Plans to reform the UK’s data protection regime represent an important evolution for the UK GDPR
On 17 June 2022, the UK Government published its response to its Data: a new direction consultation. The response sets out a series of proposals to reform the UK GDPR in ways that will better enable innovation, drive scientific research, and position the UK as a more attractive data economy. At the same time, the reforms maintain a high standard of data protection rights that will help preserve data sharing agreements with international partners, including the European Union (EU).
Following the UK’s withdrawal from the EU, the UK Government has approached reform of its data protection regime as an opportunity to seize the benefits of its newfound regulatory freedoms, opting for a more risk-based and proportionate approach to data protection and compliance, which techUK has welcomed.
Based on feedback from just under 3,000 consultation responses, including techUK’s submission, the Government has set out the changes it will take forward in reforming the UK’s data protection regime, which will be laid before Parliament as a draft bill later this year.
In its response to the consultation, the Government outlines across five chapters which proposals will be adopted, including provisions around using personal data for research, introducing a legitimate interests list, creating a more proportionate and risk-based approach to the accountability framework and data flows, as well as expanding the responsibilities of the regulator. Overall, this is a welcome package of reform that adopts many of the suggestions made by techUK and our members.
Commenting on the proposals, Julian David, CEO at techUK, said:
“At its introduction the GDPR was not perfect. The challenge in reforming it has always been how to retain key protections for citizens while introducing clarity and flexibility to enable growth in data driven innovation and new technologies such as AI.
“The reforms announced today find a good balance between making the UK’s data protection system clearer, more flexible, and more user friendly to researchers, innovators, and smaller companies. While at the same time maintaining levels of data protection in line with the highest global standards.
“There are some outstanding questions about how exactly these reforms will work in practice. Specifically, around an opt-out system for cookies and the Government’s proposals for balancing tests with regards to data processing.
“However, on the whole this is a welcome package of reform. techUK will continue to work closely with the Government on these outstanding questions and we look forward to seeing the draft Data Bill in due course.”
Chapter 1: Reducing barriers to responsible innovation
The Government will make it easier and clearer for organisations to use and reuse data for research purposes. The Government will legislate to create a statutory definition for scientific research in the UK GDPR. This will be based on recital 159 of the GDPR, a broad definition that covers technological development and demonstration, fundamental research, applied research and privately funded research.
The Government will clarify the processes and safeguards for the re-use of personal data and clarify standards for anonymisation, including making the test for anonymisation relative. An exhaustive list of processing activities that will allow organisations to process data without a lengthy legal assessment (balancing test) will be introduced. This will be usable for a number of purposes such as for anti-fraud and anti-money laundering.
Many of the Government’s proposals and suggestions on artificial intelligence (AI) in this chapter have been left to a forthcoming AI White Paper, which will focus on the governance and regulation of AI systems. This includes the future of Article 22 (the right to a human review of an automated decision), which will remain in the UK GDPR in some form; however, its thresholds for use will be clarified in the AI White Paper. techUK supports the UK retaining Article 22 in legislation and agrees with the Government that clarification is needed.
The Data Bill will, however, make changes to enable organisations to use sensitive personal data for the purpose of reducing bias in AI systems. This will be done by clarifying that Schedule 1 Paragraph 8 of the UK GDPR can be used for the purpose of ensuring bias monitoring, detection and correction.
The Government will also implement proposals to provide organisations with more clarity on data anonymisation, improve industry participation in Smart Data Schemes under BEIS, and support efforts to promote the uptake of Privacy Enhancing Technologies (PETs).
Chapter 2: Reducing burdens on businesses and delivering better outcomes for people
The Government will shift towards a more flexible and risk-based approach to compliance, proceeding with plans to implement Privacy Management Programmes (PMPs) as well as remove the requirements to appoint Data Protection Officers (DPOs) and to carry out Data Protection Impact Assessments (DPIAs). This will largely benefit smaller organisations, which will now be able to take a more tailored approach to compliance.
The Government will also tackle concerns around “consent fatigue” in relation to cookie banners by reducing the scope in which they are required (e.g., for non-intrusive purposes) and, in the longer term, move to an opt-out model of consent for cookies. The proposed opt-out system will require further consultation to ensure that its implementation does not stifle innovation or have a negative impact on competition in the sector.
In this chapter, the Government has also set out other areas where it will implement reform to ease compliance burdens on organisations related to record keeping, breach reporting and responding to unreasonable information requests from individuals (Subject Access Requests). techUK has welcomed the fact that a nominal fee for individuals to submit these requests will not be re-introduced.
On the whole, these plans should reduce burdens for businesses while retaining high standards of data protection. However, it will be important that the Government makes sure it does not take away regulatory burdens with one hand and then add them on with the other. This will particularly be the case for new proposals intended to reduce unsolicited direct marketing, such as nuisance calls. While the policy intention here is good, this is a complex area. If reforms are poorly designed, they could add significant monitoring and double compliance costs to network providers, which would be against the broader goals of these reforms to reduce burdens on businesses.
Chapter 3: Boosting trade and reducing barriers to data flows
The Government will shift to a more risk-based and outcomes-based approach to data adequacy decisions, such as by removing the requirement to review adequacy decisions every four years and developing a more flexible and outcomes-based approach for assessing jurisdictions for adequacy as well as for the creation of new data transfer mechanisms.
Chapter 4: Delivering better public services
The Government will make it easier and clearer for organisations to share data with public bodies when asked to do so on public interest grounds. These proposals will help to address many of the challenges that arose during the pandemic around the sharing of personal data for purposes in the public interest.
Chapter 5: Reform of the Information Commissioner’s Office (ICO)
The Government will implement wide reforms to the ICO with a view to expanding its responsibilities and bringing its governance structure in line with other UK regulators such as Ofcom and the Competition and Markets Authority (CMA).
This includes a new governance structure, including a Chief Executive and a board as well as secondary duties to consider the economic impacts of its decisions, to develop a coherent international strategy, as well as new transparency and reporting requirements.
The DCMS Secretary of State will also be given new powers to prepare a non-binding Statement of Strategic Priorities for the ICO and to approve new codes of practice and complex or novel guidance. How this power to approve guidance is exercised will be important with regards to the perceived independence of the regulator. techUK would therefore welcome further clarification on how this proposal will work in practice.
The ICO will also be renamed to better reflect changes in its structure and responsibilities.
Overall, these reforms represent an important evolution in the UK GDPR which will provide greater clarity and flexibility for businesses that process personal data. While some proposals will require further consultation and clarification, this package is an important evolution of the UK GDPR, particularly with regard to changes designed to boost data-driven research and innovation.
Based on the response to the consultation, a draft Data Reform Bill will be laid before Parliament this summer to undergo several rounds of amendments before it is formally passed into legislation. The scrutiny period will be critical in addressing any outstanding questions on the proposals, such as those related to AI, cookies, nuisance calls and reforms to the ICO, as well as the effectiveness of the processing activities listed under the legitimate interest list.
Once passed, the regulator will also play a vital role in providing organisations and individuals with guidance for implementing the new regime.
techUK will remain engaged with the Government throughout this process. In particular, we await the publication of the AI White Paper. Establishing the correct framework for data use and the regime for AI governance are two vital pieces of the puzzle in ensuring the UK takes a leadership role in AI, giving companies the confidence to invest.
Please see here for techUK’s full response to Data: a new direction.
This blog is part of a series exploring the UK's upcoming reform to its data protection regime. Learn more here.