On September 10, 2021, the UK Government Department for Digital, Culture, Media & Sport (“DCMS”) launched a consultation on its proposed reforms to the UK data protection regime. The consultation reflects DCMS’s effort to deliver on Mission 2 of the National Data Strategy, which is “to secure a pro-growth and trusted data regime in the UK.” Organizations are encouraged to provide input on a range of data protection proposals, some of which are outlined below. The consultation will close on November 19, 2021, and the Centre for Information Policy Leadership (“CIPL”) will consult with members to prepare a formal response to the consultation.
Following its departure from the European Union, the UK is no longer bound by EU law and may adapt its existing data protection regime, which is currently based on the EU General Data Protection Regulation (“GDPR”). The GDPR was incorporated into UK domestic law prior to the UK’s departure from the EU in the form of the “UK GDPR,” which is supplemented by the Data Protection Act 2018 (“DPA”). Although DCMS has signaled that its proposed amendments will build on and refine the existing UK framework, rather than recast it, the reform could well be extensive.
DCMS stated: “Outside of the EU, the UK can reshape its approach to regulation and seize opportunities with its new regulatory freedoms, helping to drive growth, innovation and competition across the country. The UK needs agile and adaptable data protection laws that enhance its global reputation as a hub for responsible data-driven business that respects high standards of data protection.”
In its press release, DCMS also quoted CIPL’s President Bojana Bellamy, who referred to the UK government’s plan for reform as “bold and much needed in the modern digital and data driven age.”
Bellamy added: “It could be a win-win for all – organizations, individuals, and society. It enables organizations to leverage data responsibly, for economic and societal benefits and to build their brand as trusted data stewards. It gives individuals assurances and more effective protection from genuine harms. [An] accountability, risk- and outcome-based approach will be welcomed by all – these are the founding blocks of modern regulation and a modern regulator. I hope other countries follow the UK’s lead.”
Any departure from the existing data protection regime will be scrutinized by the European Commission as part of its review of the UK’s adequacy decision, due in four years’ time. DCMS notes in the consultation that: “European data adequacy does not mean verbatim equivalence of laws, and a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law.”
Topics on which DCMS seeks input from respondents include:
- whether provisions on use of personal data for research purposes, which are currently layered throughout the UK GDPR and DPA, should be consolidated to provide greater clarity on the range of relevant provisions and how they relate to each other;
- an appropriate definition of “scientific research” under data protection legislation;
- the appropriate lawful basis for scientific research, and whether it should be possible for data subjects to provide a broad consent when it is not possible to fully identify the purposes of processing at the point of data collection, as well as the compatibility of further processing for research purposes;
- the creation of a limited, exhaustive list of legitimate interests for which organizations can use personal data without applying the balancing test;
- whether the processing of personal data to monitor, detect and correct bias in AI systems should be included in any such list;
- additional clarity on the application of legal obligations with regard to fairness when developing or deploying AI, and the possibility for the government to provide permission to use personal data more freely for the responsible training and testing of AI;
- issues generally encountered when developing AI under the current data protection regime, e.g., with respect to limitations on data re-use;
- clarifications and loosening of the limitations on automated decision-making;
- the test to be used for determining whether or not data is anonymous;
- the role of data intermediaries;
- the move towards more flexible and risk-based privacy management programs, rather than prescriptive legal requirements;
- whether the requirement to appoint a Data Protection Officer (“DPO”) should be updated;
- the helpfulness of Data Protection Impact Assessments (“DPIAs”);
- removal of record-keeping requirements under Article 30 of the UK GDPR;
- adjustment of the threshold for notification of a data breach to the ICO under Article 33 of the UK GDPR;
- the current impact of subject access requests, particularly with respect to whether organizations find them time-consuming or costly to process;
- the categorization of cookies and similar technologies and potential legal bases for their use;
- whether the “soft opt-in” for direct marketing available under the Privacy and Electronic Communications Regulations (“PECR”) should be extended to cover non-commercial organizations;
- introduction of a “duty to report” on communication service providers with respect to suspicious traffic on their networks;
- whether fines available under PECR should reflect those available under the UK GDPR, i.e., up to £17.5 million or 4% of global turnover, whichever is higher;
- whether future UK adequacy decisions should be risk-based and focused on outcomes;
- strengthening of ongoing monitoring of adequacy regulations and relaxation of the requirement to review adequacy regulations every four years;
- the extent to which redress requirements for international data transfers may be satisfied by either administrative or judicial redress mechanisms, provided such mechanisms are effective;
- the importance of proportionality when assessing risks for transfer mechanisms such as Standard Contractual Clauses (“SCCs”);
- an exemption from the UK GDPR’s transfer restrictions with respect to data originating from outside the UK (i.e., “reverse transfers”);
- the ability for organizations to create their own alternative transfer mechanisms;
- the ability for organizations to rely on derogations under Article 49 of the UK GDPR for repetitive transfers;
- the introduction of a duty for the ICO to have regard to economic growth and innovation, competition, and public safety when discharging its functions;
- providing the DCMS Secretary of State with the power to initiate an independent review of the ICO’s activities and performance; and
- introduction of a requirement for a complainant to attempt to resolve a complaint directly with the relevant controller before lodging a complaint with the ICO.
Respondents to the consultation can provide their insight online here, or in written form at DataReformConsultation@dcms.gov.uk or Domestic Data Protection team, DCMS, 100 Parliament Street, London, SW1A 2BQ.