UK: A new direction for data protection?
The UK Government published, on 10 September 2021, its consultation paper entitled 'Data: A new direction'1, identifying issues in the UK's data protection regime and outlining reform proposals, in an endeavour to deliver Mission 2 of the National Data Strategy2, i.e. to secure a pro-growth and trusted regime. Though it remains unclear precisely how the proposed changes will take form in a concrete legislative proposal, the consultation clearly outlines that the Government aims to deviate from the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), including proposals to reform or remove some key GDPR requirements. OneTrust DataGuidance looks into these proposals, with accompanying analysis from Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, who explains how these could work in practice.
On her first impressions of the proposed reforms, Kagan noted, "I would summarise [with] the word "re-thinking" […] A considerable amount of thought and effort [has] gone into this and also the initiative, and boldness to consider new directions and approaches."
Below, we look into some of those new directions and approaches.
The consultation identifies a key issue around accountability; that, while the EU GDPR aimed at creating a regime that is focused on the accountability of organisations, in practice, this one-size-fits-all approach may sometimes prove counterproductive, as it can be perceived as a 'box-ticking' exercise, rather than a proactive and systemic approach, and can hinder innovation due to the imposition of unnecessarily high costs.
Privacy management programs
Thus, considering this issue, the consultation proposes to implement a more flexible and risk-based accountability framework which is based on privacy management programmes, similar to the approach taken by Singapore, Canada, and Australia. Specifically, under this framework, organisations would be required to implement a privacy management programme tailored to its processing activities. According to the consultation, privacy management programmes are based on a number of elements at the core of accountability, such as: leadership and oversight, risk assessment, policies and processes, transparency, training and awareness of staff, and monitoring, evaluation, and improvement. The consultation further highlights that organisations that have demonstrated this approach to accountability, have seen competitive benefits and reputational advantages.
To support the implementation of privacy management programmes, the Government proposes to amend or remove specific compliance requirements in the UK GDPR, which it considers to be disproportionately burdensome for many organisations. Specifically, the consultation proposes:
- removing the existing requirements to designate a data protection officer ('DPO') and authorising individual organisations to determine such requirements based on their discretion;
- removing the requirement for organisations to undertake a Data Protection Impact Assessment ('DPIA'), so that organisations may adopt different approaches to identify and minimise data protection risks that better reflect their specific circumstances. In addition to this, the consultation proposes removing the requirement for prior consultation with the Information Commissioner's Office ('ICO') upon identification of a high-risk data processing, but rather encourage a more proactive, open, and collaborative dialogue between organisations and the ICO;
- removing record keeping requirements under Article 30 of the UK GDPR, while granting organisations more flexibility about how to keep certain records in a way that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out; and
- changing the threshold for reporting a data breach to the Information Commissioner's Office ('ICO') so that organisations must report a breach, unless the risk to individuals is not material.
Furthermore, the consultation notes that the UK's future data protection regime will not require organisations to change many of their current processes, if these already operate effectively, however it will provide the flexibility to do so if other processes can deliver the same or better outcomes in more innovative and efficient ways.
On the question of whether the proposed removal of EU GDPR's accountability mechanisms would impose a risk on people's privacy, Kagan states that, "A lot would depend on how the proposed privacy programme option for accountability will work in practice. How and what accountability looks like in practice is an area that would indeed benefit from more guidance. The structure of a privacy program, which echoes privacy frameworks like NIST and ISO 27001 is a welcome one and when done right, it would actually include a DPO or equivalent position, DPIAs, or similar risk assessments or a data inventory. The question is, how would it be enforced and how do you, without separate requirements, ensure that companies take the required steps."
Data breach reporting
Another proposal introduced in the consultation is reforming the breach reporting requirement under Article 33 of the UK GDPR. Specifically, the consultation highlights that the current requirement, as it stands, result in organisations' over-reporting to the ICO of breaches which are unlikely to result in a high risk, and which, at the same time, is costly and time-consuming for companies, and causes a significant workload for the ICO. To tackle this issue, the consultation proposes adjusting the threshold for notifying personal data breaches to reduce burdens on organisations, so that the latter must report a breach, unless the risk to individuals is not material. To support this proposal, the consultation invites the ICO to produce guidance on what shall be considered a 'non material' risk. On that note, Kagan comments that, "Having a separate duty to report [data breaches] to the regulator may create a tendency to over-report. While that may be a good thing, it ends up putting a lot of notification to be addressed by the regulator that may not have sufficient capacity. Putting the onus on companies […] may prove an effective path."
Having identified these issues, the consultation puts forward the below proposals aiming to relax cookie consent requirements:
- permit organisations to use analytics cookies and similar technologies without the user's consent;
- permit organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes; and
- use data fiduciaries or other trusted third parties to manage an individual's consent preferences.
With respect to issues that the above could pose for online service providers targeting non-UK residents, Kagan acknowledges that "this is a complex problem", additionally noting that "the approach to cookie regulation is not uniform across the EU member states and this creates many compliance difficulties for companies." Furthermore, Odia Kagan highlights, "While the layering of eprivacy compliance on top of GDPR compliance is a tall order and tilts the scales in favour of consent, there are regulators who already opined that analytics/audience measurement do not require consent in certain circumstances. It would be immensely helpful for companies if there were a way to harmonise the regulation in this area."
Further to the above, the consultation identifies a loophole in the provisions under Article 22 of the UK GDPR, relating to automated decision-making and profiling. According to the consultation, Article 22 only captures decisions that are based 'solely on automated processing', when in practice, most automated decisions have a human involved at some point, which, as a result, creates uncertainty about when and how certain safeguards shall apply in practice.
Another concern noted in the consultation, is the limited application of Article 22. Specifically, the consultation highlights that, as a result of the current terminology, a lot of profiling and AI-related processing activity, such as a decision which is 'partly' based on automated processing, rather than 'solely', or an automated decision which is taken based on 'non-personal data', will likely fall outside the scope of this Article. As a result, the consultation notes that, on the one hand, automated decisions with a 'legal or similarly significant effect' might not be subject to safeguards, when these might be needed, and on the other hand, the safeguards introduced for 'solely automated' decisions may be disproportionate and restrictive.
Based on the above identified issues and the need to ensure that the UK GDPR remains principle-based and future-proofed in light of evolving machine learning and AI technologies, the consultation outlines that the Government is considering the recommendation of the Taskforce on Innovation, Growth, and Regulatory Reform4 to remove Article 22 of the UK GDPR and instead permit the use of solely automated AI systems on the basis of legitimate interests or public interests. This would mean, according to the consultation, that solely automated decision-making in relation to personal data would be permitted, subject to it meeting other requirements of the data protection legislation, including the conditions of lawful processing in Article 6(1) of the UK GDPR and Articles 9 and 10, as supplemented by Schedule 1 to the Data Protection Act 2018, in relation to sensitive personal data, where relevant.
Kagan adds, in relation to the consultation's comments on partially automated decision, that this is a "known issue", and one which was mentioned in a recent guidance by the Singapore Personal Data Protection Commission ('PDPC'). Further to this, Kagan notes, "Another known issue is the fact that complying with GDPR requirements for DSARs and deletion request in connection with AI data (e.g. training sets) is very challenging and this is reflected in the ICO guidance on the topic. This issue seems to be at a standstill under GDPR with everyone acknowledging that compliance is extremely difficult, if not impossible, but that AI is important for innovation. Renewed and creative thinking in this area may forge a new path forward."
Kagan concludes, "Setting aside the issue of whether or not, and to what extent, the proposals deviate from the EU approach, I think that there is great merit in the following:
- the initiative, courage, and effort to rethink and take a fresh look at age-old concepts and 'we’ve always done it that way';
- creative solutions with an emphasis on clarity and simplicity such as the moving of recitals into the body of the document or grouping related provisions together; and
- putting an emphasis on stakeholder and public consultation and understanding what the public values and needs are. This is often highlighted for a DPIA process and so it is only fair that it be done as part of a regulatory rulemaking process.
Marina Ioannou Senior Privacy Analyst
Comments provided by:
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia