On 17 June 2022 the UK government’s Department of Culture, Media and Sport (DCMS) published the outcome of its consultation on reform of the UK’s data protection laws (see Legal update, DCMS publishes outcome of consultation “Data: a new direction”). DCMS has presented the response as a step forward for both businesses and individuals in terms of, for example, cost savings, innovation, and clarity around privacy rights. In practice, the proposals are no great overhaul of UK laws, nor was one wanted by those who responded to the consultation. Organisations will undoubtedly be keen to know how the proposals will affect their business, and whether any of the proposals risks the UK’s adequacy status under the EU GDPR.
So who is set to benefit?
Organisations supervised by the ICO
Proposals to change the ICO, its strategy and oversight are among the most expansive. Although the ICO gains certain extra powers and tools, it will also be required to consider the promotion of economic growth and its impact on competition. Government approval will be required before statutory guidance is laid before Parliament. These changes potentially risk the ICO’s independence, perhaps even the UK’s adequacy status, but businesses will hope these lead to greater pragmatism and stakeholder engagement. DCMS’s proposal to move initial complaints handling out of the ICO and into the hands of controllers is also likely to be welcomed.
Research and scientific institutions
One of the government’s focuses of reform has been the removal of perceived barriers to innovation. A number of proposals aim to simplify the UK GDPR’s peppering of research-related provisions, regrouping some and moving a number of interpretative recitals into the main text to give them greater force. A new exemption from providing notices under Article 13 and promised clarity on both broad consent for research and the permitted scope of further processing are also intended to assist researchers. In addition, the response confirms that the UK will codify a more pragmatic “relative” approach to anonymisation.
SMEs and UK-based businesses
DCMS has declared that its proposals will deliver around £1 billion in business savings, in large part through its move to a “more risk-based” approach. In particular, DCMS proposes the replacement of several specific accountability provisions with a “privacy management programme”. DPOs will be replaced by “suitable senior individuals”, records of processing will be reduced to data inventories and DPIAs will fade into more general requirements to assess risk.
For some SMEs and businesses who only need to worry about UK rules, these changes could well reduce the administrative burden of data protection compliance. These organisations should keep an eye on the detail of the Data Reform Bill, and the guidance that ensues once it is law. The risk of a “flexible” approach is a lack of certainty and room for a regulator to impose high standards. For this reason, these changes are unlikely to benefit those who have complex or high-risk data processing activities. They are also likely to cause extra work for those still caught by the EU GDPR. The proposal to increase the threshold for reporting minor data breaches has unfortunately been dropped.
Although the more radical proposal on international transfers to allow exporters to determine their own safeguards has been dropped, DCMS has promised both a more commercial approach to its assessment of adequacy and measures to allow exporters to act “pragmatically and proportionally” in assessing transfer risks.
Political parties, charities and other non-commercial bodies
DCMS intends to help non-commercial bodies by permitting them to send some electronic direct marketing on an opt-out basis, through an extended version of the current “soft opt-in”. This is particularly aimed at helping charities and (somewhat self-servingly) political parties. DCMS promises that this will be subject to safeguards. Political parties and elected representatives are also due to receive assistance on establishing a lawful basis for their processing, both under Article 6 and Article 9 of the UK GDPR.
The ICO will get extra enforcement powers on nuisance calls, and in particular will be able to consider the calls made by controllers as well as those received by individuals in enforcement action. This reflects the ICO’s already tough stance and enforcement priorities in this area.
Businesses taking ePrivacy risks
Fines for breach of PECR are going up to UK GDPR levels (previously, the maximum was only £500,000). Given the steady increase in ICO fines over phone, email and SMS marketing, the risks of targeted marketing are on the up.
Organisations under ICO investigation
While the change to ICO strategies and structure may prove helpful for guidance, the ICO is getting more time to investigate organisations and additional powers such as the ability to compel witnesses.
Indifferent, or unclear, for:
Complex or EU regulated businesses
Companies processing large volumes of high-risk data, or subject to the EU GDPR, are unlikely to see privacy management programmes as an opportunity for cheaper compliance. Some businesses might actually see increased costs in the short term, as they try to ensure compliance with both regimes.
Adtech and businesses relying on cookies
In the long term
DCMS has heralded its reform plans by highlighting its intention to get rid of cookie banners. Unfortunately for businesses, this will only happen once appropriate technology to allow an opt-out approach is available. Even then, websites likely to be accessed by children, which encompasses a large number of the substantial publishers funded by ad revenues, will not be entitled to use this opt-out model.
In the shorter term
It will be possible to place more cookies in the UK without opt-in user consent. This will benefit only cookies placed for a “small number of other non-intrusive purpose” and will not cover more intrusive purposes such as real time bidding.
Controllers dealing with DSARs
The threshold for being able to refuse a DSAR will change from “manifestly unfounded or excessive” to “vexatious or excessive” to expressly align with the FOIA exemption. It is unclear how this is intended to help, given that ICO guidance and case law on the meaning of vexatious is entirely statute-specific. It is unlikely to bring more certainty. Proposals to introduce wider cost caps or nominal fees have been dropped.
The processing of special category data (for example, race and ethnicity data) will be permitted for bias monitoring in AI, although existing provisions in the Data Protection Act 2018 arguably sufficed for this purpose. Other proposals on AI have been postponed until a future White Paper on AI governance. Although the controversial proposal to remove the Article 22 prohibition on certain types of automated decision-making has been pulled, DCMS still proposes to reframe the right as one of ensuring safeguards are in place rather than a wide-ranging ban.
Will the DCMS assertion that its framework “empowers citizens through the responsible use of personal data” ring true? It is unclear how its proposals so far will lead to any improvement here. The movement of complaints handling from the ICO to controllers is likely to delay the ability of individuals to access assistance, and there are no obvious expansions to data subject rights.
The draft Data Reform Bill implementing DCMS’s proposals is expected before Parliament’s summer recess, and will take the form of a series of amendments to the existing UK GDPR, PECR and Data Protection Act 2018 rather than propose a standalone piece of legislation.
As ever, the devil will be in the detail of the drafting, with a number of proposals in the consultation response needing further clarification. Importantly, it is not too late for organisations to influence the shape of reform. The Bill will be amended as it passes through Parliament, and its progress should be monitored as businesses plan their implementation.