On September 10, the U.K. government launched a consultation “Data: A New Direction” (Consultation), which proposes significant changes to the U.K.’s data protection framework.
The U.K. government has signalled its intention, following Brexit, to revisit the U.K. General Data Protection Regulation (UK GDPR) — which is nearly identical to the EU GDPR. It aims to craft a bespoke “pro-growth and pro-innovation regime whilst maintaining…world-leading data protection standards.” The Consultation sets out in detail, for the first time, the reforms which the U.K. government seeks to implement.
Organizations will have to await the outcome of the Consultation for the final set of legislative reforms. However, it is clear that some level of regulatory divergence between U.K. and EU data protection laws is now inevitable. The extent of this divergence, and the response of the EU Commission and the European Data Protection Board, will determine whether the price of divergence is the end of the free flow of personal data between the EU and the U.K.
The Consultation groups its proposed reforms around five key themes: (1) reducing barriers to innovation; (2) reducing burdens on businesses and delivering better outcomes for people; (3) boosting trade and reducing barriers to data flows; (4) delivering better public services; and (5) reform of the UK regulator, the Information Commissioner’s Office.
The reform package is guided by a desire to give businesses additional clarity on what is required of them and increased flexibility in how they meet those requirements. This is intended to address two perceived drawbacks of the current regime (based on the EU GDPR): (1) that its high-level, principles-based approach is too vague and ambiguous for businesses to implement in practice, while, at the same time, (2) being too prescriptive in specific areas by adopting a “one size fits all” approach to data protection that is not appropriate for all businesses.
We have summarised the most significant proposals below.
- A more flexible and risk-based accountability framework based on privacy management programmes. Under this proposal, Article 24 of the UK GDPR would be revised so that businesses would be required to develop and implement a risk-based privacy management programme that reflects the volume and sensitivity of the personal data handled and the type of processing carried out. As part of this reform, certain specific compliance requirements of the UK GDPR would be removed or amended.
- Data Protection Officers. The requirement to designate a Data Protection Officer would be replaced with a requirement to designate a suitable individual to be responsible for the privacy management programme and for overseeing the business’s data protection compliance. The key difference appears to be that the person designated would not have the independent, quasi-regulatory role and related obligations which a Data Protection Officer has under the EU/UK GDPR.
- Data Protection Impact Assessments. These would no longer be required in their current form; the processes for deciding when and how to conduct assessments would be for businesses to determine as part of their privacy management programme.
- Record-keeping requirements under Article 30. These requirements would be removed, leaving it to businesses to determine their own record-keeping arrangements as part of their privacy management programme, based on their data processing activities.
- Data breach reporting thresholds would be amended with a new materiality threshold. The intention of this proposed reform is to reduce over-reporting (given the low legal threshold which currently exists), which places a considerable burden on the time and resources of businesses and the ICO.
- Requirement for prior consultation with the ICO. This would be removed so that businesses would not face any direct penalties for failing to consult the ICO in advance of carrying out the processing.
- Legitimate interests. A limited exhaustive statutory list of legitimate interests would be created, setting out circumstances where businesses can use personal data without applying the balancing test. These interests would potentially include reporting criminal acts or safeguarding concerns to appropriate authorities; monitoring, detecting or correcting bias in the development of AI systems; using audience measurement cookies or similar technologies; improving or reviewing a business’s system or network security; de-identifying personal data through pseudonymization or anonymization to improve data security; and using personal data for internal research and development purposes or business innovation purposes.
- Rights of a data subject not to be subject to a decision resulting from solely automated processing if that decision has legal or similarly significant effects. These rights would be removed, and such a decision would be permissible where it is based on a valid legal basis for processing (e.g., consent, public interest, legitimate interest, etc.).
- Clear statutory test for data anonymization. The statutory test would be based on existing guidance and case law, focusing on the means available to the data controller to re-identify such data.
- Research-specific provisions across the U.K.’s data protection framework. These would be consolidated in the hope that this would help researchers navigate their data protection obligations more easily given that the current requirements are dispersed across the UK Data Protection Act 2018 and the UK GDPR. This reform would be coupled with other, related reforms in the field of scientific research, such as clarifying in legislation how university research projects can rely on “tasks in the public interest” as a lawful ground for processing; creating a new, separate lawful ground for research; permitting data subjects to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of the processing at the time of data collection; and permitting further processing (re-use of data) in certain circumstances where there is an important public interest.
- International data transfer mechanisms. The U.K. Government aims to improve such mechanisms, for example, by:
  - Increasing the number of countries benefitting from an adequacy decision and implementing an adequacy assessment framework focused on risk-based decision-making and outcomes.
  - Exempting “reverse transfers” (i.e., transferring data back to the original transferor outside the U.K.) from the scope of the international transfer regime.
  - Empowering businesses to create their own alternative transfer mechanisms without prior ICO approval, providing they can fulfil their transparency and accountability obligations.
  - Increasing flexibility in the use of derogations by clarifying that repetitive use of derogations may be permitted.
- New fee regime for data subject access requests. This re-introduces the right for data controllers to charge a (nominal) fee for data subject access requests, which was permitted in the U.K. prior to the GDPR.
- Analytics cookies. Under a new risk-based approach, the requirement for consent would be removed for certain analytics cookies, for example those tracking the number of users to a site, pages visited and duration of the visit. In effect, these would be treated in the same way as “strictly necessary” cookies, which do not require the user’s consent.
- New voluntary undertakings process. Under this process, organizations that are able to demonstrate a proactive approach to accountability could provide the ICO with a remedial action plan on discovering an infringement. The ICO could then accept it, without taking any further action, as part of the voluntary undertakings process.
- UK ICO’s role and governance. For example, the Consultation proposes:
  - Introducing criteria by which the ICO can decide not to investigate a given complaint.
  - Requiring the ICO to set out anticipated timelines for the phases of an investigation to the relevant data controllers at the beginning of an investigation.
  - Introducing a requirement for a complainant to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO (which is already a procedural requirement in some EU member states), coupled with a requirement for data controllers to have a simple and transparent complaints-handling process in place to deal with data subject complaints.
Significance of the Proposed Changes and Practical Impact
The Consultation does not propose to comprehensively rewrite the fundamental building blocks of the U.K.’s data protection regime: the data protection principles, the notion of accountability, the legal grounds for processing and data subject rights. Consequently, the backbone of the U.K.’s data protection framework, even supposing all or the majority of the reform proposals are implemented, will remain largely the same. To this extent, the future U.K. framework and the EU GDPR will remain largely aligned in structure and principle. However, the more pragmatic, risk-based approach may permit greater flexibility for businesses operating in the U.K. and potentially result in lower compliance burdens. That is certainly the underlying aim of some of the proposals (and the Consultation is accompanied by a detailed assessment of the potential impact and cost savings for organizations). That said, the potential cost savings for businesses operating internationally in the U.K. and one or more EU member states may be marginal, given the need to comply with two separate and potentially increasingly divergent regulatory regimes.
Future of U.K. Adequacy Under EU GDPR
If the reforms are implemented, the U.K. would take its first meaningful steps in a different regulatory direction. This is unlikely to be welcomed by the EU authorities.
The EU Commission recently granted the U.K. “adequacy” status under the EU GDPR, which allows businesses to export personal data from the EU to the U.K. without implementing any additional safeguards such as standard contractual clauses or binding corporate rules. Mindful of the U.K.’s intention to reform its data protection framework, the EU took the unprecedented step of including a sunset clause in the U.K. adequacy decision, by which it will automatically cease to have effect after four years unless proactively renewed by the EU authorities. However, the EU could take action sooner if it views the reforms set out in the Consultation as substantively weakening the U.K.’s data protection regime.
The U.K. government argues that adequacy does not mean “verbatim equivalence of laws” and that “a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law.” To this end, the Consultation attempts to provide real world examples of the types of reform it would like to see which already form part of the data protection frameworks of other EU “adequate” jurisdictions. For example, Canada’s approach to privacy management programmes is expressly invoked in connection with the Consultation’s proposed reform to the accountability framework in this area.
The risk is that the costs of losing “adequacy” status for the U.K. outweigh the anticipated benefits of any reformed U.K. data protection framework, at least for multinational businesses with significant cross-border data flows. If adequacy is lost, organizations would face significant, additional compliance costs in carrying out data transfer impact assessments and implementing data transfer agreements between their EU and U.K. operations or with their U.K. counterparties.
Similarly, at a time of rapid data protection reform across the world, some will query whether another distinct set of data protection obligations is a positive development for multinational businesses which are already facing very significant challenges implementing global data protection compliance programs across multiple, sometimes competing jurisdictional frameworks.