Data Protection Reforms in UK

This year in May, the United Kingdom Government announced the intention to introduce a reform bill that will implement extensive changes to the existing domestic data protection framework. If implemented, the proposed changes are expected to contribute towards UK to deviate from the standards that apply in the EU under the General Data Protection Regulation (EU GDPR). While the purpose of the changes is to loosen restrictions imposed by the EU GDPR on the use of data, the concerns are that this would be a potentially compromise the EU equivalence decision and would put into place parallel data protection legal regimes for companies to follow.

Introduction

Initially, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) launched a consultation outlining its proposals to extensively reform the UK’s data protection and privacy regime. The full detail of the proposed changes will be revealed when the draft bill is published. However, it is anticipated that the changes will include the following:

• The EU GDPR is accountability-centric and requires data controllers to maintain a record of processing, produce Data Protection Impact Assessments (DPIAs) and, for organizations that process data on a ‘large scale,’ they must appoint a Data Protection Office (DPO). The proposed changes include removing mandatory DPIAs and ROPAs – although organisations will still be required to identify and manage risks and document their processing in a more tailored and proportionate way.

• The UK GDPR requires data controllers to report all data breaches unless it ”is unlikely to result in a risk to the rights and freedoms of natural persons” (Article 33). The UK Government has proposed increasing this threshold to reduce the number of reports that data controllers are required to make to the ICO.

• allowing organisations to refuse to answer or charge a reasonable fee for answering ‘vexatious or excessive’ DSARs, rather than the current ‘manifestly unfounded or repetitive’ threshold. The UK government’s anticipation is that this will make it easier for organisations to refuse requests that are clearly unreasonable, thus reducing the compliance burden on them.
• defining anonymisation under the UK GDPR to confirm that whether data is anonymous is a subjective test  – e.g. relative to the reasonable means available to the controller or processor to re-identify the data. This may help organisations share more data outside the scope of the UK GDPR regime.

• treating analytics cookies in the same way as ‘strictly necessary’ cookies, i.e. as no longer requiring user consent. Notably, the UK government has also indicated its ambition for further reform of the UK cookie regime towards an entirely ‘opt-out’ model as and when the necessary technology becomes available (e.g. via browser settings)
• bringing the direct marketing penalties and ICO enforcement powers under PECR in line with those under the UK GDPR. Organizations carrying out direct marketing may need to reconsider their risk appetite in this area, as infringements could potentially incur a £17.5m / 4% turnover fine.
• placing a new hierarchy of statutory obligations on the ICO, including an overriding objective to uphold data rights and encourage responsible data use and new secondary duties to have regard for economic growth, innovation, competition and public safety. The ICO will also have to consider a set of statutory strategic priorities set by the UK government (and report against them annually). This may provide a clearer insight into the operations of the regulator and a better idea of the enforcement action the ICO will prioritize.
• granting the ICO greater discretion to decide which complaints to investigate – including discretion not to investigate vexatious complaints and those where the individual has not complained to the organization first.
• moving the ICO away from the corporation sole structure and introducing a statutory board with a chair and chief executive, which will bring the ICO in line with other UK regulators such as Ofcom and the FCA. The ICO will also be renamed, with the UK government currently considering options.

The UK Government are expected to publish the draft legislation before April 2023, during this parliamentary term. GDPR Local will follow these developments and will provide a further update on implications of the Bill in full.

Sources:

[1] Department for Digital, Culture, Media & Sport, Data: A new direction (10 September 2021) https://www.gov.uk/government/consultations/data-a-new-direction.

[2] Steptoe: UK Government Announces Extensive Post-Brexit Changes to Data Privacy Laws (11 May 2022) https://www.steptoe.com/en/news-publications/uk-government-announces-extensive-post-brexit-changes-to-data-privacy-laws.html

[3]The Lens: What we can expect in the Data Reform Bill: UK Government publishes consultation response on UK Data Protection Law reform (24 June 2022) https://thelens.slaughterandmay.com/post/102hrf1/what-we-can-expect-in-the-data-reform-bill-uk-government-publishes-consultation#page=1