Background: how did we get here?
Only three and a half years after the EU’s General Data Protection Regulation (EU GDPR) came into effect, bringing with it a compliance overhaul for many organisations, the signs are now clear that the UK Government intends to diverge from the EU GDPR and shake up the legal framework that has been in place since May 2018.
Ministers put us on notice back in February 2021 that the Government proposed to “set a bold new approach” to data protection in the post-Brexit landscape, building on the National Data Strategy published by DCMS (the sponsoring department for the ICO) in late 2020.
As of now, the substance of EU law still prevails in the suite of UK laws regulating data protection. Principally, these are: the retained UK version of the GDPR (UK GDPR); the UK’s own Data Protection Act 2018 (DPA 2018), which was itself built around a framework of necessary and/or permitted derogations from the GDPR; and 2003’s Privacy and Electronic Communications Regulations (PECR), derived from an earlier European Directive (2002/58/EC) on direct marketing and cookies (and which still awaits reform at an EU level).
It is this continuity and close alignment with EU law that secured the UK’s (conditional, and time-limited) "adequacy decisions" adopted by the European Commission on 28 June 2021 – the relevance of which is considered further below.
On 10 September 2021, in his parting shot as the Secretary of State for DCMS, Oliver Dowden MP signed off on a 146-page consultation paper called Data: A new direction. In his Ministerial foreword, the outgoing minister hailed the importance of data in the modern world, but labelled aspects of the current data protection regime “unnecessarily complex or vague”.
The DCMS paper (supported also by a 28-page impact analysis) outlines various proposed reforms to UK data protection laws. Whilst stressing the Government’s commitment to high data protection standards, the paper’s focus is more on the economic and societal opportunities from the harnessing of data, rather than the associated privacy risks.
It is, put simply, a more permissive approach: one which would distinguish the UK regime from the EU GDPR, and some of the perceived burdens that come with it, now that – in domestic terms – the UK is free to make its own rulebook. Some have expressed real concern in this regard: the Financial Times, for example, criticised the UK’s “risky rush to cut Brussels rules”.
On 7 October 2021, however, when the ICO published its 89-page response to the DCMS consultation paper, it took the form of a cautious welcome to the paper: albeit pushing back on certain proposals, and raising flags in respect of others. For outgoing Information Commissioner Elizabeth Denham, it was – mirroring Oliver Dowden’s legacy – one of her last significant acts in the role, before New Zealand’s Privacy Commissioner John Edwards takes her place at the end of this month.
Our initial view
It would be easy to be cynical about the political reasons driving this initiative. However, the fact is that many of the changes proposed are genuinely constructive for both businesses and not-for-profit organisations. While undoubtedly lacking detail in some critical areas, the DCMS paper does not come across as a rush job for quick political capital, but rather (in the main) as thorough, thoughtful, and commercial in its scope.
Each of us is also a data subject, with rights and reasonable expectations as to the high standards to which organisations should be held in using and safeguarding our data. However, the paper seems to us to maintain a sensible focus on those aspects of the current law, as aligned with the EU GDPR, where the burden on controllers can be disproportionate to the benefits to individuals. This intention will come as a relief to many of our clients.
Like the ICO, we have our caveats: some areas where the proposals may be aspirational rather than practical, and others where there is a risk of being too "controller friendly" at the expense of data subjects’ rights. But if any controller clients had put together a wish-list of priority issues they might want to change about data protection law – short of dispensing with it altogether – then they may find these are all present and correct.
Accordingly, we intend to send out in the coming days a series of articles aimed, sector-by-sector, at the specifics of change that may affect our clients – and indeed, where it may yet be worth making submissions to the consultation before it ends on 19 November 2021. Our litigation colleagues have already put out an initial review of the impact on enforcement.
The purpose of this article and its follow-up companion piece is to provide a framework overview of the areas under proposal, and a brief summary of the ICO’s position in response. (For those wishing to understand the ICO’s specific role in the consultation, this is set out in the Executive Summary to its response to the DCMS paper).
"Reducing barriers to responsible innovation"
The Government says it wants to shape data laws to enable “innovative uses of personal data” in the fields of science and technology, including artificial intelligence. The ICO is generally supportive of this – whilst emphasising the need to consult universities and other expert stakeholders involved in research.
The ICO appears to accept the Government’s case to clarify the rules about processing for research purposes. Whilst the GDPR sought to accommodate research by both applicable processing grounds and exemptions – subject to various safeguards – that in theory enable the re-purposing of such data for legitimate research and statistical aims, these rules are somewhat unwieldy in practice for organisations to put into effect. One area set to be clarified is when personal data can be deemed to have been effectively anonymised.
More generally, the DCMS paper notes the difficulties faced by some organisations hoping to rely on the "legitimate interests" ground for processing. One of the more ambitious aspects of the Government’s proposals is therefore to create a “limited, exhaustive list of legitimate interests” for which personal data can be used without the need to balance the interests of the organisation, and others, against the privacy rights of the data subjects (generally known as a “legitimate interests assessment”).
So, is this a short cut to compliance? The ICO prefers to take the view that “in fact, this proposal does not remove the need to undertake an assessment. Rather, it moves the responsibility for doing the relevant thinking from the business to Government” – and in due course, Parliament. For want of a better term, this is a policy of "oven-ready" legitimate interests. How limited the list will be, we cannot yet tell: but there is no indication from the paper that it will be restricted to research uses, and it may extend to commercial activities.
In addition, this section of the paper takes an honest look – echoed by the ICO – at how the much-misunderstood GDPR concept of “automated decision making” is working out in practice. It places the issue in the framework of concerns, and opportunities, around Artificial Intelligence (AI) and machine learning – potentially a further interesting area of divergence from EU law, given the intention of the EU (announced in April 2021 by way of a draft proposal) to regulate this technology in a manner similar to the GDPR.
"Reducing burdens on businesses"
This chapter of the DCMS paper is also strategically branded “…and delivering better outcomes for people”. Whilst due consideration is given in the proposals to the rights and impact on individuals, there is little doubt that the focus of the chapter is on cutting perceived "red tape" and reducing the scope for organisations to incur disproportionate costs.
This is a familiar mantra long used to argue against EU regulation: and, without comment on the realities of Brexit so far, data protection law is arguably one area that truly lends itself to delivering on this promise. Perhaps for this reason, when it comes to potential reforms of greatest interest to data controllers, this chapter provides the most talking points – covering as it does accountability, subject access, data protection impact assessments, data protection officers (DPOs), cookies and direct marketing.
Accordingly, we deal with this chapter in a stand-alone bulletin here.
Of huge importance to these proposed reforms – indeed, the elephant in the room – is whether the extent of proposed divergence could lead the UK to lose its EU adequacy decisions which underpin the free flow of personal data between the UK and the EU/EEA bloc, in respect of both commerce and national security. Uniquely, the UK’s adequacy status is subject to a "sunset clause" (the decisions will automatically expire four years after their entry into force, on 27 June 2025) – and the European Commission has stated it will continue to monitor the legal framework in the UK and could intervene at any point if the UK deviates from the level of protection currently in place.
Understandably, the Government’s proposal instead frames the reforms in terms of global opportunity: this chapter is titled “Boosting trade and reducing barriers to data flows”. It focuses on how the UK may capitalise on its independent status in pursuit of commercial opportunities with data – including “having the freedom to strike our own international data partnerships with some of the world’s fastest growing economies” – in order to make the UK “the world’s most attractive data marketplace”.
This means, in practice, relaxing some of the strictures associated with the international transfer mechanisms imposed by EU law: not just by the GDPR itself, but also the CJEU’s 16 July 2020 decision in Schrems II and the European Data Protection Board’s guidelines on how to comply with it (which have been a substantial complicating factor in any attempts to place reliable contractual protections on transfers to the US and elsewhere). The DCMS proposal sees more individual discretion handed back to private organisations in terms of risk-based decision-making and a focus on "real-world outcomes" rather than on-paper compliance. This includes a greater role for broader derogations from the usual rules than the UK GDPR allows, and scope for new alternative transfer mechanisms.
All this comes at a time when the ICO is, in parallel, consulting over its own proposals for UK standard contractual clauses (the International Data Transfer Agreement, or IDTA) and accompanying guidance, which includes a proposed short UK addendum to the EU’s recently-adopted GDPR Standard Contractual Clauses. The European Commission has yet to offer any official view on these documents; meanwhile the ICO’s response to the DCMS paper’s proposals in respect of reform in this area has been careful, cautious and political. It shows willing to engage in all aspects of these proposals, whilst requesting more detail, and quietly emphasising the stability and certainty brought to UK trade by the EU’s recent positive adequacy decisions (without directly indicating any risk to these from the new proposals).
In what may seem like a paradigm for Britain’s post-Brexit trade ambitions generally, the same aspects of these reforms that may make the UK regime more attractive for global data partnerships – and with the benefit that geographical distance is less critical in this area – are likely to prove counter-productive in terms of data flows with the EU/EEA bloc. The expected easing and cost-saving would only be of benefit to data transfer arrangements out of the UK. However, many organisations will already have significant transfer arrangements in place across Europe which will likely need revisiting and, in some cases, total re-assessment if material divergence occurs.
While organisations of all sizes have been impacted by COVID-19, use of personal data played a significant role – and broadly a positive one – in responses to the pandemic. Research went into overdrive, large datasets were collected, and by and large data subjects have been understanding of the need for their health data to be used in new and unexpected ways to combat the threat to public health and the economy.
At the same time, private employers suddenly faced new and tricky questions about testing, collecting and retaining health data, and vaccination status: so too schools, universities, charities, sports clubs, membership organisations, and many others.
Among proposals in this Chapter concerning trust and transparency in governmental use of data and technology, which will be of more interest to individual data subjects than to private organisations, there are certain proposals intended to broaden the lawful grounds by which private companies and organisations may use health data for purposes connected with public health crises. This could include, for example, "piggybacking" on both the lawful conditions (legitimate interests or otherwise) and the impact assessments used by public bodies “when they have been asked to undertake the processing by government departments in order to assist the delivery of public tasks” – namely, dealing with the imposition of new government rules and regulations during public health emergencies.
There is always a risk in rushed legislation in response to a crisis, and safeguards will clearly be necessary: but most organisations will be glad of one less thing to worry about during a pandemic when trying to prioritise staff and public health.
Reform of the ICO
The area where the ICO has pushed back on DCMS’ proposals most firmly, unsurprisingly, is over the question of its independence from Government. This is an internecine struggle of less interest to those on the ground, at least at this stage – although it may ultimately have far-reaching consequences in terms of how the law in this area is enforced and how codes and guidance are mandated.
At the same time, the ICO has – with equal predictability – welcomed wider enforcement powers (including bringing fines for direct marketing breaches in line with GDPR levels). One idea floated in the DCMS paper which greatly favoured the regulator was a proposal to set out specific criteria by which the ICO may exercise its discretion over which referrals or complaints it is obliged to follow up or investigate.
Some might say the ICO showed commendable restraint in its response by not biting Oliver Dowden’s hand off over this particular proposal, given its overload of case-work (and its current obligation to look into everything, no matter how petty). The ICO instead made all the right noises about carefully defining these criteria to ensure people’s rights were not adversely affected: however, it must have been privately delighted at this prospect.
Linked to this is the proposal to formalise the expectation that controllers and individuals sort out issues privately wherever possible, and for controllers to have more defined data complaints processes that data subjects can pursue first before involving the regulator. This is, arguably, an outlier in terms of DCMS policy proposals because it is likely to increase the burden and accountability on controllers in this area; but in a sense it is only a continuation of the ICO’s unofficial policy approach to dealing with minor issues and private squabbles during the pandemic.
More generally, DCMS has approvingly recognised the ICO’s increased focus on "upstream" or proactive support and guidance for organisations (rather than enforcement). However, the ICO gives a mixed response to new proposals influenced by other regulators at home and abroad: for example, it welcomes an FCA-style power to commission an independently-produced expert report into data protection failings by controllers, and to compel witnesses to give statements. By contrast, it has clear concerns about the proposal for a “voluntary undertakings process” (an idea imported from Singapore) whereby a controller would self-identify potential breaches or failures in accountability, and provide a remedial action plan to the ICO to approve or comment on, in lieu of any enforcement activity. The ICO, for its part, suggests it would rather retain discretion about which matters it has the power to investigate or enforce.
If you require further information about anything covered in this briefing, please contact Owen O'Rorke or your usual contact at the firm on +44 (0)20 3375 7000.
© Farrer & Co LLP, October 2021