On 17 June 2022, in response to its 2021 consultation on the same topic (which we wrote about here), the UK government published more detailed proposals to reform data protection laws in the UK. The response to the consultation can be found here. The stated intention of the reforms is to enable greater use of personal data, and thereby economic growth, by removing barriers and reducing obstacles for organisations whilst maintaining high standards of personal data protection and EU adequacy.
Of the 62 different proposals the government plans to move forward with, we have identified those that we consider will have the biggest impact on businesses.
Proposals relating to the UK GDPR and Data Protection Act:
- Research: Changes proposed to unlock data for scientific research; creating a definition of ‘scientific research’ based on Recital 159 of the GDPR; permitting scientific research following the receipt of broad consent from the data subject; clarifying what further processing of personal data for scientific research means (where the original lawful basis is not consent); and extending the ‘disproportionate effort’ exemption on the obligation to provide a privacy notice when personal data is used for research purposes where there is a genuine disproportionate effort on the controller in providing such information.
- Legitimate interests: Setting out a specific list of legitimate interests that will not require the controller to carry out a balancing exercise (e.g. processing that is necessary to prevent a crime or report safeguarding concerns) thereby reducing the burden on businesses to conduct time-consuming and complex legitimate interest assessments.
- AI: Introducing a new lawful basis to Schedule 1 of the Data Protection Act allowing special category personal data (e.g. health data, ethnicity and biometrics) to be used for the purpose of ensuring bias monitoring, detection and correction in AI systems, thereby supporting innovation using AI.
- Anonymisation: Clarifying when a data subject is identifiable and when they are not (with reference to the Council of Europe’s definition), thereby creating more certainty for businesses about whether they are using personal data or anonymised data.
- Privacy management program: Introducing the requirement to have a ‘privacy management program’, which will be a more risk-based and flexible obligation; making amendments to the accountability requirements, including replacing the requirement for organisations to appoint a data protection officer with a requirement to appoint a senior individual within the organisation to oversee the organisation’s privacy management program; removing the requirement for controllers to conduct data protection impact assessments and replacing it with the organisation’s own internal risk assessment measures; removing the requirement for controllers and processors to keep records of processing and replacing it with a document recording the purposes of processing; and amending the mandatory requirement to consult the ICO on high-risk processing activities by making it voluntary.
- Cookies: Removing the requirement to display cookie banners and finding other solutions to meet the requirement to obtain prior consent to drop cookies and similar technologies. The intention here in the long term is to move from opt-in to opt-out consent for cookies. The government plans to proceed with this only once automated technology is widely available to help users manage online preferences. In the short term the government intends to remove consent for audience measurement cookies.
- Data transfers: empowering the Secretary of State to create alternative transfer mechanisms (in addition to UK certification schemes) that will allow a pragmatic and proportionate approach to transfers; and removing the requirement to review UK adequacy decisions every 4 years. Notably, given the government’s recognition that legitimate interest assessments are ‘complex’ and difficult to get right, it did not comment on the requirement to conduct transfer impact assessments.
- Data subject access requests (DSARs): changing the current threshold for refusing a DSAR from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’ to address disproportionate impacts of DSARs on organisations.
- Automated decision making: amending Article 22 to clarify the circumstances in which the article will apply, recasting it as a right to safeguards rather than a general prohibition on solely automated decision making.
- Complaints handling mechanism: A requirement on controllers to have a complaints-handling mechanism, so that the controller has a chance to resolve complaints from an individual before they are escalated to the ICO.
Proposals relating to the Privacy and Electronic Communications Regulations (PECR):
- Direct marketing consent: allowing the soft opt-in (i.e. an exemption to obtaining consent) to apply to direct marketing communications from political parties and other non-commercial organisations (e.g. charities).
- Fines: increasing the fines under PECR from the current maximum of £500,000 to align with the UK GDPR.
- Nuisance calls: introducing a requirement for communication providers to notify the ICO of suspicious levels of traffic on their networks, and empowering the government to require telecoms companies to block nuisance calls at source.
The response to the consultation is detailed and informative about the direction of data protection law in the UK, but we await the draft of the Data Reform Bill to see exactly how some of these changes are going to pan out. Any such legislative changes are likely to take some time and we do not expect to see any such changes within the year.
Organisations should hold off making any drastic changes to their privacy program (like ripping up their data protection impact assessment template!) and wait to see how the changes progress through parliament, especially given that any changes to compliance programs cost organisations time and effort. One other major factor to keep in mind is that most organisations do not operate solely within the UK. This means that, despite the potential relaxing of the data protection rules in the UK, organisations need to think about how this impacts their obligations (if at all) in the European Union and the European Economic Area (where they may still be subject to the EU GDPR) and their global privacy program.