UK government consults on reforms to the UK’s data protection regime

September 9, 2021

The UK government is launching a wide-ranging consultation on reforms to create an “ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data”. The consultation proposes a number of significant changes to the existing regime, following a set of six guiding principles.

Details of the reforms

The suggested reforms deliberately build on the key elements of the current UK GDPR, such as its data processing principles, its data rights for individuals, and its mechanisms for supervision and enforcement. The government believes that these key elements remain sound and they will continue to underpin a high level of protection for people’s personal data and control for individuals over how their data is used. It says that organisations have invested in understanding, complying with and implementing this regime, and the ICO’s toolkit for supervision is fundamentally fit for purpose. The government wants to incorporate some of the recitals to the UK GDPR into the actual legislation. Now, they are used as a guide to interpretation but can create uncertainty.

The government also seeks to understand how current legislation could be amended to support responsible research activity using personal data and improve access to data.

It also intends to amend the legitimate interest ground for data processing and proposes to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test to give them more confidence to process personal data without unnecessary recourse to consent. The government proposes to stipulate in this list that processing personal data for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest. It also intends to permit the processing of sensitive personal data as necessary for bias monitoring, detection and correction in relation to AI systems.

In terms of the use of AI, the government is concerned that there is uncertainty about the scope and substance of ‘fairness’ in the data protection regime as applied to the development and deployment of AI systems, and the ICO’s regulatory reach. The National AI Strategy to be published later this year will address these areas in more depth.

The government is also considering reforms to deal with automatic decision making and profiling and seeks more views on whether the relevant provisions of the UK GDPR are keeping pace with the likely evolution of a data-driven economy and society, and whether it provides the necessary protection. The Taskforce on Innovation, Growth and Regulatory Reform has recommended that Article 22 of the UK GDPR should be removed and that UK law should instead permit the use of solely automated AI systems on the basis of legitimate interests or public interests. The government is considering this proposal and is seeking views on it.

The government has also set out proposals on how to improve data anonymisation as well as asking for views on the role of data intermediaries.

Accountability framework reform

The government also proposes to reform the accountability framework. In particular, it intends to remove the requirements for organisations to appoint data protection officers and to undertake a data protection impact assessment, so that organisations may adopt different approaches to identify and minimise data protection risks that better reflect their specific circumstances. It is also considering whether to change the threshold for reporting a data breach to the ICO so that organisations must report a breach unless the risk to individuals is not material.  

It also seeks view on subject access requests and their most onerous aspects so that it can consider reforms such as a ceiling on costs for organisation and the threshold for a request being vexatious.

Privacy and electronic communications

Much has been reported in the media about cookies. The government is considering two main options for dealing with cookies. The first would permit organisations to use analytics cookies and similar technologies without the user’s consent. The second is asking for evidence on the risks and benefits of a second option, which could permit organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.

The government proposes to extend the soft opt-in to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription. Under the proposals, organisations relying on the soft opt-in must give a person the chance to opt out when they first collect the person’s contact details and in every subsequent communication they send. It must also be simple to opt-out – for example a person should be able to reply directly to an email message, or click a clear ‘unsubscribe’ link.

It also seeks views on bringing the fines under the Privacy and Electronic Communications Regulations 2003 SI 2003/2426 (PECR) for nuisance calls and spam into line with the those that can be levied under the UK GDPR, as they are currently significantly lower. Likewise the effectiveness of the enforcement regime generally under PECR. In addition, the government is considering changes to the rules around political engagement and welcomes views on two main issues. The first is whether communications from political parties which promote aims and ideals should continue to be treated as direct marketing for the purposes of PECR. The second is whether the lawful grounds for processing personal data, including personal data revealing political opinions, under Articles 6 and 9 of the UK GDPR, permit political parties and elected representatives to process personal data for the purposes of democratic engagement to the extent that is necessary in a healthy democracy.

Changes to public sector data use

The government also asks how personal data can be more effectively used in the public sector. For example, it proposes to clarify that public and private bodies may lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies.  It also plans to introduce compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors using public data. The government also want to streamline and clarify rules on the collection, use and retention of data for biometrics by the police.

Reforms to the ICO

The government proposes to introduce a new overarching objective for the ICO, in addition to its other functions, tasks and duties. This would be to uphold data rights and encourage trustworthy and responsible data use. It also intends to place a new duty on it to have regard for economic growth and innovation as well as a new competition duty. The government proposes to introduce a new duty on the ICO to cooperate and consult with other regulators. Alongside that it wants the ICO to have due regard to public safety when fulfilling its functions and a new statutory objective for the ICO to consider the government’s wider international priorities when prioritising and conducting its own international activities. There are also proposals about new reporting duties and enhanced powers of the Secretary of State. The government proposes to oblige the ICO to undertake and publish impact assessments, as well as conduct enhanced consultation, when developing codes of practice, and complex or novel guidance. Significantly, it wants to allow the Secretary of State to veto such codes and guidance.  

The government is also proposing changes around 

  • complaints handling, that is, complainants should try to resolve their complaints with the data controller before involving the ICO as well as setting out criteria under which it does not need to consider a complaint.
  • a requirement on data controllers to have a simple and transparent complaints-handling process in place to deal with data subject complaints. 
  • enforcement such as technical notices and requiring witnesses to answer questions. Finally, it asks if the functions of the Biometrics and Surveillance Commissioners should be absorbed into the ICO’s remit.

Impact on EU adequacy

Many lawyers will be concerned about the impact of the proposals on the adequacy arrangements with the EU. The government appears to believe there is no problem here, saying

“the government believes it is perfectly possible and reasonable to expect the UK to maintain EU adequacy as it begins a dialogue about the future of its data protection regime and moves to implement any reforms in the future. European data adequacy does not mean verbatim equivalence of laws, and a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law”. 

It remains to be seen whether the EU agrees; the adequacy arrangements are time-limited for four years and may not be renewed if the government’s new regime diverges too much. 

In terms of its own adequacy decisions, the government intends to approach its own adequacy assessments with a focus on risk-based decision-making and outcomes. The government intends to explore legislative change to ensure that the suite of alternative transfer mechanisms available to UK organisations in the UK GDPR is clear, flexible and provides the necessary protections for personal data.

The consultation ends on 19 November 2021.