On 10 September 2021, the UK Government's Department for Digital, Culture, Media and Sport (DCMS) launched a consultation outlining its proposals to extensively reform the UK's data protection and privacy regime, following its departure from the European Union ("EU").
The new data protection rules proposed for the UK would see the country deviate from the standards that apply in the EU under the European General Data Protection Regulation ("EU GDPR") and would loosen restrictions on the use of data in the UK, with the purpose of engendering growth and innovation.
The DCMS proposals fall into five broad categories:
- Boosting trade and reducing barriers to data flows: The UK Government seeks to boost international trade by removing unnecessary barriers to cross-border data flows and offering a more flexible and innovative approach to international data transfers. The proposals include the following:
  - Establishing adequacy regulations for groups of countries, regions and multilateral frameworks which have shared, harmonised or common frameworks. The UK would implement an ambitious programme of adequacy assessments to expand the list of countries that are designated by the UK as offering adequate data protection to include countries such as the United States of America, Singapore, Brazil and Australia;
  - Approaching adequacy assessments with a focus on risk-based decision-making and outcomes, providing businesses the flexibility to create their own alternative transfer mechanisms and amending legislation so that both administrative and judicial redress are acceptable mechanisms to address any shortcomings identified with respect to personal data being transferred overseas; and
  - Exempting 'reverse transfers' (i.e. the transfer of data originating from a country outside of the UK, which is subsequently processed by a processor located in the UK, and is then sent back to the data controller operating outside of the UK) from falling under the scope of the UK international transfer
- Reduction of administrative burdens on businesses: The UK Government proposes to move away from what it calls the "box-ticking" regime of the EU GDPR, which places unnecessary burdens on businesses and ultimately hinders the UK's competitiveness. Proposals include the removal of the requirement to:
  - designate a Data Protection Officer;
  - conduct data protection impact assessments (DPIAs);
  - meet the data mapping and record keeping obligations under Article 30;
  - consult with the UK Information Commissioner's Office ("ICO") prior to high-risk processing; and
  - inform the ICO of personal data breaches where the risk to data subjects is "not material".
Further, it is suggested that businesses should be able to charge fees with respect to their handling of subject access requests as these are time consuming and costly for businesses to respond to.
It is also proposed that businesses be permitted to use analytics cookies and other similar technologies without requiring the consent of users to reduce excessive cookie pop-ups on devices. Alternatively, organisations should be permitted to store data on, or collect information from, the devices of users without their consent for limited purposes.
- Reduction of barriers to responsible innovation: The UK Government seeks to clarify the scope of the 'legitimate interests' ground used for lawful processing under Article 6(1)(f) of the UK GDPR. It would provide an exhaustive list of pre-approved legitimate interests for which businesses can process data without the need to conduct a balancing test to determine whether the rights and freedoms of data subjects override the interests of the business in processing the data. For example, the processing activities permitted under this ground would include the processing of data for internal research and development purposes or for the improvement of the safety of a product or service which a business provides. Further, it is proposed that the requirement for human oversight in respect of automated decision-making be removed. Instead, automated decision-making would be permitted where one of the lawful grounds of processing under Article 6(1) is met. Importantly, the UK Government has also proposed to make changes to the rules on anonymisation. It plans to adopt a clearer test which can be used to determine when data will be regarded as anonymous, which will also establish, amongst other things, that the question of whether data is anonymous is relative to the means available to the data controller to re-identify it.
- Delivery of better public services: The UK Government is considering expanding the list of situations in which special categories of personal data (i.e. those relating to an individual's health, race, political opinions or sexual orientation) can be processed. Further, it is proposed that public and private bodies should be able to process health data when it is necessary for reasons of "substantial public
- Reform of the Information Commissioner's Office: The UK Government intends to set a new legislative framework for the ICO which introduces the following:
  - ICO to have regard for economic growth and innovation when it is performing its functions;
  - ICO to have regard to competition when discharging its functions; and
  - ICO to cooperate and consult with other regulators in the UK.
Further, the UK Government is keen to reduce the burden on the ICO to investigate complaints. It is considering introducing a requirement for a complainant to attempt to resolve any complaint with the data controller prior to filing it with the ICO, or criteria by which the ICO can decide not to investigate a particular complaint, so that it can focus on complaints that carry a higher risk of harm to individuals.
While the reforms proposed by the UK Government would relieve UK businesses from some of the more stringent requirements they are subject to under the UK GDPR, the substantive changes proposed to the UK data privacy regime may in fact pose a practical challenge for businesses that operate in both the UK and the EU, which would be required to comply with two separate and different sets of rules. For this reason, the loosening of rules in the UK may ultimately bring little material benefit to businesses that operate in both the UK and the EU if those businesses decide instead to continue to comply with the higher standards required under the EU GDPR across their European operations.
The most significant risk associated with an overhaul of the UK GDPR rules is that it puts the EU's adequacy decisions in relation to transfers of personal data from the EU to the UK at risk. The EU may decide that the watering down of the GDPR rules means that the UK no longer provides an adequate level of data protection and that data can no longer flow freely between the EU and the UK. The European Commission did warn the UK Government when issuing its adequacy decisions that its decisions could be revoked "immediately" if the UK Government weakens its data protection standards (please see our client alert about the European Commission's adequacy decisions for the UK here). Given that approximately 45 percent of UK imports and exports are from/to the EU [1], with the unrestricted exchange of data forming a crucial part of that trade, a revocation of the adequacy decision would not only prove challenging for UK and EU businesses, but would also be very costly. It is estimated that the cost to UK businesses alone could fall between £1.1 billion and £1.6 billion [2].
It remains to be seen which of the proposals will be implemented by the UK Government and the scale of the changes that will be made to the UK GDPR; however, what is clear is that the significance of these changes to international businesses will be tied to the EU's reception of the new rules adopted by the UK.
Organisations are welcome to respond to the UK Government's consultation until 19 November 2021. Details on how to submit a response to the consultation can be found here.
[1] Department for International Trade. 2021. Trade and Investment Core Statistics Book. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1018620/Trade-and-Investment-Core-Statistics-Book-2021-09-20.pdf
© Copyright 2021. The Mayer Brown Practices. All rights reserved.