The UK Government has published its response to the consultation on its proposed reform of the UK's data protection regime (on which we provided further information in our previous legal update, available here). Whilst the UK Government has proposed several incremental reforms to the UK's data protection laws that will diverge from the standards set under the European General Data Protection Regulation ("EU GDPR"), the proposals fall short of the extensive reform, or replacement, of the UK GDPR previously considered.
The UK Government's response was categorised into the following five areas of consideration:
1. Reducing barriers to responsible innovation
The Data Reform Bill (the "Bill") will reduce legal requirements for the use of personal data in connection with scientific research. The Bill will introduce statutory definitions for "scientific research", "historic research" and "statistical purposes" in order to provide clarity and certainty for researchers. It will also provide for the use of broad consent, allowing researchers to rely on less specific consent where the purposes of the processing cannot be fully specified at the point of collection.
The UK Government has confirmed that it will proceed with introducing under the Bill a limited list of legitimate interests for which businesses may process personal data without applying the balancing test. This list will be smaller than that identified in the consultation paper, and is likely to include "processing activities which are undertaken by data controllers to prevent crime or report safeguarding concerns, or which are necessary for other important reasons of public interest". The UK Government has also proposed to create a power to update the list in the event that other processing activities are identified in the future that should be added.
With regard to its original proposals to remove data subject rights in relation to automated decision making, following its consultation the UK Government has confirmed that it no longer intends to pursue its proposal to remove Article 22 of the UK GDPR. The UK Government has noted that it otherwise intends to publish a white paper on the governance of artificial intelligence, following the publication of its National AI Strategy in September 2021.
2. Reducing burdens on businesses and delivering better outcomes for people
The Bill will reduce risk management requirements for certain organisations, including SMEs. Flexibility will be introduced for specific obligations on organisations, including requirements to appoint a Data Protection Officer, maintain records of data processing activities, and to conduct Data Protection Impact Assessments. The UK Government has noted in its proposals that, despite this flexibility, organisations will still be expected to maintain high data protection standards. In order to achieve this, the Bill will introduce new requirements for organisations to implement risk-based privacy management programmes, which will require organisations to consider measures corresponding to existing obligations under UK GDPR – for example, in lieu of a Data Protection Officer, appointing a senior member of the organisation responsible for the privacy management programme.
The Department for Digital, Culture, Media and Sport ("DCMS") has stated that the reduction of these obligations will produce cost savings of more than £1 billion over ten years for businesses. At present, the UK Government has yet to confirm in its proposals which types of organisations will be able to implement a privacy management programme.
Cookie consent requirements under the Privacy and Electronic Communications Regulations ("PECR") will also be updated, replacing the existing "opt-in" requirement with a new "opt-out" model. Whilst the UK Government considers that this will cut down the existing burden on businesses to maintain, and on consumers to click through, cookie pop-ups and banners, critics have pointed out that the "opt-out" model will allow organisations to set cookies without an individual's consent, making it easier for organisations to track an individual's online activity.
The Bill will also increase financial penalties under PECR for nuisance calls and texts and other serious breaches, raising the existing cap of £500,000 to match the penalties under the UK GDPR of £17.5 million or 4% of annual worldwide turnover, whichever is higher.
Following its consultation, the UK Government has confirmed that it no longer intends to pursue its proposal to re-introduce nominal fees for the processing of subject access requests.
3. Minimising barriers to data flows
The Bill will introduce reforms to reduce barriers to cross-border data flows. With regard to the UK's future approach to adequacy assessments of third countries, the UK Government has proposed the introduction of a risk-based approach to adequacy, which will allow the DCMS Secretary of State to consider additional factors, including the value of facilitating international data transfers, when reaching an adequacy decision. The UK Government has also proposed that, in its future assessment of the adequacy of third countries, it will not specify the form of redress mechanism that has to be made available to UK data subjects, but will instead consider only the effectiveness of whatever redress mechanisms exist. The Bill will also introduce ongoing monitoring of adequacy regulations, whilst simultaneously relaxing the current requirement to review those regulations every four years.
The UK Government has confirmed that it will continue to consider its proposal to grant the DCMS Secretary of State powers to make adequacy decisions for groups of countries, regions and multilateral frameworks. Whilst the UK Government has not announced any future adequacy decisions that it will make regarding specific countries, the UK Government has noted in a separate announcement that it "continues to work closely with international partners on data adequacy deals with priority countries, including the United States, Australia, the Republic of Korea and Singapore".
For countries which are not subject to an adequacy decision, the Bill will also introduce new powers for the DCMS Secretary of State to formally recognise alternative transfer mechanisms. This would allow the Secretary of State both to create new mechanisms for the transfer of UK personal data overseas and to recognise international mechanisms in UK law.
4. Improving public services
The UK Government will seek to support personal data sharing within the public sector in order to improve the delivery of public services. The UK Government has proposed to achieve this by extending public service delivery powers under the Digital Economy Act 2017 to business undertakings.
The UK Government's proposals also include clarifying rules on the use, collection and retention of biometric data by the police, and specifying new scenarios to permit certain processing activities on grounds of substantial public interest.
Following its consultation, the UK Government has confirmed that it no longer intends to pursue its proposal for the lawful processing of health data by organisations, without the supervision of healthcare professionals, on the grounds of substantial public interest during public health or other emergencies.
5. Reform of the Information Commissioner's Office ("ICO")
The Bill seeks to modernise the governance of the ICO, with the introduction of a statutory board including a chair and chief executive. In response to the ICO's concerns regarding its independence in light of the UK Government's proposed public appointment process for the role of chief executive, the UK Government has now proposed that the chief executive will instead be appointed by the ICO's board in consultation with the DCMS Secretary of State.
The Bill will introduce new statutory objectives for the ICO, ensuring that the ICO continues to promote the rights of data subjects, whilst accounting for growth, innovation and competition. In addition, the Bill will set out criteria for the ICO to use in order to establish whether to pursue a complaint, so as to empower the ICO to take a proportionate, risk-based approach to its handling and investigation of complaints.
In its statement in response to the UK Government's announcement, the ICO expressed its support for the scope of the proposed reforms. Whilst it remains to be confirmed whether the UK Government's proposals, if passed into law, will affect the UK's data adequacy decision from the EU, it is evident that the reduced scope of these proposals poses a lower risk to the UK's future adequacy status than the original proposals would have.
Originally Published 22 June 2022
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2021. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.