction for data from many other countries.
- We are supportive of providing organisations with the flexibility to develop mechanisms such as bespoke contracts, for which the ICO would provide guidance.
- If organisations are allowed to create or adapt their own transfer mechanisms, consideration should be given to risk-based oversight of these mechanisms to help manage this risk.
- We support the ability of the Government to create new mechanisms where these maintain the UK's high standards of data protection.
- We are supportive of the Government exploring options that would better support certifications as an alternative transfer mechanism. Any new or additional types of schemes should not have a negative impact on the existing market, which is increasing in importance.
- It is important to acknowledge that there are situations where a transfer is repetitive, but it is not possible (wholly or partly) to put in place a transfer tool under Article 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In these scenarios, reliance on a derogation may still be 'necessary and proportionate', and so the transfer should be allowed to go ahead. However, we also encourage the Government to consider whether there are additional measures that could be put in place to help protect people in these circumstances.
- We acknowledge that there may be a lack of clarity around the derogations, which may mean UK data exporters are reluctant to make certain transfers. We welcome any changes which would address this concern.
Prior consultation with the ICO on high-risk data processing
Rather than remove the requirement, we recommend introducing a more agile and flexible threshold for when prior consultation is required.
Removing the threshold would reduce our ability to prevent people experiencing harm, restricting our role to taking action after that harm has occurred. An unintended consequence could also be that the ICO will need to fall back on its formal investigative approach to address any potential harms from such processing.
Data re-use and re-purposing
While individually these proposals could bring benefits, it is important to consider the collective impact of the proposals, which, taken together, could increase the re-use of people's data in ways that they may not anticipate or expect. We welcome the intention in the consultation for the Government to explore options that would better support certifications as an alternative transfer mechanism.
The proposals about joint controllership are high level, and further information is required to understand how such changes would be effected in practice. In any more detailed proposals, we would want to guard against weakening the data protection regimes for policing and the intelligence services or introducing risks in the context of processing.
Privacy management programs
More work is required to demonstrate the additional value that privacy management programs ('PMPs') would deliver. Any substantial change to the approach to accountability would bring potential disruption and could create a burden for business. It is welcomed that the proposals for introducing a PMP include provision for organisations to be able to demonstrate compliance using the approaches and processes developed to comply with the existing law.
However, the Government is encouraged to continue to explore whether the benefits it is seeking to achieve through introducing PMPs could be achieved with more minor changes to the current accountability requirements.
Removal of DPO requirement
It is reasonable for organisations to assess the most appropriate way of assigning responsibility for data protection compliance within their organisations. The current requirements for appointing a data protection officer ('DPO') are overly prescriptive and can be challenging for organisations.
It is important that the independent advice, skills, leadership, and links to board level governance brought by DPOs are not lost as a result of any changes.
Remove the requirement for DPIA
There is scope for more flexibility about the form that Data Protection Impact Assessments ('DPIAs') take. However, it is important that this does not result in a reduction in the robustness or quality of those assessments related to risk.
Rather than remove the requirement, we recommend introducing a more agile and flexible threshold for when prior consultation is required, one that is better able to reflect emerging risks and public concerns.
We support proposals under both approaches to clarify the threshold for reporting data breaches. We know organisations are sometimes unclear on when and whether to notify. We are also supportive of exploring the most appropriate threshold for data breaches. However, it is important that a comprehensive assessment of risk is used. While some breaches may cause little individual harm, they may cause significant societal harm due to the number or characteristics of people most affected.
There is scope to explore reducing prescriptive record keeping requirements, particularly for smaller organisations undertaking low risk processing. The ICO is well positioned to develop straightforward guidance for organisations to help them meet the new requirements.
Voluntary undertakings process
If introduced, it would be important that this approach would not reduce our ability to use the ICO's regulatory discretion to:
- make a judgement as to whether to accept a remedial action plan as sufficient; or
- take action based on all the circumstances, even where an effective management plan is in place.
UK's international role
While we now have the freedom to adapt our laws to suit us, data protection legislation does not operate in a vacuum. It is important to ensure the UK's data protection framework continues to be aligned with the wider international move towards locking in high standards of data protection, such as those set out in the Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data ('Convention 108+').
It is important that any reforms in this area ensure organisations are able to employ risk-based, practical approaches to balancing these requirements.
We welcome the proposals in the consultation to strengthen our supervision and enforcement powers. We are supportive of many of the proposed changes to the governance and accountability of the ICO, and the clear statutory objectives for the ICO and a clear parliamentary articulation of the ICO's regulatory framework.
However, some of the proposals risk undermining the independence we need to carry out our responsibilities under both data protection and freedom of information legislation to oversee government and the public sector. Giving the Secretary of State the power to approve or reject codes of practice and complex or novel guidance (chapter five) would reduce the ICO's independence. As an independent regulator, the ICO should be able to issue its own guidance, with a commitment to take account of the views of stakeholders and the impact on economic growth. The proposal for the appointment of the Chief Executive (chapter five) does not sufficiently protect the ICO's independence. This appointment should be made by the ICO Chair and Board, in consultation with the Secretary of State, as is the case at other independent UK regulators.
Convention 108+ states that 'The supervisory authorities shall act with complete independence and impartiality in performing their duties and exercising their powers and in doing so shall neither seek nor accept instructions'. The method for appointing members and the adoption of decisions without being subject to external interference are both highlighted as elements that contribute to safeguarding the independence of the supervisory authority.
It is also important that the ICO has the resources it needs to deliver against any new legislative framework.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia