The UK Government’s response to ‘Data: a new direction’. What are the plans?

IGS
June 24, 2022

The public consultation, ‘Data: a new direction’, was launched by The Government and ran from September 2021 to November 2021. It presented the development of proposals to reform the UK’s data protection laws, aiming to “secure a pro-growth and trusted data regime”.[1] Over 2900 responses were received from the Information Commissioner’s Office and from organisations in the UK and overseas.

On the 17^th of June 2022, the UK Government published its response to the ‘Data: a new direction’ consultation on reform of UK data protection law[2]. It has a clear ambition: “to establish the UK as the most attractive global data marketplace”[3], aiming to create a framework that empower citizens through a responsible use of personal data whilst giving people transparency over their rights. Furthermore, the reform aims to bring economic and social benefits and to support the country’s commitments on the free flow of data, making the UK an ideal place for data-driven businesses and scientific institutes.[4]

For businesses, the reforms aim to reduce the burden that generally work against the responsible use of personal data. The key goals are proportionality, accountability and a more effective protection for businesses. For instance, making the responsible use of automated decision-making tools easier are associated with economic growth.[5]

What are the main changes in The Government’s response?

Research purposes

There will be a new definition of ‘scientific research’, based on Recital 159 of the GDPR. The Government would not introduce a new lawful basis for research purposes.

Legitimate Interests

The Government proposed the creation of an exhaustive list of processing activities (to prevent crime, to report safeguarding concerns or reasons of public interest) for which the organisations could use personal data with no application of balancing tests. The changes would be subject to parliamentary scrutiny. Data controllers would continue to be required to undertake the balancing test for not-listed processing activities.

Artificial Intelligence and machine learning

No consensus on whether the data protection laws would discuss AI governance fairness issues. A white paper on artificial intelligence governance is among The Government plans.

In relation to automated decision-making and profiling (Article 22)

Article 22, regarding solely automated decision making, would remain.

Data minimisation and Anonymisation

The Government intends to clarify the test for anonymisation, under a relative test, simplifying it, based on wording from the Council of Europe’s Convention 108.

Reform of the Accountability framework

The Government aims to create a flexible accountability framework, with reduced necessary resources for compliance. It can bring benefits to small and medium-sized companies, as they would undertake less resources. However, the high standard of accountability is still necessary.

Removal of the requirement for Data Protection Officers (DPO), DPIA and Record of Processing Activities

Although there were concerns about the removal of these requirements, The Government seeks more flexibility and the implementation of “privacy management programmes”.

First, it aims to remove the DPO requirement. In place, “complimentary measures” will include “a suitable senior individual to be responsible for the programme”.

Regarding the DPIA, The Government considered a more flexible approach and that it would be tailored to the needs of the organisation, to avoid duplication of requirements and of other risk assessments. Organisations will not be required to undertake DPIA under the UK GDPR. However, they will still be required to undertake the analysis, identification and management of the risks, tailoring them to their activities. The consultation clarifies that existing DPIAs would remain valid.[6]

Likewise, it is still required for organisations to document the purposes of processing, but the Government incentivise a tailored record keeping. It underlines the need to maintain high standards for privacy management under a more flexible and proportional approach, depending on the type and volume of personal data. The focus is on the design of the management for a more effective and appropriate programme.[7]

Subject Access Requests

Subject Access Requests are a mechanism that generates the empowerment of data subjects. However, they can be time-consuming and costly for organisations. Regarding the ‘manifestly unfounded’ threshold for refusal to respond to subject access requests, respondents of the public consultation noted its vagueness and the possibility of unreasonable requests. Furthermore, this proposal aimed to ensure that organisations would not be overburdened by speculative subject access requests.

In its 17^th June response, the Government considered the views and currently plans to change the ‘manifestly unfounded’ threshold for refusing a subject access request to ‘vexatious or excessive’, in accordance with the Freedom of Information regime.[8] Therefore, organisations would be able to reject subject access requests if the request is vexatious or excessive.

Regarding the fees, in the September 2021 public consultation, the Government proposed the possibility of an introduction of a fee regime for access to personal data held by data controllers and that it would not undermine the individual’s rights to access personal data.[9] However, in its response, The Government does not seek to re-introduce a nominal fee for dealing with such requests, and recognised the need to protect the rights of data subjects – including vulnerable people, and not to proceed with the cost ceiling proposal.[10] The plan is to encourage organisations to implement appropriate infrastructure and better processes to respond to access requests.

Cookies

The intention is to move to an opt-out model of consent for cookies on websites, which means that they would exist without previous consent, however the website must provide clear steps to opt-out. The opt-out model would not apply to websites accessed or likely to be accessed by children.[11]

International data transfers:

The majority of respondents of the public consultation relied on the use of Standard Contractual Clauses (SCC’s) for international personal data transfers. The reforms intend to make the transfer mechanisms easier.

Furthermore, the response acknowledged the concerns regarding data flows and the UK’s adequacy decision currently provided to it with the EU. At the same time, The Government wants to reduce what they perceive to be unnecessary barriers to international data transfers. A program of adequacy assessments and further updated analysis by the government on the impact of the proposals will be expected.[12] [13] Finally, it aims to create alternative transfer mechanisms and a new power for the DCMS Secretary of State, ensuring that these also meet the high data protection standards.

Conclusion

The UK’s data protection regime currently consists of the UK GDPR, the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018 (DPA). The Queen’s Speech confirmed The Government’s intention for a Data Reform Bill over the next parliamentary year[14], and will help the reduce the culture of “tick box” exercises.[15] The Government’s belief is that is possible and reasonable to expect that the UK will maintain EU adequacy with the commitment to maintain high data protection standards and individuals’ privacy rights. Furthermore, it points out that ‘adequate’ countries do not need to have identical rules for EU adequacy decisions.[16]

From the analysis, the consultation presented reforms for this regime on mechanisms for supervision, data rights and principles. However, the reforms do not lead to an automatic loss of the UK’s adequacy status with the EU. Even when reformed, the proposed new UK legislation appears to still have significant similarities with the GDPR. As such, it is unlikely to threaten the UK’s adequacy status. Of course, only time will tell whether this happens.

Therefore, organisations that invested resources and time into the European data protection law compliance will not be required to change substantially their approach. However, some changes will likely occur.[17] Whilst the industry is more supportive on the Government proposals[18], and that it brings more flexibility, privacy campaigners consider that it may bring the idea of data protection as a burden[19], provide less choice for data subjects, given the opt-out requirements for cookies, and a threaten to the ICO independence given the ‘overextending requirements’ and the power of the DCMS Secretary of State to approve codes of practice and new guidance. For John Edwards, UK Information Commissioner, the changes will ensure that the ICO can operate with fairness and impartiality, enabling a more flexible action.[20] Further discussion on these changes is likely to occur over the next months.

[1] Data: a new direction – government response to consultation. 17 June 2022.

https://www.gov.uk/government/consultations/data-a-new-direction/outcome/data-a-new-direction-government-response-to-consultation

[2] ibid

[3] ibid

[4] ibid

[5] ibid

[6] ibid

[7] ibid

[8] ibid

[9] Sections 188 and section 189 of ‘Data: a new direction’ dated September 2021.

[10] Data: a new direction – government response to consultation. 17 June 2022.

https://www.gov.uk/government/consultations/data-a-new-direction/outcome/data-a-new-direction-government-response-to-consultation