“Data: A New Direction”: The UK’s Proposed New Data Protection Regime

The UK Government’s Department for Digital, Culture Media & Sport (DDCMS) launched in September 2021 a consultation on reforms to create a new data protection regime. Now that the UK has left the European Union (EU), its government is working towards a new legal framework for data protection. For now, the UK has replaced its Data Protection Act 1998 with the Data Protection Act 2018, which supplements the GDPR in national law, and has retained the GDPR in domestic law after Brexit as the “UK GDPR”, which is in practice the same as the EU GDPR.

Nonetheless, the government is seeking to create its very own data protection regime, whose main aim is to combine strong protection of people’s personal data with growth and innovation in technology. Proposals for reforming the UK’s data protection regime were published in a document entitled “Data: A new direction”. Organisations and individuals have until 19 November 2021 to take part in the public consultation.

This article looks into some of the main changes introduced by the consultation document.

Legitimate interests

The DDCMS proposes to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test found in the UK GDPR. This aims to give them more confidence to process personal data on the basis of legitimate interests without unnecessary recourse to consent.

The UK GDPR currently lays down specific grounds under which processing is permitted, such as the consent of the individual, necessity for the performance of a contract, and the controller’s legitimate interests. When relying on the legitimate interests ground, data controllers must perform a balancing test, weighing their interests against the interests, rights and freedoms of the individuals concerned, in order to establish that the intended processing is lawful. The newly proposed measure would remove that step for the listed interests and so lighten the burden on controllers in those situations.

Data subject rights

The government is considering introducing a fee regime for access to personal data held by all data controllers, similar to the one found in the Freedom of Information Act 2000, a British law which provides public access to information held by public authorities. Under the current legislation, controllers may refuse to comply with a data subject access request, or charge a reasonable fee, only where the request is “manifestly unfounded [or] excessive”. The new measure would instead introduce a cost ceiling, in the region of 450 to 600 pounds depending on the type of organisation, above which the controller could refuse the request or charge for it. This measure represents a significant change compared to the UK GDPR.

Accountability 

Moving away from the GDPR’s accountability framework, which the UK government describes as “burdening”, a more flexible and risk-based one is to be introduced. Organisations would have to implement a privacy management programme including appropriate policies and processes for the protection of personal data.

The existing requirement to designate a data protection officer would be replaced by an obligation to designate a suitable individual, or individuals, responsible for the privacy management programme and for making sure that the organisation complies with the legal requirements.

Furthermore, the DDCMS proposes to remove the requirement for organisations to undertake a data protection impact assessment, allowing them to adopt different approaches to identifying and minimising data protection risks. This contrasts with the obligation under art. 35 of the UK GDPR, which provides that organisations must undertake a data protection impact assessment for processing likely to result in a high risk to individuals and which specifies what information the assessment shall contain.

The record-keeping obligation under the UK GDPR, which requires organisations to maintain a record of their processing activities at all times, would also be removed.

Finally, the threshold for notifying the Information Commissioner’s Office (ICO) in case of a data breach would be raised, as the DDCMS considers that the current threshold set in the UK GDPR may lead in some situations to over-reporting. These measures represent substantial changes from the current legal framework.

Data transfers

The government is considering allowing organisations to create or identify their own alternative data transfer mechanisms in addition to those provided for in article 46 of the UK GDPR. The repeated use of derogations would also be explicitly permitted, once again providing flexibility for organisations.

ePrivacy

The DDCMS also proposes changes to ePrivacy, which is covered by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The first would allow organisations to use “low risk” cookies, in addition to the “strictly necessary” cookies already exempt under PECR, without the users’ consent. Nonetheless, the new measures would still have to comply with the UK GDPR’s principles of lawfulness, fairness and transparency, and the government is calling for views on how organisations could comply with these principles without the use of cookie pop-up notices.

The DDCMS is also considering browser-based or software solutions that would manage cookie preferences centrally and so remove the need for cookie pop-up notices, but no clear alternative has yet been identified.

Artificial intelligence

The reform document also introduces measures regulating AI, aiming at a new regulatory approach in this fast-evolving field while allowing for the development of new technologies.

Amongst others, the government proposes to add the processing of personal data for the purposes of bias monitoring, detection and correction in relation to AI systems to the list of legitimate interests for which the balancing test before data processing is not required.

Furthermore, the DDCMS is considering removing the current safeguard of human review for solely automated decisions under article 22 of the UK GDPR, and underlines the importance of at least clarifying how that article applies.

Many changes are upcoming to the UK data protection regime and it is thus important for businesses and start-ups alike to stay up to date with their legal obligations. Stephan Grynwajc is admitted as a lawyer in the U.S., in France, in England and in Canada, and specialises in advising U.S. and Canada-based start-ups and SMEs in their European operations. Contact us today!