EU - DATA

Following the DCMS's publication of its consultation on proposed reforms to the UK's data protection regime as part of the UK Government's National Data Strategy, the consultation has now closed. The UK Government will now consider the responses gained from the consultation questions and publish a full consultation response in due course. This response will likely inform the UK's future stance on data protection for years to come.

Key date(s)

  • 9 September 2020 - The UK Government published its new National Data Strategy.
  • 10 September 2021 - The Department for Digital Culture, Media & Sport ("DCMS") published its consultation on reforms to the UK's data protection regime (the "Consultation"). The Consultation will run for 10 weeks.
  • 19 November 2021 - The deadline for responses to the Consultation is 11:45pm on 19 November 2021.
  • Q4 2021 - Q1 2022 - The UK Government response to the Consultation is expected.

Status

  • On 10 September 2021, the DCMS published its 146 page Consultation which includes a number of wide-ranging proposals for reform to UK data protection laws.
  • The Consultation is the first step in the Government's plan to deliver on 'Mission 2' of the National Data Strategy, which is underpinned by the desire to boost innovation and economic growth for UK businesses while strengthening public trust in the use of data.
  • Many of the proposals include a significant shift away from existing UK legislation and the EU GDPR. The Consultation highlights the potential impact of reform on the UK's recently obtained adequacy status, but concludes that it is possible to maintain data adequacy with the EU based on a shared commitment to high standards of data protection.
  • Nonetheless, the Consultation outlines a new regime predicated on a more practical, risk based regulatory approach that moves away from a "one size fits all" method to allow organisations to demonstrate compliance in ways that are more appropriate to their particular circumstances.
  • The DCMS has called for responses to Consultation questions by 11:45pm on 19 November 2021. Once the Consultation has closed, the responses will be considered and the Government will publish its response "in due course".

What it hopes to achieve

  • The Consultation aims to create a "bold new data regime" that will simultaneously encourage and enable British businesses to use data in new and innovative ways while ensuring that the UK upholds high standards of data protection.
  • The new regime will support the UK's post-Brexit pursuit of international trade partnerships by establishing the UK as a global hub for digital development. Significantly, the new regime will seek to create an adaptable set of rules that are flexible enough to be applied to emerging data-driven technologies and to increase the use of personal data for scientific research purposes.
  • For businesses, the Consultation proposes to reduce compliance activity requirements through the introduction of a risk-based accountability framework which will require organisations to develop and implement their own risk-based privacy management programmes.
  • Additionally, the Consultation proposes significant reforms to the Information Commissioner's Office ("ICO"). The new Information Commissioner will be empowered to protect data rights, promote trust in the data protection system and ultimately go beyond the regulator's traditional role.
  • With the recent appointment of international privacy expert and New Zealand's former Privacy Commissioner Jonathan Edwards as the new Information Commissioner (effective from 31 October 2021) and the Consultation's proposal to introduce a new regulatory governance model and statutory framework to govern the ICO, it is likely that the ICO will play an increasingly active role in data regulation.

Who does it impact?

  • The Consultation is considered by the DCMS to have particular relevance to:
    • individuals;
    • start-ups and small businesses;
    • technology companies and data-driven or data-rich companies;
    • investors in technology and data-driven or data-rich companies;
    • civil society organisations focussed on consumer rights, digital rights, privacy and data protection;
    • academics;
    • organisations involved in international data standards, regulations and governance; and
    • law firms and other professional business services

Key points

  1. Easier reliance on legitimate interest
    • The Consultation's proposed changes would make it easier to rely on legitimate interest as a lawful basis for processing personal data. An exhaustive list of legitimate interest grounds would be created
  1. Reduced restrictions on ADM
    • The Consultation also proposes to remove or limit the current restrictions on automated decision making ("ADM") and the use of artificial intelligence ("AI") in the UK GDPR. It is proposed that UK law would permit the use of solely automated AI systems on the grounds of legitimate interest or public interest.
  1. Changes to internet cookies policies
    • Organisations also would be permitted to collect and use cookie analytics data, without the user's consent. A 'soft opt-in' regime would be introduced to allow cookies to be used where there is a pre-existing relationship between the user and the organisation..
  1. Continuation of adequacy requirements
    • For international transfers of data to other EU countries and globally, the proposed regime will uphold the EU's adequacy requirements, however, organisations will be able to create or identify their own, alternative, international data transfer mechanisms.
  2. Reforming the structure of the Information Commission's Office
    • The Consultation proposes a refocussing of statutory commitments away from handling a high volume of low-level complaints, towards addressing the most serious threats to public trust and barriers to responsible data use and seeks to formalise the ICO's strategic objectives.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.