In Part 1 here, we gave an overview of the five chapters of "Data: a new direction", a consultation paper published by the Department for Digital, Culture, Media and Sport (DCMS), and the proposals it contained for a re-framing of data protection law in the UK post-Brexit, as well as explaining the background to these reforms.
In this Part 2, we dive deeper into the detail of a key selling-point of the DCMS paper – Reducing burdens on businesses – and consider how it might apply to a wide range of clients, including those in the not-for-profit sector. We will follow up with shorter, more focused bulletins aimed at individual sectors and, where appropriate, encouraging engagement in the DCMS consultation (which closes on 19 November 2021).
Reducing burdens: by diluting the accountability principle?
This section considers the key implications of the proposals in Chapter 2 of the DCMS paper, titled “Reducing burdens on businesses and delivering better outcomes for people”. As will become clear, DCMS’ focus is largely on the former; whereas the ICO’s response to this chapter sounds various notes of caution in its commentary.
The accountability principle introduced by the GDPR is a laudable one. In essence, it requires that organisations bear responsibility for the data they hold and show that they build privacy into their processes. They must also be accountable to individuals (for example, by facilitating data subjects’ rights) as well as to regulators (by keeping comprehensive records of data processing activities). It can however create uneven burdens on organisations of differing resources, many of whom do not seek to exploit data commercially (but may, by their nature, either hold more sensitive categories of data or foster more in-depth personal relationships with data subjects).
The UK GDPR does already apply slightly different rules of accountability according to the size of the organisation and the scale and nature of their processing: for example, in terms of needing to keep records of processing activities, or being required to appoint a DPO (see below). An organisation’s available resources will also be a factor in how far the ICO expects them to go in complying with subject access requests; or it can affect what would be considered appropriate data security measures for that organisation. And an organisation’s size will determine their level of data protection fee payable to the ICO.
However, data protection compliance can still disproportionately affect certain organisations, and many businesses (rightly or wrongly) perceive it as red tape and a drain on resources. DCMS’ paper seeks to tackle these concerns, and, in our view, its proposals are aimed at most of the right targets.
Doing away with DPOs
Many organisations have experienced confusion as to whether they need to appoint a Data Protection Officer (DPO), and / or what the job description and title for their data protection lead should be. As such, it is perhaps inevitable that reformers would see this as low-hanging fruit, with the role set to be amended if not abolished. The ICO, for its part, recognises the scope for reform in this area – and the case for empowering more organisations to determine themselves how to assign data protection responsibility within their staff. However, it does suggest DPOs still have a role to play and emphasises the value of what is “now a well-developed and skilled profession”.
A new approach to DPIAs
Another area where the ICO does not want to see important privacy protections being lost concerns the Government’s intention to do away with the requirement, imposed by the GDPR in certain circumstances, to conduct a Data Protection Impact Assessment (DPIA). Instead, it proposes more general requirements to identify and minimise data protection risks “in a way that best suits the organisation” – ie flexibility, not formality – while stressing that any existing DPIAs would still have value. The ICO, however, is “concerned that this reform could undermine a generally positive direction of travel”.
We would agree with the ICO that the DPIA can be a simple and effective tool providing checks and balances, and which often does not require huge formality: certainly in cases where the risk to privacy is lower or can be readily mitigated, the process of conducting a DPIA can still be valuable without being burdensome. An interesting insight in the ICO’s response is that, in the comparatively rare instances where organisations consult with the ICO over their DPIA (in accordance with Article 36 UK GDPR, having deemed the residual risk to be high), the ICO recommended changes in one in four instances.
This is proof, the ICO say, not that innovation is being stymied – in each case, the project or process went ahead, suitably adjusted – but that the consultation process adds value and, in many cases, does a service to the public by mitigating higher risk activities. However, the government paper suggests ditching the obligation to consult in such circumstances. Given that the obligation only arises where there is an irreducible high risk identified, it does seem that this proposal unduly errs on the side of reducing the burden where the highest-risk activities are concerned, rather than the day-to-day processing of ordinary businesses and not-for-profits.
It is little wonder, all things considered, that the ICO has asked for more detail from Government as to how it proposes to replace DPIAs.
Raising the bar for reporting data breaches
Greater consensus can be found in proposed reform to the area of data breach reporting – by raising the threshold for reporting (ie requiring a degree of materiality to the risk), and hence avoiding the cost and confusion of unnecessary reporting. The issue has already been considered in this article.
Stemming the flow of subject access requests
Perhaps the point of greatest interest for many controllers will be subject access requests (SARs).
Any discussion of reform of the SAR regime could easily be an article in itself, but the key proposals concern (i) consultation on amending the threshold to refuse to respond to SARs where they are vexatious and / or the purpose of the request goes beyond an individual exercising their data protection rights (for example, a fishing exercise for use in litigation) and (ii) the re-introduction of a fee (which was previously £10 under the Data Protection Act 1998) as a deterrent to spurious use of the right, and / or introducing a cost ceiling (likely to be more comparable to the £450 – £600 model applicable to Freedom of Information (FOI) requests) in order to place a knowable cap on the expense a controller would have to incur.
The proposal in (i) is broadly to be welcomed, although it arguably continues an existing direction of travel since the ICO updated its detailed guidance on subject access last year.
The ICO is less keen on asking requesters for fees, mainly because it would unduly penalise those with least resources who may be most at risk. The purpose of the GDPR doing away with the fee mechanism was to remove any barrier to assert what is considered a fundamental right of citizens under EU law. However, what may be interesting in practice is the application of a cost capping regime. As proposed by DCMS, it would not be a basis to refuse wide-ranging requests, but would rather empower controllers to go back to data subjects and explain what they can actually expect to receive for, say, £500 worth of staff hours.
If so, by requiring requesters to be targeted and proportionate, that would swing back the balance considerably in favour of controllers. Whether it better reflects the original intention of this right – namely, to make controllers accountable to data subjects for the personal data they hold – is a valid academic debate, but most organisations will gladly overlook the philosophical issues if it spares them the cost and stress of dealing with wide-ranging SARs.
Where the ICO still needs to be convinced is in the mechanism for safeguards and oversight. It currently deals with more SAR complaints than it can manage (these comprised almost half of the issues referred to the ICO in 2019/20), but under the FOI regime a requester can readily and freely appeal to the ICO when requests are refused as vexatious or the cost limit is applied. How, in practice, would the ICO be able to regulate this on a larger scale?
Wherever the DCMS reforms land, however, it does appear that there will be a reining-in of the accountability requirements in favour of something more light-touch for controllers. And that is, largely, to be welcomed.
Cookies and direct marketing rules
The Privacy and Electronic Communications Regulations 2003 (PECR) – from which we derive our consent rules on cookies and direct marketing by email, SMS and telephone – were never part of the GDPR. The introduction of the GDPR in 2018 did however make the rules more onerous, by imposing a stricter standard of consent. PECR, although it has since been updated more than once by statutory instrument, implemented a 2002 EC Directive – one which has still not been replaced, despite a proposal for an "e-Privacy" Regulation being debated since 2017. DCMS has now proposed tidying up two areas where it is widely considered not fit for purpose.
Relaxing the rules on Cookies
DCMS proposes relaxing the rules about website cookie pop-ups and when consent is required to set cookies on a user’s device. For its part, the ICO concedes that the current approach to cookies is not effective for website operators or their users, who for the most part neither engage with consent wording nor find the ‘acceptance’ mechanism user-friendly.
This seems entirely sensible and overdue, although whether it marks a real divergence from any future EU e-Privacy Regulation (which may affect the UK’s adequacy decisions) will only be seen in the detail of the proposals. The issues DCMS’ proposals deal with (ie that it would be preferable for analytics cookies not to require consent, and for there to be some umbrella alternative to endless individual web-browser pop-ups) are well-recognised, including by the ICO and by the law-making bodies of the EU.
The real issues in this area concern not functional or analytics cookies but more complex AdTech which uses similar technologies for more impactful purposes such as real-time bidding (RTB) for targeted ads. Whilst the ICO has consulted on this issue, and drawn some conclusions which some consider not to be business-friendly, the DCMS paper does not go any way to engaging these points beyond setting out a representative example of how certain AdTech works (and the ICO has not responded on this point). It does however invite proposals more broadly.
Extending the "soft opt-in" mechanism
Under PECR, "soft opt-in" is a means of lawfully justifying sending electronic direct marketing on an ‘opt-out’ basis, as an alternative to otherwise strict consent rules.
It currently applies: (i) provided an opt-out is offered clearly from the outset, (ii) where the sender or instigator of the message has obtained the data of the person in the course of a sale (or negotiations for a sale) of goods or services, and (iii) requiring that all subsequent messages to the recipient are for similar goods and services of the same sender / instigator.
As such, and on a technicality, it is currently only available to commercial businesses looking for sales – because marketing or promotion sent by non-commercial organisations (charities or political parties), or indeed fundraising appeals or non-commercial news updates sent by any person (including schools and universities), do not meet the criteria above.
Closing this gap would be very significant (going forward, at least) for UK charities, membership bodies and other not-for-profits, which are currently required to obtain clear opt-in consent from anyone they wish to contact by electronic means for promotional purposes.
Importantly, the ICO is not averse to this expansion of the "soft opt-in" to charities, and even asks whether it ought to cover fundraising communications specifically – given that this was an area of intense ICO enforcement activity from 2015 to 2017. However, less promisingly, the ICO is also clear in its response that the three necessary elements of the test set out above must be met: meaning it is unlikely the ICO would look kindly on any not-for-profits trying to claim the right to rely on soft opt-in with retrospective effect on their existing databases, if the process of collection did not meet the soft opt-in criteria at the time.
Whilst we are a step further on in understanding how realistic the DCMS paper’s proposals are, now that the ICO has responded, we still lack a road-map to when these issues may be legislated and which proposals will survive.
The short consultation period – ending on 19 November 2021 – suggests a department in a hurry. What is clear is that there is the political will (and Parliamentary majority) to push these reforms through comparatively quickly, perhaps prioritising one or two “slam dunks” (eg by way of statutory instrument, similar to how the Data Protection Act 1998 was updated in the years immediately following its implementation) rather than moving immediately to a wholesale reform of the UK GDPR. After all, thus far the rhetoric has concerned “building on” the current regime rather than setting it alight – all of which will make it politically easier for the European Commission not to withdraw and review the current UK adequacy decisions at the first sight of actual legislative reform, which it has expressly asserted its right to do.
One of the most intriguing (and nuanced) questions, however, is whether organisations can responsibly adapt their own data protection practices in light of this direction of travel – and whether the ICO may ease up its approach to enforcement in areas which it knows the Government has prioritised.
Applying all due caution, controllers must bear in mind two realities here: that the black-letter law remains materially the same as it has been since 25 May 2018 (with the additional friction around personal data transfers under EU rules); and the ICO, as a regulator, remains – in theory at least – sufficiently independent to determine its own enforcement targets and priorities, without looking over its shoulder at what DCMS is suggesting the law should be like in the future.
Enforcement has, in many cases, taken a back seat during the pandemic – meaning it is risky to draw too many conclusions on what those priorities would look like under normal service. Whilst the ICO still takes no action in the majority of cases referred to it, it is clear from recent fines over direct marketing that it remains prepared to adopt the strictest and most dogmatic views on liability where it considers the matter should be taken seriously; and the last two years have seen a pattern of fewer data breach fines, but at a higher level (British Airways, Marriott and Ticketmaster at £20 million, £18.4 million and £1.25 million respectively).
However, and looking in particular at the ICO’s response to DCMS’ proposals, it is fair to say that it would be a surprise for the ICO suddenly to ramp up its interest in certain areas – subject access disputes, or charities’ newsletters, or non-intrusive cookies – where the prevailing winds suggest these ought not to be enforcement priorities. Similarly, we do not expect the ICO to regulate international data transfers overzealously when it has always been more relaxed in this area than certain of its European counterparts, and all indications are that this will continue to be the direction of travel in the UK (though this may not assist those who do business involving data with counterparties in the EU).
In any event, we are at a moment of transition in personnel. Oliver Dowden MP, whose name was closely associated with "Data: a new direction", has handed over his ministerial position at DCMS to Nadine Dorries: but she is not at this stage a likely candidate to throw UK policy back into the arms of EU lawmakers. Similarly, John Edwards (the new Information Commissioner) was introduced by Mr Dowden as the “ideal candidate” for the “new era” of data-driven growth and innovation, post-Brexit. His first statement as preferred candidate suggests a man on-message: “I look forward to the challenge of steering the organisation and the British economy into a position of international leadership in the safe and trusted use of data for the benefit of all”.
Still, data controllers and practitioners will be awaiting with interest his first significant statements on policy and enforcement before we can judge the type of Information Commissioner he will be – and, perhaps, deciding whether it is responsible to prioritise some aspects of compliance over others, pending the reforms that his tenure will likely oversee.
If you require further information about anything covered in this briefing, please contact Owen O'Rorke or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, October 2021