UK: A new data direction
The Department for Digital, Culture, Media & Sport ('DCMS') published its new public consultation document, 'Data: A new direction', on 10 September 2021. Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, discusses the key points of the chapters of the document and the proposals set for consideration in the consultation.
Rt Hon Oliver Dowden CBE MP, the Secretary of State for the DCMS, stated that:
"Now that we have left the EU, we have the freedom to create a bold new data regime: one that unleashes data's power across the economy and society for the benefit of British citizens and British businesses whilst maintaining high standards of data protection. Our ultimate aim is to create a more pro-growth and pro-innovation data regime whilst maintaining the UK's world-leading data protection standards."
1. Reducing barriers to innovation
Transfer recitals of the UK General Data Protection Regulation ('UK GDPR') into the body of the law so as to make them operative text and increase clarity.
Seek additional guidance from the Information Commissioner's Office ('ICO') regarding exceptions for scientific research.
Amend current legislation to support responsible research activity using personal data by:
- consolidating the research-specific provisions in the law to make interpretation easier;
- incorporating a clearer definition of 'scientific research' into the legislation;
- alleviating the uncertainty around the legal basis for scientific research by either: (i) creating a new legal basis; or (ii) clarifying reliance on the existing public interest legal basis;
- clarifying in legislation that data subjects should be allowed to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection; and stating explicitly that the further use of data for research purposes is both: (i) always compatible with the original purpose; and (ii) lawful under Article 6(1) of the UK GDPR;
- incorporating an amendment to the transparency obligation regarding the re-use of the data for a research purpose, including an exemption for controllers who did not collect data directly from data subjects, where it would be disproportionate to do so; and
- clarifying the scope of the compatibility test for the re-use of information for scientific research, including: (i) clarifying that further processing for an incompatible purpose may be permitted when it safeguards an important public interest; (ii) clarifying the circumstances, if any, in which further processing can be undertaken by a controller different from the original controller, while ensuring fairness; and (iii) confirming in law that further processing may be permitted, whether compatible or incompatible, when it is based on a law that safeguards an important public interest.
Create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test in order to give them more confidence to process personal data under this legal basis. For those activities not on the list, the balancing test would still be applied. The balancing test could also be maintained for the use of children's data, irrespective of whether the data was being processed in connection with an activity on the list.
The sample list includes:
- the reporting of criminal acts or safeguarding concerns to appropriate authorities;
- delivering statutory public communications and public health and safety messages by non-public bodies;
- monitoring, detecting, or correcting bias in relation to developing artificial intelligence ('AI') systems;
- using audience measurement cookies or similar technologies to improve web pages that are frequently visited by service users;
- improving or reviewing an organisation's system or network security;
- improving the safety of a product or service that the organisation provides or delivers;
- de-identifying personal data through pseudonymisation or anonymisation to improve data security;
- using personal data for internal research and development purposes, or business innovation purposes aimed at improving services for customers; and
- managing or maintaining a database to ensure that records of individuals are accurate and up to date, and to avoid unnecessary duplication.
AI and machine learning
- Address 'fairness' in AI and consider the development of a substantive concept of outcome fairness in the data protection regime.
- Where bias monitoring, detection, or correction can only be undertaken with the use of sensitive personal data, either: (i) make it clear that the existing derogation can be used for this type of processing; or (ii) create a new condition which specifically addresses the processing of sensitive personal data as necessary for bias monitoring, detection, and correction in relation to AI systems.
Automated decision making and data rights
- Clarify the limits and scope of what constitutes 'a decision based solely on automated processing' and 'produc[ing] legal effects concerning [a person] or similarly significant effects'.
- Broaden the safeguards under Article 22 of the UK GDPR to include partly automated processing (not just solely automated processing), and/or relax some of the limitations on fully automated processing where those are disproportionate, or remove Article 22 altogether.
- Enhance the approach to explainability and accountability for fair processing.
Data minimisation and anonymisation
Goal: Do more to help organisations understand what needs to be done to anonymise data.
- Include a clear test for determining when data will be regarded as anonymous, either by: (i) placing Recital 26 of the UK GDPR, which discusses anonymisation, into the body of the legislation; or (ii) creating a statutory test.
- Consider legislation to confirm that the question of whether data is anonymous is relative to the means available to the data controller to re-identify it.
Innovative data sharing solutions
Goal: Encourage innovation in the way data can be shared; encourage solutions that increase organisations' confidence and expertise in responsible data sharing practices; and increase the overall portability of data and its innovative use, to improve both consumers' and business users' experience and provide them with financial savings.
Data intermediaries: Support the activities of data intermediaries in order to deliver more innovative data sharing solutions, enable more responsible and legally compliant data sharing, and better understand the lawful grounds that might be used for the stewardship activities performed by data intermediaries.
2. Reducing burdens on businesses
Goals: Incentivise organisations to invest more effectively in the governance, policies, tools, people, and skills that protect personal data, so individuals can have even greater confidence that their personal data is being used responsibly. Organisations should focus on the right outcomes rather than treating compliance as a 'box-ticking' exercise, freeing them up to implement effective data protection policies and processes.
- Implement a more flexible and risk-based accountability framework based on requiring organisations to implement privacy management programmes tailored to their processing activities (reflecting the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out). The privacy management programme would need to include: roles and responsibilities in relation to personal data, oversight, data inventories, internal policies, and risk assessment tools; procedures for communicating with data subjects about their rights; procedures for handling breaches; and procedures for periodic review.
- Amend or remove specific compliance requirements in the UK GDPR which are disproportionately burdensome for many organisations, including:
- removing the obligation to designate a data protection officer;
- removing the obligation to conduct a Data Protection Impact Assessment;
- removing the mandatory requirement for prior consultation with the ICO;
- removing the requirement for record keeping under Article 30 of the UK GDPR;
- changing the threshold for reporting a data breach to the ICO so that organisations must report a breach unless the risk to individuals is not material; and
- introducing a new voluntary undertakings process, similar to Singapore's Active Enforcement regime, which would allow organisations to provide the ICO with a remedial action plan upon discovering an infringement.
Subject access requests
- Introduce a fee regime for access to personal data held by all data controllers (not just public bodies).
- Amend the 'vexatious' threshold for access requests.
Privacy and Electronic Communications
- Permit organisations to use analytics cookies and similar technologies without the user's consent with potential further safeguards for ensuring that such processing poses a low impact on users' privacy and a low risk of harm.
- Support the ability of users to express their privacy preferences through browsers, software applications, and device settings.
- Consider other approaches such as data fiduciaries or other trusted third parties that could play a role in managing an individual's consent preferences.
- Extend the soft opt-in to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription.
3. Boosting trade and reducing barriers to data flows
- Add more countries to the list of those with adequacy by progressing an ambitious programme of adequacy assessments in line with the UK's global ambitions and commitment to high standards of data protection.
- Ensure that all adequacy regulations made under current laws remain valid under any future regime.
- Approach adequacy assessments with a focus on risk-based decision-making and outcomes, taking into account the likelihood and severity of actual risks to data subjects' data protection rights.
Redress: Amend the legislation to be clear that both administrative and judicial redress are acceptable as long as the redress mechanism is effective.
Alternative transfer mechanisms
- Proportionality: Clarify the legislation in order to facilitate more detailed practical support for organisations on determining and addressing risks.
- Flexibility: Explore amendments to the international transfers regime to give organisations greater flexibility in their use of transfer mechanisms.
- Interoperability: Make the UK regime compatible with any potential new international transfer regimes regardless of the mechanisms they use to transfer data, as long as they can provide the necessary protections for data subjects.
Reverse transfers: Exempt 'reverse transfers' (transfers that have been received by an organisation in the UK and are being sent back to the original transferor) from the scope of the UK international transfer regime.
Adaptable transfer mechanisms
- Empower organisations to create or identify their own alternative transfer mechanisms in addition to those listed in Article 46 of the UK GDPR.
- Create a new power for the Secretary of State to formally recognise new alternative transfer mechanisms.
- Modify the framework for certification schemes to provide for a more globally interoperable market-driven system that better supports the use of certifications as an alternative transfer mechanism.
- Allow certification to be provided for by different approaches to accountability. For example, these could be based on privacy management programmes.
- Clarify that prospective certification bodies outside of the UK can be accredited to run UK approved international transfer schemes.
Derogations: Establish a proportionate increase in flexibility for use of derogations by making explicit that repetitive use of derogations is permitted other than for the derogation for compelling legitimate interests.
4. Delivering better public services
Goal: Improve the delivery of government services through better use and sharing of personal data.
- Clarify that private companies, organisations, and individuals who have been asked to process personal data on behalf of a public body may rely on that body's lawful ground for processing the data under Article 6(1)(e) of the UK GDPR.
- Clarify that public and private bodies may lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies.
- Introduce compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments, and government contractors using public data.
- Include in legislation a definition of 'substantial public interest' or add to or amend the list of specific situations deemed to always be in the substantial public interest.
5. Reform of the ICO
Goal: Improve the legislative framework that underpins the ICO by: setting new and improved objectives and a clearer strategic vision for the regulator; improving accountability mechanisms; and refocusing its statutory commitments away from handling a high volume of low-level complaints and towards addressing the most serious threats to public trust and inappropriate barriers to responsible data use. In the future, the ICO should devote more resources to supporting those organisations that want to innovate responsibly and to tackling poor practices by those that do not meet the UK's high standards for data protection.
- Introduce a new, statutory framework that sets out the strategic objectives and duties that the ICO must fulfil when exercising its functions. As an independent regulator, the ICO would continue to set its operational objectives in order to ensure it effectively delivers against this framework.
- Introduce a power for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities.
- Introduce a new overarching objective for the ICO, in addition to its other functions, tasks and duties: (i) upholding data rights; and (ii) encouraging trustworthy and responsible data use.
- Introduce new duties on the ICO: (i) to have regard to economic growth and innovation when discharging its functions; (ii) to have regard to competition when discharging its functions; (iii) to have due regard to public safety when carrying out its functions; and (iv) to cooperate and consult with other regulators, in particular those in the Digital Regulation Cooperation Forum ('DRCF').
- Establish a new information sharing gateway to enable regulators, in particular those in the DRCF, to share information in support of cooperation across a broad range of issues.
- Introduce a new power for the Secretary of State for DCMS to periodically prepare a statement of strategic priorities to which the ICO must have regard when discharging its functions. This is not intended to conflict with the ICO's statutory objectives, duties, functions, and tasks, which would take precedence if any conflict were to arise.
- The ICO should deliver a more transparent and structured international strategy, as part of its accountability and transparency requirements.
- Include a new statutory objective for the ICO to consider the Government's wider international priorities when prioritising and conducting its own international activities.
- Establish an independent board and a Chief Executive Officer at the ICO.
- Introduce a requirement for the ICO to develop and publish comprehensive and meaningful key performance indicators to underpin its annual report and requiring the ICO to report how it is delivering against its objectives and duties.
- Empower the DCMS Secretary of State to initiate an independent review of the ICO's activities and performance if, for example, the ICO's performance were to slip below a threshold or after prior notifications about shortcomings in performance.
- Oblige the ICO to undertake and publish impact assessments, as well as conduct enhanced consultation, when developing codes of practice, and complex or novel guidance.
- Introduce a power for the DCMS Secretary of State to require the ICO to set up a panel of persons with relevant expertise when developing codes of practice, and complex or novel guidance.
- Require the complainant to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO.
- Introduce guidance and exemptions that, in certain circumstances, allow the data subject to proceed directly to the ICO with their complaint; for example, following a period of undue delay from the controller, or in the context of complaints from or involving children or vulnerable people; and introduce a requirement on data controllers to have a simple and transparent complaints-handling process in place to deal with data subject complaints.
- Introduce criteria by which the ICO can decide not to investigate a given complaint.
- Extend the ICO's powers to: (i) commission an independently produced technical report to inform investigations, obtaining a view from a third party about aspects of a regulated organisation's activities; (ii) compel witnesses to attend an interview in the course of an investigation; and (iii) issue a final penalty notice up to 12 months after a Notice of Intent, with a so-called 'stop-the-clock' mechanism for gathering further evidence.
- Require the ICO to set out anticipated timelines for the phases of an investigation to the relevant data controller(s) at the beginning of an investigation.
Odia Kagan Partner and Chair of GDPR Compliance and International Privacy
Fox Rothschild LLP, Philadelphia