UK Government Issues Response to its Data Reform Consultation

On June 17, 2022, the UK Government’s Department for Digital, Culture, Media and Sport (“DCMS”) issued a final response (“Response”) to the consultation, ‘Data: a new direction’ (“Consultation”), which launched on September 10, 2021, to receive input from stakeholders on the DCMS proposals to reform the UK’s data protection regime. In its Response, the DCMS indicates which of the proposals it intends to take forward when drafting the anticipated “Data Reform Bill” — a bill with grand aims of growing the economy and improving society by harnessing the power of data. The announced reforms are largely business-focused and aim to reduce compliance burdens. They also aim to reduce barriers to data use for innovation and to international data flows. Further, the DCMS will introduce changes to improve public services and to reform the UK Information Commissioner’s Office (“ICO”).

Background

The Consultation forms part of the UK’s post-Brexit National Data Strategy, which outlines the UK’s agenda to unlock the value of data across the economy by encouraging the sharing of data amongst businesses, government, civil society, and individuals. Having left the European Union, the UK plans to position itself internationally such that it is able to influence the global approach to data sharing and use. In the Queen’s Speech on 10 May 2022, the UK Government announced that it intends to introduce a “Data Reform Bill” before the UK parliament in the next year reflecting the outcome of the Consultation.

The Proposals for Reform

The proposals for reform focus on the following areas: (i) reducing barriers to responsible innovation; (ii) reducing burdens on businesses and delivering better outcomes for people; (iii) boosting trade and reducing barriers to data flows; (iv) delivering better public services; and (v) reform of the ICO. We outline below the key proposals.

  1. Reducing barriers to responsible innovation

The DCMS aims to create more certainty for organizations about personal data use to ensure UK laws keep pace with the development of cutting-edge, data-driven technologies. The proposal include the following:

  • Creating a statutory definition of scientific research, improving clarity and certainty for researchers.
  • Incorporating broad consent for scientific research into legislation, allowing scientific research to use a less specific form of consent when it is not possible to fully identify the purpose of the processing at the point of data collection.
  • Clarifying existing rules on further processing for research by making it clear to organizations how personal data can be re-used lawfully, and giving transparency to data subjects to understand how their data may be reused.
  • Extending the “disproportionate effort” exemption on transparency requirements for further processing for research purposes of personal data collected directly from the data subject.
  1. Reducing burdens on businesses and delivering better outcomes for people

The DCMS seeks to reduce disproportionate burdens on businesses and deliver better outcomes regarding the processing of personal data. The proposals intend to strengthen accountability requirements while providing organizations with more flexibility to find the most effective and proportionate means of meeting the required outcomes; these include:

  • Removing the requirements to undertake data protection risk assessments. Organizations will no longer be required to undertake data protection impact assessments as prescribed in the UK GDPR, but they will be required to have other risk assessment tools in place for the identification, assessment, and mitigation of data protection risks.
  • Removing the requirement to designate a Data Protection Officer (DPO). There will be a new requirement to appoint a “senior responsible individual” who will ensure data protection is established at all levels of the organization but who need not be independent.
  • Removing the requirement to maintain records of data processing activities. Organizations will still need to have personal data inventories, but they will soon have more control over the manner in which they record their activities.
  • Removing the requirement for prior consultation with the ICO on high risk processing. Voluntary prior consultation with the regulator will be made a mitigating factor that the ICO may take into account when taking any enforcement action against an organization.
  • Removing the need for websites to display cookie banners to UK residents. In the immediate term, the DCSM will permit cookies (and similar technologies) to be placed on a user’s device without explicit consent for a small number of non-intrusive purposes. In the future, once automated technology is widely available to help users manage online preferences, the DCSM intends to move to an opt-out model of consent for cookies placed by websites. The opt-out model would not apply to websites likely to be accessed by children.
  • Amending the Privacy and Electronic Communications Regulations’ (PECR) enforcement provisions to bring them in line with the UK GDPR and the UK Data Protection Act 2018.
  1. Boosting trade and reducing barriers to data flows

The DCMS intends to create an autonomous framework for international data transfers that reflects the UK’s independent approach to data protection and that helps drive international commerce, trade, and development. Proposals for reform include:

  • Reforming the DCMS Secretary of State’s adequacy-making power to enable the UK to approach adequacy assessments by focusing on risk-based decision-making and outcomes.
  • Relaxing the requirement for the DCMS Secretary of State to conduct a review of adequacy decisions every 4 years.
  • Creating a new power for the DCMS Secretary of State to formally recognize new alternative transfer mechanisms, providing a route for cross-border transfers of personal data to countries that are not subject to an adequacy decision.
  1. Delivering better public services

Drawing from the lessons learned from the COVID-19 pandemic on the power of using personal data in the public interest, the DCMS seek to deliver better public services through improved use of and access to personal data. Proposals for reform include:

  • Introducing legislation to clarify which lawful grounds for processing are available to organizations under Article 6 of the UK GDPR when they are requested by a public body to help deliver a public task.
  • Clarifying rules on the collection, use, and retention of biometric data by the police.
  1. Reform of the ICO

Finally, the DCMS turns its attention to reform of the ICO. This chapter contains proposals to implement a new, modern governance framework, with an independent board. Proposals for reform include:

  • A new statutory framework setting out the ICO’s strategic objectives and duties.
  • New duties requiring the ICO to: (i) have regard to economic growth and innovation; (ii) have regard to competition issues; (iii) consult with relevant regulators and any other relevant bodies when exercising its duties; and (iv) have regard to growth, innovation, and competition.
  • Setting out in legislation the criteria the ICO can use to determine whether or not to pursue a complaint, providing clarity and enabling the ICO to take a more risk-based and proportionate approach to complaints.
  • Changing the statutory deadline for the ICO to issue a penalty from 6 to 12 months.

Impact on European Commission’s Adequacy Decision for the UK

A widely discussed concern relating to the UK’s data protection reform is the possible revocation of the UK’s adequacy finding by the EU. The European Commission’s adequacy decision regarding the UK contains a “sunset-clause”, limiting the duration of the adequacy decision to four years, and provides for close and continuous monitoring of how the UK regime evolves. If the UK deviates too far from the EU’s standard of protection, it may lose its adequacy status. In its Response, the DCMS states that “it is perfectly possible and reasonable to expect the UK to maintain EU adequacy as it designs a future regime” and that “reform of UK legislation on personal data is compatible with maintaining flows of personal data from Europe”. The UK Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, explained that the DCMS is engaging with the European Commission in regular discussions, including on the new policy paper. The changes proposed by the DCMS appear to be more cautious than expected by some, but it remains to be seen how the EU will react to the reform.

Next Steps

The changes to the UK data protection framework have yet to be converted into a statutory instrument, so there is no need for organizations to take any action at this stage. Moreover, the DCMS has confirmed that organizations that comply with the UK’s current regime will already substantially comply with the future regime. It appears that the UK’s data protection regime will continue to be principally based on the GDPR framework even after the reform, and any additional requirements will be limited. The more flexible and outcome-focused approach to data protection adopted by the UK will be welcomed by UK businesses. That said, given international organizations generally prefer a regional approach to compliance, it is likely that the EU GDPR requirements will continue to be applied to personal data processed in the UK. As a consequence, it is unclear how much impact the reform will have in practice.