With relatively little fanfare and on the day of a heatwave (in London, at least!), the UK Government published its response to its consultation on reform of data protection law last Friday. While the UK is no longer a member of the EU, any changes that the UK Government makes to UK data protection law (which currently reflects the EU GDPR) have to walk a fine line, given the clear economic benefit of preserving the UK's adequacy status under EU law as well as the need to maintain a high standard of protection for individuals' privacy.
So what will the new UK law look like? Well, it's not the full-scale revolution that some commentators thought was coming. But, equally, there are some significant changes. Of course, we will need to wait to see the draft bill, and what it looks like in its final form once it has gone through the Parliamentary legislative process.
In a number of areas the UK Government has stopped short of proceeding with wholesale change. So, the Government decided not to change the rules on reporting data security breaches or to create new lawful bases under Article 6. The framework for international data transfers under the UK GDPR remains broadly the same (albeit with a risk-based approach). The Government also decided not to introduce a definition of substantial public interest (although it may introduce more substantial public interest conditions under Schedule 1, Data Protection Act 2018) and has decided not to proceed with requiring compulsory transparency reporting on the use of algorithms in decision-making by public sector bodies.
Below is a high-level look at the forthcoming changes to UK data protection law:
- Research - there will be a new statutory definition of scientific research; since this is going to be based on the language in recital 159 of the GDPR, there are unlikely to be any big surprises. Additionally, there will be clarification about the use of broad consent for research, clarity on further processing for research, and an exemption from the requirement to provide a privacy notice for data used in research where contacting individuals would involve a disproportionate effort. However, the Government is not going to introduce a new lawful basis for research purposes, given feedback from respondents that the existing framework under Article 6 is sufficient.
- Legitimate Interest - there will initially be a limited number of carefully defined processing activities for which an organisation can rely on legitimate interests (LI) without having to carry out a balancing test. These limited processing activities will include the prevention of crime and safeguarding, although there will likely be additional safeguards where children's data is processed.
- Article 22 and AI - Article 22 (concerned with solely automated decision-making) remains. While a number of voices in the UK have called for Article 22 to be removed, and several respondents to the consultation found it confusing, the Government is going to consider how to amend Article 22 to clarify when it applies and to align its use with the Government's broader approach to governing AI-powered automated decision-making. There will be a Government white paper on AI governance, although there are no current plans to legislate on fairness in AI governance. In response to specific concerns about bias mitigation in AI, there will be a new condition under Schedule 1 of the DPA 2018 to enable the processing of sensitive data for the purpose of monitoring and correcting bias in AI systems.
- Anonymisation - there will be clarity on when data is anonymous. The test for identifiability will be a relative test based on wording from the Council of Europe's Convention 108. The Government wishes to avoid setting an impossibly high standard for anonymisation.
- Accountability - there will be a more flexible accountability framework underpinned by privacy management programmes. The aim is to reduce the amount of time and resources that organisations (especially SMEs) need to invest in compliance and introduce a more proportionate approach to comply with the law. However, there is still an emphasis on a high standard of protection so that organisations that process highly sensitive data will still be expected to implement a robust approach to accountability.
- DPOs, DPIAs and ROPAs - all of these requirements under the UK GDPR will be removed. Yet there will be new obligations in their place. So, instead of a DPO, organisations will need to appoint a senior individual who is responsible for data protection compliance. Likewise, organisations will need to identify and manage risk under the new privacy management programme, even if it's not documented as a fully fledged DPIA (in the GDPR sense). And while the requirement to keep records of processing activities as defined under the UK GDPR will fall away, there will be a requirement to keep a personal data inventory as part of a privacy management programme.
- Subject Access Requests - organisations will be able to refuse SARs if the request is vexatious or excessive, replacing the current 'manifestly unfounded or excessive' threshold. However, there will be no reintroduction of the £10 fee for individuals making SARs.
- Cookies, e-marketing and fines - the new legislation will remove the requirement to display a cookie banner, and the Government will permit cookies to be placed on a user's device without consent for a small number of non-intrusive purposes. Significantly, the intention is to move in future to an opt-out model of consent for cookies placed on websites, although this will take place only when the Government is satisfied that there are robust solutions allowing individuals to manage their cookie and opt-out preferences. Non-commercial organisations will be permitted to rely on the soft opt-in rule when sending email marketing, although the Government will ensure that appropriate safeguards are in place to protect individuals who do not wish to continue to receive communications. Organisations that flout the rules under the Privacy and Electronic Communications Regulations (the framework that governs e-marketing) will face GDPR-level fines (the current limit for PECR breaches is £500K).
- International data transfers - the focus will be on a risk-based approach to adequacy when the Government assesses whether to give a third country adequacy status; there will be no requirement on the Government to review adequacy every 4 years, but there will be ongoing monitoring. The reforms in this area will ensure exporters can act pragmatically and proportionately when using alternative transfer mechanisms, but organisations will not (as was originally proposed) be able to create or identify their own transfer mechanism. Instead, the UK Secretary of State (DCMS) will be given a new power to recognise alternative transfer mechanisms as a form of future-proofing. However, the Government is not going to legislate to exempt reverse transfers (transfers from a third country into the UK and then back to the same third country) from the rules on international data transfers under the UK GDPR. Nor is the Government going to legislate to enable a more flexible approach to the derogations for international data transfers (Article 49).
- The role of the ICO - the Government's original proposed reforms to the ICO were among the more controversial changes. In particular, concerns were raised that the reforms would undermine the ICO's independence. However, while the Government will proceed to introduce new duties on the ICO (to have regard to competition, growth and innovation) as well as a new structure, it is not proceeding with certain other key changes. So, although the Secretary of State will be given the power to issue a statement of strategic priorities to the ICO (even though most respondents disagreed with this), the ICO's primary objectives and duties will take precedence over these strategic priorities. On the ICO's workload, there will be a new requirement for a complainant to try to resolve their complaint with the controller before complaining to the ICO, which should reduce the flow of complaints to the ICO. As a result, organisations will need to provide individuals with a simple and transparent complaints-handling process for SARs and other rights requests. The law will also set out how the ICO can use its discretion to decide whether to investigate a complaint, thus filtering out those complaints that are more vexatious.
Brilliantly and very clearly summarised. You've just saved a lot of people a lot of reading, Victoria!