As we wrote about in a two-part update last year (see here and here), the Government published a consultation paper in September 2021 called “Data: A new direction”, which set out a number of proposals for reforming data protection and privacy laws in the UK. The Information Commissioner’s Office (ICO) published its response to the DCMS consultation paper in October 2021, and over 2,900 other respondents – including this law firm – made a formal response by the mid-November deadline. Last week, on 17 June 2022, DCMS published the consultation outcome with details of changes to UK data protection laws which will be included in a Data Reform Bill later this year.
This article considers some of the key changes that the Government will now take forward – and areas where, taking consultation responses into account, the Government has decided to leave things as they are. In summary, the proposed reforms are evolutionary rather than revolutionary, and in some areas are a victory for common sense. However, questions remain over the status of the UK’s “adequacy decisions” (ie the European Commission’s decisions that the UK is a safe place to send personal data) as the UK’s data protection regime starts to diverge from privacy laws in the EU.
The DCMS paper is divided into five sections, which form our headings below.
1. Reducing barriers to innovation
The DCMS consultation paper had said that the Government wants to shape data laws to enable “innovative uses of personal data” in the fields of science and technology, including artificial intelligence. This was met with wide support from consultation respondents, including the ICO. The reforms which will now be made include:
- Introducing a new statutory definition of “scientific research” (but there will not be a new lawful ground for processing for research purposes) – and the Council of Europe’s test for anonymisation will also be adopted into UK legislation;
- The Government will create a limited, prescriptive list of legitimate interests for which organisations can process personal data without having to carry out the usual balancing test (weighing the organisation’s own or a third party’s interests against the privacy rights of the data subjects) – although this will be a narrower list than originally proposed in the DCMS consultation paper; and
- The right for individuals not to be subject to automated decision-making (Article 22 GDPR) will survive but it will be re-cast as "a right to specific safeguards, rather than as a general prohibition on solely automated decision-making".
2. Reducing burdens on data controllers
This section of the consultation / outcome paper is likely of most practical interest to UK organisations. It confirms that:
- The accountability framework will be reformed, with risk-based “privacy management programmes” replacing the formal GDPR requirements on record-keeping, the designation of “data protection officers”, the conduct of data protection impact assessments, and prior consultation with the ICO for “high risk” data processing;
- The (Article 33 GDPR) threshold for reporting personal data breaches to the ICO will not be raised, meaning that it will still be necessary to report a personal data breach unless it is unlikely to result in a risk to the rights and freedoms of the affected individuals;
- There will not be a cost ceiling for complying with subject access requests, and there will not be a return of the nominal fee (which was £10 under the Data Protection Act 1998) but the “manifestly unfounded or excessive” concept will be changed so that organisations can refuse or charge fees for responding to requests which are “vexatious or excessive”;
- Consent requirements for all types of cookies (under Regulation 6 PECR) will be removed “in the future… once automated technology is widely available to help users manage online preferences”. In the meantime, opt-in consent will no longer be required for “non-intrusive” cookies, including analytics cookies: website operators will instead be able to rely on their legitimate interests, rather than the user’s consent, to set such cookies;
- The “soft opt-in” rule will be extended to electronic direct marketing sent by non-commercial organisations (including political parties), meaning that charities and not-for-profit organisations will be able to send promotional emails to existing supporters who have not opted out, without needing the recipient’s consent, in the same way that commercial organisations can currently market to their existing customers; and
- The ICO will have expanded powers to enforce the PEC Regulations (including the cookies and direct marketing rules) and the maximum PECR fines will increase to UK GDPR levels (ie up to £17.5 million or 4% of annual worldwide turnover, whichever is higher).
3. Easing international data flows
Since leaving the EU, the UK has benefited from European Commission “adequacy decisions” (adopted in June 2021) which essentially declare the UK a safe place to which personal data can be transferred; and the UK has made several of its own “adequacy decisions” which confer the same status on selected countries and territories, including the EU and EEA states. The Government’s ambition is now to progress more adequacy assessments – taking a risk-based approach – to support trade and make the UK “the most attractive global data marketplace”.
The Government will reform the DCMS Secretary of State’s powers to make “adequacy decisions” and will formally recognise “alternative transfer mechanisms”. In making adequacy decisions the Secretary of State will be able to take into account the “desirability” of international data flows, and the current requirement to review those decisions every four years will be removed.
4. Delivering better public services
The DCMS consultation paper also included a number of proposals intended to “improve the delivery of government services through better use and sharing of personal data”. In this area, the Government has confirmed that:
- There will be express clarification that non-public sector bodies delivering services to a public authority can “piggyback” on that public authority’s lawful basis for data processing (ie so that the service provider’s processing is also in pursuit of a public task);
- The Government will add some more substantial public interest grounds for processing special category data to Schedule 1 of the Data Protection Act 2018 (but the Government will not add a definition of “substantial public interest”); and
- Key terms used in part 3 (law enforcement processing) and part 4 (intelligence services processing) of the Data Protection Act 2018 will be made more consistent with the GDPR.
5. Reforming the Information Commissioner’s Office
Finally, the Government will implement many of its reforms of the ICO, including:
- The establishment of an independent Board and Chief Executive, with certain appointments made and targets set by the Government (with powers vesting in that new body corporate, rather than in the individual who is appointed as the Information Commissioner);
- The creation of a new statutory framework setting out the ICO’s strategic objectives and duties, including new duties for the ICO to have regard to “economic growth and innovation”, and to “competition issues” (but the Government has abandoned its proposal to introduce a new power for the DCMS Secretary of State to initiate an independent review of the ICO’s activities and performance);
- The ICO may be required by Government to appoint panels of experts and publish impact assessments when creating codes of practice / statutory guidance, and the DCMS Secretary of State will have the power to approve codes of practice and statutory guidance before they are laid before Parliament;
- The criteria the ICO can use to determine whether to pursue a complaint will be clarified in legislation, to “enable the ICO to take a more risk-based and proportionate approach to complaints”; and
- The creation of a new power for the ICO to commission a technical report to assist with the investigation of suspected breaches of the legislation.
While a number of these proposals will be welcomed by data controller organisations in the UK, there will be a sense of frustration in some quarters (for example, because there will still be no statutory limit on the costs that an organisation must incur in responding to a subject access request) and a sense of unease in others (for example, the raising of the fines for PECR offences to GDPR levels will concern organisations who question the basis on which recent ICO direct marketing penalties have been issued).
Affecting virtually all UK stakeholders, though, is the potential impact that these changes, perhaps especially those changes concerning the independence of the ICO, could have for the UK’s ‘adequacy decisions’ – which are due for review (and, hopefully, renewal for another four years) by 27 June 2025. Interestingly, though, the Information Commissioner John Edwards has expressed his support for the Government’s reforms and even commented that “The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator...” We hope that the European Commission agrees – and that the data protection reforms, once implemented, do strike a fair balance between innovation, a reduced compliance burden, and individuals’ privacy rights.
If you require further information about anything covered in this briefing, please contact Alan Baker or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2022