Other Author Kahroba Kojouri
On 10 September 2021, the UK Government's Department for Digital, Culture, Media and Sport (DCMS) launched a consultation outlining its proposals to extensively reform the UK's data protection and privacy regime, following its departure from the European Union ("EU").
The new data protection rules proposed for the UK would see the country deviate from the standards that apply in the EU under the European General Data Protection Regulation ("EU GDPR") and would loosen restrictions on the use of data in the UK, with the purpose of engendering growth and innovation.
The DCMS proposals fall into five broad categories:
- Boosting trade and reducing barriers to data flows
The UK Government seeks to boost international trade by removing unnecessary barriers to cross-border data flows and offering a more flexible and innovative approach to international data transfers. The proposals include the following:
- Establishing adequacy regulations for groups of countries, regions and multilateral frameworks which have shared, harmonised or common frameworks. The UK would implement an ambitious programme of adequacy assessments to expand the list of countries that are designated by the UK as offering adequate data protection to include countries such as the United States of America, Singapore, Brazil and Australia;
- Approaching adequacy assessments with a focus on risk-based decision-making and outcomes, providing businesses the flexibility to create their own alternative transfer mechanisms and amending legislation so that both administrative and judicial redress are acceptable mechanisms to address any shortcomings identified with respect to personal data being transferred overseas; and
- Exempting 'reverse transfers' (i.e. the transfer of data originating from a country outside of the UK, which is subsequently processed by a processor located in the UK, and is then sent back to the data controller operating outside of the UK) from falling under the scope of the UK international transfer regime.
- Reduction of administrative burdens on businesses
The UK Government proposes to move away from what it calls the "box-ticking" regime of the EU GDPR which places unnecessary burdens on businesses and ultimately hinders the UK's competitiveness. Proposals include the removal of the requirement to:
- designate a Data Protection Officer;
- conduct data protection impact assessments (DPIAs);
- meet the data mapping and record keeping obligations under Article 30;
- consult with the UK Information Commissioner's Office ("ICO") prior to high-risk processing; and
- inform the ICO of personal data breaches where the risk to data subjects is "not material".
Further, it is suggested that businesses should be able to charge fees with respect to their handling of subject access requests as these are time consuming and costly for businesses to respond to.
It is also proposed that businesses be permitted to use analytics cookies and other similar technologies without requiring the consent of users to reduce excessive cookie pop-ups on devices. Alternatively, organisations should be permitted to store data on, or collect information from, the devices of users without their consent for limited purposes.
- Reduction of barriers to responsible innovation
The UK Government seeks to clarify the scope of the 'legitimate interests' ground used for lawful processing under Article 6(1)(f) of the UK GDPR. It would provide an exhaustive list of pre-approved legitimate interests for which businesses can process data without the need to conduct a balancing test to determine if the rights and freedoms of data subjects override the interests of a business in processing data. For example, the processing activities that would be permitted under this ground would include the processing of data for internal research and development purposes or for the improvement of the safety of a product or service which a business provides.
Further, it is proposed that the requirement for human oversight in respect of automated decision-making be removed. Instead, automated decision-making would be permitted where one of the lawful grounds of processing under Article 6(1) are met.
Importantly, the UK Government has also proposed to make changes to the rules on anonymization. It plans to adopt a clearer test which can be used to determine when data will be regarded as anonymous, which will also establish, amongst other things, that the question of whether data is anonymous is relative to the means available to the data controller to re-identify it.
Delivery of better public services
The UK Government is considering expanding the list of situations in which special categories of personal data (i.e. those relation to an individual's health, race, political opinions or sexual orientation) can be processed. Further, it is proposed that public and private bodies should be able to process health data when it is necessary for reasons of "substantial public interest".
- Reform of the Information Commissioner's Office
The UK Government intends on setting a new legislative framework for the ICO which introduces the following new duties:
- ICO to have regard for economic growth and innovation when it is performing its functions;
- ICO to have regard to competition when discharging its functions; and
- ICO to cooperate and consult with other regulators in the UK.
Further, the UK Government is keen to reduce the burden on the ICO to investigate complaints. It is considering introducing a requirement for a complainant to attempt to resolve any complaints with the data controller prior to filing the complaint with the ICO, or a criteria by which the ICO can decide not to investigate a particular complaint so that it can focus on complaints that carry a higher risk of harm to individuals.
While the reforms proposed by the UK Government would relieve UK businesses from some of the more stringent requirements they are subject to under the UK GDPR, the substantive changes proposed to the UK data privacy regime may in fact pose a practical challenge for businesses that operate in both the UK and EU that will now be required to comply with two separate and different sets of rules. For this reason, ultimately, the loosening of rules in the UK may not bring much material benefit to businesses that operate in both the UK and EU if these businesses instead decide to continue to comply with the higher standards required under the EU GDPR across their European operations.
The most significant risk associated with an overhaul of the UK GDPR rules is that it puts the EU's adequacy decisions in relation to transfers of personal data from the EU to the UK at risk. The EU may decide that the watering down of the GDPR rules means that the UK no longer provides an adequate level of data protection and that data can no longer flow freely between the EU and the UK. The European Commission did warn the UK Government when issuing its adequacy decisions that its decisions could be revoked "immediately" if the UK Government weakens its data protection standards (please see our client alert about the European Commission’s adequacy decisions for the UK here). Given that approximately 45 percent of UK imports and exports are from/to the EU1, with the unrestricted exchange of data forming a crucial part of that trade, a revocation of the adequacy decision will not only prove challenging for UK and EU businesses, but would also be very costly. It is estimated that the cost to UK businesses alone can fall between £1.1 to £1.6 billion2.
It remains to be seen which of the proposals will be implemented by the UK Government and the scale of the changes that will be made to the UK GDPR; however, what is clear is that the significance of these changes to international businesses will be tied to the EU’s reception of the new rules adopted by the UK.
Organisations are welcome to respond to the UK Government's consultation until 19 November 2021. Details on how to submit a response to the consultation can be found here.
1 Department for International Trade. 2021. Trade and Investment Core Statistics Book. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1018620/Trade-and-Investment-Core-Statistics-Book-2021-09-20.pdf