The UK Government has published a consultation on reforms to the data protection regime in the UK. The consultation is open for responses until 19 November 2021. In this article, we focus on the parts of the Government’s proposals for reforms relating to data breaches and enforcement.
In broad terms, the Government considers that the EU’s General Data Protection Regulation (the EU GDPR), which the UK has adopted almost word for word post-Brexit in the UK GDPR, adopts too much of a “red-tape” and “tick-box” approach to compliance. At the same time, the Government wants to maintain high data protection standards to create public trust in the use of personal data by organisations.
Data security breach reporting
In balancing those objectives in terms of enforcement, the Government’s suggested approach is perhaps best illustrated by a proposal to adjust the data security breach reporting requirements. Currently there is an obligation to report a breach to the Information Commissioner’s Office (ICO) if there is a risk to data subjects’ rights arising out of the breach. The proposal is to change this to a requirement to report only those breaches that represent a material risk to data subjects. This is to deal with a perception of over-reporting of data security breaches to the ICO. The latest figures in the ICO’s Annual Report for April 2020 to March 2021 back this up to some extent. There were 9,352 data security breach reports in the period (down from 11,854 in 2019/20). No further action was taken in just over 74 per cent of them. However, a not insignificant number involved some form of follow-up such as an investigation (21.6 per cent) or informal action (3.9 per cent). Only three fines were issued for data security breaches, but they were significant, totalling £39.65m (issued to British Airways, Marriott and Ticketmaster for £20m, £18.4m and £1.25m respectively).
If this more relaxed reporting regime is adopted, organisations will still need to have regard to stricter reporting regimes in other jurisdictions where individuals might be affected, such as in the EU. This may mean that organisations are tempted to report to the ICO anyway in borderline cases where it is not clear that the new UK threshold is met, but the EU one undoubtedly is.
The Government also wishes to re-focus the work of the ICO. It wants the ICO to move away from handling a high volume of low-level complaints towards addressing more serious threats to public trust around data. In 2020/21 the ICO received 36,607 data protection complaints from individuals (slightly down from 38,514 complaints in 2019/20). The Government’s wish is for the ICO to devote more resources to supporting organisations that want to innovate responsibly and tackling poor practices.
In order to reduce the number of low-level complaints the ICO handles, the Government proposes to introduce a requirement in most cases for the complainant to attempt to resolve their complaint directly with the data controller before lodging a complaint with the ICO. This will be complemented by an obligation imposed on data controllers to have a simple and transparent complaints-handling process in place. In addition, the Government proposes to issue legislation to establish the threshold for when the ICO is obliged to pursue a complaint. Currently, the ICO is obliged to look into all complaints it receives.
To further streamline how complaints are resolved, the Government is proposing to follow a model adopted in Singapore whereby regulatory action following a data breach can be dealt with via a voluntary undertakings process. Under this model, the data controller will propose a plan to the ICO to remediate a breach, backed by an undertaking to implement it. If the ICO approves the remediation plan, then no further regulatory action will be taken.
Enhanced enforcement powers
In two main respects, the Government is proposing to increase the ICO’s enforcement powers.
The first involves a new power for the ICO to commission an independent technical report to inform its investigations into an organisation's activities. For example, if the ICO is not satisfied that an organisation has sufficiently investigated the causes of a data security breach it could commission its own technical report. The power is envisaged to be similar to the extensive powers that the Financial Conduct Authority has under Section 166 of the Financial Services and Markets Act, though it would be used in relatively few investigations and subject to clear criteria about when it can be deployed.
The second enhancement of the ICO’s powers relates to nuisance marketing. This is separately regulated under the Privacy and Electronic Communications Regulations (PECR). There were 35 PECR fines, totalling just over £2.3m, issued by the ICO in 2020/21 for nuisance marketing. The relatively low figure is because the maximum fine under PECR is £500,000. The Government is now consulting on whether to bring the maximum level of PECR fines in line with UK GDPR fines, increasing them to 4 per cent of an organisation’s annual turnover or £17.5m (whichever is the higher). This could be significant, given the ICO’s past focus on this area. However, we wait to see if the ICO continues with that focus once the new Information Commissioner (John Edwards) takes office from November.
Reform of data subject access requests
A final point to note relates to data subject access requests (DSARs). There has been a deluge of these since GDPR came into effect in May 2018 and the requirement to pay a fee was abolished. The Government is now consulting on whether organisations should be permitted to once again charge a fee for the costs of responding, no doubt with a view to dissuading some DSARs. The Government references the model for Freedom of Information Act requests (where fees in the range of £450 to £600 can be charged).
More significantly for litigators, the Government is also consulting on whether organisations should be able to refuse to respond to DSARs where the purpose of the request goes beyond an individual exercising their data protection rights, for example, where the individual is seeking to obtain information for use in litigation. DSARs have become an increasingly common tactic in litigation and employment-related claims as a means to obtain early disclosure to support a claim (sometimes in circumstances where a court or tribunal might not require that extent of disclosure as part of its processes).
We will update you as these proposals develop once the consultation closes in November. If you wish to discuss any of these issues in the meantime, then do get in touch with us.
A copy of the full consultation entitled: “Data – a new direction” can be found here.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, October 2021