After an eye-raising consultation with a proposed list of significant changes to UK GDPR, which had the potential to risk the UK's adequacy decision, we can all stop holding our breath. The Government's response to the "Data: a new direction" consultation has not moved the dial on distinctions with the EU GDPR. Data protection practitioners breathe a sigh of relief, on behalf of all their clients.
For all UK organisations who have spent time and effort on their GDPR compliance to date, this is not a GDPR v2 requiring anything like the effort to achieve compliance back in 2018. More tweaks and learning some new names.
The extra good news for any pan-European businesses looking to achieve a harmonised approach is that compliance with an amended UK GDPR will mean you are still compliant with EU GDPR.
So has the Government moved the dial at all? On two issues, yes:
- Cookie fines increased and less consents: The maximum fine that the ICO can raise under PECR is increased from £500,000 to greater of 4% of worldwide turnover or £17.5million. Not a surprising result. The message: marketing practices will be under much greater scrutiny and potentially not just for the cold callers and spammers who have received most of the ICO's attention to date. Consent will also not be required for analytics cookies.
- Changes to the governance of the ICO: Specifically, greater political influence in the Information Commissioner's Office ("ICO") with an independent board who will be appointed by the DCMS Secretary of State and any new guidance having to be approved by the DCMS Secretary of State before being laid before Parliament. This takes us further down the direction of travel that was indicated when Jonathan Edwards took over as the ICO from Elizabeth Denham.
There is of course a world of detail in the changes that the Government will make to UK GDPR. We have summarised the full breadth of the changes in the article below.
The Government published its response to the consultation 'Data: a new direction' on 17th June 2022. This previews what is to be included in the upcoming Data Reform Bill, which the Government hopes to have finalised by Spring 2023.
The Government had outlined their themes for proposed changes in the consultation as follows:
- Reducing barriers to responsible innovation;
- Reducing burdens on businesses and delivering better outcomes for people;
- Boosting trade and reducing barriers to data flows;
- Delivering better public services; and
- Reforms of the ICO.
We have picked out the key issues from the consultation response in the sections below. At the end of the article, we have collected together a list of the proposals made in the consultation that the Government is not taking forward.
Reducing barriers to responsible innovation
- Clarity on use of data by researchers - approved. Government will introduce a statutory definition of 'scientific research' and combine the research provisions into a single chapter.
- Ability to process data for incompatible purposes - approved. Government will make clearer when data can be re-used lawfully if it is based on a law that safeguards an important public interest, or when the data subject re-consents.
- Clarity on meaning of "legitimate interests" - partial approval. Government will create a narrow list of circumstances where no balancing test is required, such as prevention of crime or reporting safeguarding concerns. However, they will not create an exhaustive list of what can be a 'legitimate interest'.
- Mitigating bias in AI system - partial approval. This will not form part of the list where no balancing test is required under legitimate interests, but the Government will introduce a new condition into Schedule 1 of the DPA 2018 to enable the processing of sensitive personal data for the purpose of monitoring and correcting bias in AI systems.
- Changes to Article 22 profiling prohibition - approved. The prohibition will be converted into a right to specific safeguards.
- Clarity on anonymisation - approved. The UK will adopt the Council of Europe's test for anonymisation to avoid setting an impossibly high bar and to assist understanding of when data can still be related to a living individual.
Reducing burdens on businesses and delivering better outcomes for people
- Privacy Management Programme - approved. This programme will be based on the level of processing activities and the volume of sensitivity of personal data that an organisation handles. Government recognises all the effort undertaken by organisations to be 'accountable' to date, so have given comfort that this work will enable meeting this new requirement, which is intended to be more flexible and less box ticking (which funnily enough is exactly what was said about GDPR back in 2018).
- Abolish Data Protection Officers - approved. The statutory DPO role will be abolished but in its place is a designated individual appointed to oversee an organisation's compliance with data protection with responsibilities very similar to a DPO. This is meant to remove cost for smaller organisations who had to buy in a third party service and instead let it sit at a senior level in an organisation and embed privacy into the culture of an organisation.
- Abolish Data Protection Impact Assessments - approved. However, replaced with a requirement to perform risk assessments to identify and manage risks. So same activity, different name.
- Cookie reforms - approved. This is an area of significant change and does diverge with Europe, albeit that the long-awaited e-Privacy Regulation is still not yet in force.
- The Government intends to move to an opt-out model for cookies, but only once website technology is able to give users control over cookies across website.
- Government will also treat analytics cookies in a similar way to "strictly necessary" cookies under PECR by removing the requirement for consent.
- The requirement for consent will be removed in circumstances where the controller can demonstrate legitimate interest for processing the data and where the controllers are using cookies in compliance with an ICO-approved sector code or regulatory guidance.
- Cookie fine increases - approved. The maximum £500,000 fine has been replaced with GDPR-level fines for non-compliance with PECR i.e. greater of £17.5m or 4% of a business's global turnover).
- Soft opt-in for charities and political parties - approved.
Boosting trade and reducing barriers to data flows
- More political power in international transfers - approved. In order that the UK can respond rapidly to international developments, the Government plans to give the DCMS Secretary of State ("SoS") a new power to recognise new alternative transfer mechanisms. This will allow for new UK mechanisms for transferring data overseas or to recognise other international data transfer mechanisms in UK law. In addition, adequacy decisions will now be reviewed on an ongoing basis rather than every four years with the aim of safeguarding data subjects more efficiently.
Delivering better public services
- Clarity for public bodies on lawful bases for processing – approved. Government will clarify that organisations can rely on Article 6(1)(e) UK GDPR when carrying out an activity which includes processing personal data at the request of a public body. Government is going to specify new situations in Schedule 1 of the Data Protection Act 2018 to permit certain activities on the ground of substantial public interest.
Reforms of the Information Commissioner's Office
- Reforms - largely approved. The reforms continue the trend of the increased politicisation of privacy post Brexit, as privacy is seen as an area where divergence from Europe can bear fruit economically and assist in establishing the UK as a friendly place to develop AI (although the Government withdrew from including AI specific provisions in the Data Reform Bill). There are various aspects to the reforms:
- a new statutory framework setting out the ICO's strategic objectives and duties, which will include:
- an overarching duty for the ICO to uphold data rights and to encourage trustworthy and responsible data use,
- a duty for the ICO to have regard to economic growth, innovation and competition issues; and
- A duty for the ICO to have regard to public safety.
These new objectives carry the scars of recent events: economic growth (Brexit) and public safety (COVID-19).
- Corporate restructuring, moving away from the corporation sole structure and establishing an independent board who will be appointed by the DCMS SoS consisting of: a chair, and a chief executive. It is hoped that this will bring with it greater independence and diversity in the ICO's leadership, but also clearly political influence.
- New guidance and codes of practice must be reviewed by a panel of experts and there will be a new process for the DCMS SoS to approve statutory codes of practice and statutory guidance ahead of laying them in Parliament;
- New powers in breach investigations to:
- Issue technical report notice at its discretion to aid the investigations;
- Compel a witness to interview and answer questions; and
- Issue a penalty beyond the six month statutory deadline in certain circumstances.
Rejected proposals
- Creating a new lawful ground for processing for research purposes
- Including process necessary for the purpose of ensuring bias monitoring, detection and correction in the list of "legitimate interests".
- Developing a safe regulatory space for the responsible development, testing and training of AI
- To remove Article 22 of UK GDPR and solely automated decision making permitted where it meets a lawful ground in Article 6(1) (and Article 9-10 (as supplemented by Schedule 1 to the Data Protection Act 2018) where relevant) and subject to compliance with the rest of the data protection legislation
- Raising the threshold for when data breaches are notifiable to the ICO under Article 33 (1) of the UK GDPR
- Introducing a new "voluntary undertakings" process
- Introducing a cost ceiling for complying with subject access requests
- Introducing a nominal fee for subject access requests
- Excluding political parties and elected representatives from PECR's rule on direct marketing by electronic means
- Exempt "reverse transfers" from the scope of the UK ITR
- Empowering organisations to create their own alternative transfer mechanisms (ATMs)
- Allowing certification for international transfers to be provided for by different approaches to accountability and clarifying that prospective certification bodies outside the UK can be accredited to run UK-approved international transfer schemes
- Establishing a proportionate increase in flexibility for use of derogations by making explicit that repetitive use of derogations is permitted
- Defining "substantial public interest" as distinct from "public interest"
- Clarifying that health data can be lawfully processed when necessary for reasons of substantial public interest in a public health or other emergency without oversight by healthcare professionals
- Introducing compulsory transparency reporting providing information on how public authorities and government use complex automated tools to support decision-making
- Establish a new information sharing gateway to support regulatory cooperation
- Requirement for the ICO to deliver a more transparent and structured international strategy
- New statutory objective for ICO to consider wider HMG international priorities
- Chief executive to be appointed by the DCMS Secretary of State. Alternative recommendation is for this to be an ICO Board appointment, in consultation with the DCMS Secretary of State.
- A power for the DCMS Secretary of State to initiate an independent review of the ICO's activities and performance
- Changing statutory deadline for ICO to issue a penalty from six to 12 months
If you have any questions, please contact Jocelyn Paulley.