UK: The Information Commissioner's Office Publishes Its Response To The UK Government's Consultation On Reforms To The UK's Data Protection Regime

EU – Data

Key date(s)

• 10 September 2021  – The Department for Digital Culture, Media & Sport ("DCMS") publishes its consultation on reforms to the UK's data protection regime (the "Consultation"). The Consultation will run for 10 weeks.
• 6 October 2021 – The Information Commissioner's Office ("ICO") publishes its response to the Consultation.
• 19 November 2021 –  The deadline for responses to the Consultation is 11:45pm on 19 November 2021, at which point the Consultation closes.
• Q4 2021 – Q1 2022 – The UK Government will publish its response to the Consultation in "due course".

Status

• On 6 October, the ICO published its response to the DCMS Consultation (the "Response").
• The UK Information Commissioner, Elizabeth Denham CBE, noted that the ICO is broadly supportive of the Consultation document and of the overarching intent behind it. Nonetheless, Denham notes that "as the proposals develop...the devil will be in the detail" and consequently the ICO have produced an in-depth and wide-ranging 89 page response document that addresses the Consultation's key proposals.
• Many of the Consultation proposals include a significant shift away from existing UK legislation and the EU GDPR and, whilst the ICO is supportive of the move towards a proportionate, risk-based approach, its Response includes numerous reservations based on the adoption of a more data subject focused view of the Consultation's proposal, and seeks clarity on the use of additional safeguards to ensure that data subject rights are not jeopardised.
• Notably, the Response also expressed concerns around the proposed reform of the ICO's own leadership structure, which it notes has the potential to put the independence of the regulator at risk. With the current serving New Zealand Privacy Commissioner, John Edwards, taking the UK ICO helm from January 2022 (with a remit that goes beyond the regulator's traditional role of focussing only on protecting data rights), it will be interesting to see how these reservations will be reconciled in the short term. Not least because the DCMS is keen to finalise the proposals set out in the Consultation in the coming months.

 What it hopes to achieve 

• The proposals set out in the Consultation have the ability to significantly change the data protection landscape in the UK and, in turn, the compliance requirements for businesses operating in the UK.
• The true impact of this "new dawn" on the full spectrum of businesses operating in the UK (particularly whether the intended benefits of the proposals are realistic in practice), will only be known further down the reformation process, once the detail of any legislative changes is published.
• Either way, as the ICO's Response highlights, the UK Government is forging its own data protection path ahead of the wake of Brexit and in some cases, this approach appears at odds with the ICO, the Government's own data protection supervisory authority.
• It will be interesting to see how these pinch points, in particular the proposed re-structuring of the ICO's leadership, develop once the Consultation closes and the Government's response is published. Conflict with the ICO is of course not a desired outcome of the Consultation nor of the Government's wider data strategy, but the Response makes it clear that there are multiple instances whereby the Government's approach differs from the significantly more data subject focused views of the ICO. Whether these two approaches can be reconciled remains to be seen.

Who does it impact? 

• The ICO's Response is just one reply to the DCMS Consultation. Whilst the Consultation has an explicit and direct impact upon the ICO, it also has particular relevance to a variety of organisations including: start-ups and small businesses; technology companies and data-driven or data-rich companies; civil society organisations; academics; and law firms and other professional business services.
• Given the wide ranging application of the Consultation, a range of stakeholder responses are expected (and encouraged).

Key points 

1. Easier reliance on legitimate interest
   • The ICO understands the need for greater certainty around the use of legitimate interests, however the Response proposes a shift in responsibility to carrying out the balancing test from organisations to the Government itself, rather than a straight removal of the balancing test.

2. Reduced restrictions on ADM
   • The ICO supports the Government's proposals relating to research and recognises the need to build trust regarding the fairness of AI and automated decision making. It opposes however the removal of the Article 22 right to human review as it feels this will reduce trust in AI and prejudicially impact data subjects

3. Changes to internet cookies policies
   • The ICO agrees that the current approach to cookie pop-ups is not practical for data subjects or organisations and welcomes change. It is broadly supportive of the two options proposed, but requires further clarity on how a list of exemptions (without requiring user content) would work in practice.

4. Reverse data transfer exemption
   • On the proposed reverse transfer exemption, whilst the ICO supports changes to reduce burdens in a proportionate manner, it has encouraged the Government to investigate how effective the exemption may be in reducing complexity in practice and pointed to the ICO's ongoing consultation on international transfers.
5. Reforming the structure of the Information Commission's Office
   • Whilst the ICO supports some of the proposed changes (including strengthening the ICO's supervision and enforcement powers), it has raised concerns about reforms to its leadership structure and the impact on the ICO's independence.

Originally Published 6 October, 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.