The ICO says that the opportunity to reflect on and review the UK data protection legal framework and regulatory regime is a welcome one.
The ICO has issued a detailed response to the DCMS’ consultation on reforming data protection law. It points out that three years have passed since the introduction of the Data Protection Act 2018, and the pace and scale of innovation means the data landscape has changed significantly. It is looking to the UK government to ensure any changes to further support economic growth:
It says that these are the foundations on which those wider social and economic benefits are built.
In particular, the ICO welcomes the proposals to introduce a statutory requirement for the ICO to have regard to principles including economic growth and competition, as well as a statutory requirement for the ICO to have regard to public safety.
Ensuring changes deliver for people
The consultation set out proposals to reform the rules on nuisance calls and cookies. The ICO welcomes these proposals but says that they could go further. In relation to cookies, it says that to be effective there would need to be a mechanism for requiring organisations to respect the preferences of individuals, with appropriate sanctions where this is not the case. This is an issue that would require international cooperation to address. It also recommends that the government go further and consider the pros and cons of legislating against the use of cookie walls. This would reduce the incentive for organisations to put in place barriers that undermine how people have said they would like their data to be used. In terms of nuisance calls, it would like its powers under the Privacy and Electronic Communications Regulations 2003 to be aligned with those under the GDPR.
The ICO has concerns about the government’s proposals to remove the requirement to consider whether the legitimate interests being pursued by an organisation or third party when processing data are outweighed by the impact on the fundamental rights and freedoms of individuals. It considers that these require more work and clarification.
In addition, it says that further work is required in clarifying the scope and substance of “fairness” in the data protection regime as applied to the development and deployment of AI systems. The ICO would be deeply concerned about any clarification or changes to the data protection regime that removed the centrality of fairness in how people’s data is used. It is also concerned by the proposal from the Taskforce on Innovation, Growth and Regulatory Reform to remove the right to a human review of automated decision-making, which is being considered as part of the consultation. It believes that the right to human review should be extended rather than limited.
The ICO also considers the government’s proposed changes to the regime for subject access requests. The largest proportion of complaints the ICO receives from the public are about subject access requests. If the government makes changes, there must be safeguards to ensure that everyone, whatever their circumstances, is able to exercise this right.
In some cases, organisations may identify that their processing poses a high risk to people that they are unable to reduce. At the moment, they are required to consult with the ICO before that high risk processing takes place. The ICO thinks that the threshold for such consultation could be made more agile, but if the requirement were removed altogether, the unintended consequence could also be that the ICO will need to fall back on its formal investigative approach to address any potential harms from such processing.
There are a number of proposals in the consultation that would enable greater re-use or re-purposing of data. While individually these proposals could bring benefits, the ICO points out that it is important to consider the collective impact of the proposals, which taken together could increase the re-use of people’s data in ways that they may not anticipate or expect.
Ensuring organisations are accountable
The ICO welcomes the intention in the consultation for the government to explore options that would better support certifications as a data transfer mechanism. It also welcomes the proposals to require an organisation to try to resolve complaints before they are referred to the regulator and introduce a proportionate requirement for organisations to report on the nature and volume of complaints they receive. It is crucial to retain in law the requirement that organisations should be both accountable and able to demonstrate accountability.
The government proposes to remove or amend the requirement to appoint a data protection officer. The ICO says that the current requirements for appointing a DPO are overly prescriptive and can be challenging for organisations. However, the introduction of DPOs has brought significant experience and professionalism to data protection compliance. The government also proposes changes to the requirement to carry out data protection impact assessments - it is important that the government retains a reformed requirement to consult the regulator about the impacts of high-risk processing.
The ICO supports the proposal to introduce compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors using public data. However, it thinks that the government still needs to provide more detail on the proposals to allow organisations to use data more freely by developing a safe regulatory space for responsible development, testing and training of AI.
While the UK can now change its laws, it does not exist in a vacuum. The government needs to ensure that data protection laws are aligned with best practice rules overseas, as well as facilitating data transfers for businesses.
Maintaining an effective and independent regulator
The ICO welcomes the proposals in the consultation to strengthen its supervision and enforcement powers. It also supports clear statutory objectives for the ICO and a clear parliamentary articulation of the ICO’s regulatory framework. However, some of the proposals risk undermining the independence the ICO needs to carry out its responsibilities under both data protection and freedom of information legislation to oversee government and the public sector. The regulator also needs to be independent for the UK to secure future global trade deals and adequacy agreements.
Giving the Secretary of State the power to approve or reject codes of practice and complex or novel guidance would reduce the ICO’s independence. It would also reduce regulatory certainty for organisations and wider trust and confidence in the ICO’s guidance. It could also lead to more legal challenges, such as judicial review. In such challenges it would need to be clear who the respondent would be in the context of a challenge to guidance that the Secretary of State had determined. The ICO says that, as an independent regulator, the ICO should be able to issue its own guidance, with a commitment to take account of the views of stakeholders and the impact on economic growth. The proposal also reduces the ability of government to effectively hold the ICO to account. The proposal for the appointment of the Chief Executive does not sufficiently protect the ICO’s independence either.
The ICO is open to the proposals to expand its role to take on the functions of the current Biometrics Commissioner and Surveillance Camera Commissioner.