UK - Proposals to reform the GDPR are significant but not radical
The UK Government has today released its proposals to reform UK data protection laws. Unsurprisingly, it seeks to deliver on its Brexit promises through deregulation, such as scrapping data protection officers, records of processing and data protection impact assessments.
However, it is less radical that it might have been and many of these obligations are replaced by a new, more flexible obligation to implement a “privacy risk programme”. More flexible, of course, means that the programme might be more burdensome in some situations. In addition, while the ancillary obligations in the UK GDPR will change, the core principles and definitions will not.
The key uncertainty is whether it will provoke the EU into revoking its adequacy finding for data transfers to the UK. There are good reasons to think this should not happen, but the loss of adequacy would have immediate and significant effects that might well outweigh the other benefits these reforms will deliver.
A bonfire of red tape?
The Government’s proposals for reform are set out in its 146 page paper Data: A new direction. It provides a detailed and well-thought-out series of proposals for reform to UK data protection laws that raise valid questions about the cost and effectiveness of many aspects of the UK GDPR.
The answers to those questions, at least on the face of it, appear to be underpinned by the UK Government’s desire to deliver a Brexit dividend and remove unnecessary red tape for UK businesses. As a result, the UK Government proposes removing the obligation to:
- appoint a data protection officer, either in all cases or just for public authorities;
- conduct data protection impact assessments;
- consult with the Information Commissioner in relation to high-risk processing;
- prepare records of processing activities.
Similarly, there are broader reforms to other aspects of UK data protection law, such as:
- creating an “whitelist” of situations in which the legitimate interest test would apply without having to conduct a balancing exercise, e.g., reporting criminal acts, using analytics cookies, anonymising personal data or improving products or services. This is, in effect, the creation of a whole new set of legal bases, albeit for obviously unobjectionable purposes that would clearly satisfy the legitimate interests test in any event;
- introducing a notional fee for subject access requests, imposing a cost-cap on the amount organisations have to spend responding to a subject access request and invalidating vexatious subject access requests;
- relaxing the rules on cookies so consent will not be needed for analytics cookies or where there is a legitimate purpose to the processing (e.g., detecting faults). However, consent will still be needed for marketing and tracking cookies;
- broadening the similar products and services exemption for email marketing so that it also applies to non-commercial entities; and
- further reforming to the rules on transborder dataflow and processing by public authorities which, in the interests of brevity, are not discussed further in this article.
However, this is far from a bonfire of red tape. Rather it appears to replace the more rigid requirements of the UK GDPR with a more flexible obligation to implement a “privacy management programme”. This will require organisations to:
- define roles and responsibilities within the organisation with respect to data protection including designating an individual to be responsible for that programme and liaising with the Information Commissioner;
- demonstrate evidence and support from senior management, including through appropriate reporting obligations;
- implement measures to support the programme such as: (a) personal data inventories; (b) internal policies; (c) risk assessment tools; (d) procedures for communicating with data subjects; (e) procedures for handling breaches; and
- implementing processes to monitor and update the programme and check its effectiveness.
Given the Information Commissioner’s likely demanding expectations for such a programme (particularly given its recently released Accountability Framework) it is not immediately clear this is a less onerous framework, particularly for larger businesses. Many may retain their DPOs, DPIA processes etc. as the building blocks to deliver that new “privacy management programme”.
The future is robotic
The UK Government is also proposing significant changes to better allow the use of data for innovation, particular for AI projects.
The centre piece of these particular reforms is to either remove, or more tightly limit, the restriction on automated decision making in Article 22 of the GDPR, which is thought to hold back the practical deployment of AI and its use in robo-decision making. The focus on automated decision making is interesting given Article 22 remains an enigma. While it is an interesting and potentially significant right, it does not seem to apply very frequently in practice and rarely seems to cause problems. Moreover, the UK will be swimming against the tide when both the EU and China are seeking to regulate this area, to protect consumers better.
There are a series of other broad reforms proposed in this area. For example:
- explicitly permitting the use of personal data, including special category personal data, for bias monitoring and correction in AI systems;
- consolidating the research specific provision in the UK GDPR and Data Protection Act 2018 into a single provision and providing a statutory definition for “scientific research”;
- clarifying the legal basis for the use of personal data in research projects, particularly if it falls under Article 6(1)(e) or if a new legal basis should be created;
- better allowing the use of personal data for research by: (i) broadening the situation in which personal data can be used for new purposes: (ii) allowing broader consents to be given for future unspecified uses; and (iii) restricting the situations in which fresh privacy notices are needed; and
- confirming that the test for anonymisation of data should be viewed from the perspective of the person holding the data (e.g., rather than considering if there might be some other data somewhere that would allow identification) and possibly introducing a statutory definition or test for anonymisation.
The centre holds
Importantly, while these are significant and wide-ranging changes, the core principles in the GDPR are unaffected. There is no significant change to the data protection principles or lawful bases for processing (noting there are proposals to whitelist some processing under the legitimate interests conditions). Similarly, the key concepts such as that of personal data, and the distinction between processors and controllers remains.
As such this is more a case of incremental reform rather than a radical reinvention. For example, the UK Government might have considered if the processor-controller dichotomy is still fit for purpose or if unstructured electronic personal data ought to be subject to separate, less onerous regulation. Similarly, the Government does not appear to want to thin the current legislative thicket created by the UK GDPR and Data Protection Act 2018 by combing them into a single consolidated instrument.
However, given the last few years have been so tumultuous, many UK businesses may welcome the continuity and stability these proposals provide.
Changes for the Information Commissioner
Finally, the proposals contain a range of proposals to change the powers of the Information Commissioner and the way her office operates. This includes:
- increasing the sanctions for breach of ePrivacy laws, such as sending SPAM. The fines for breach are currently limited to £500,000 but would be increased to be on the same footing as the GDPR;
- providing a new power to commission a “skilled person report” similar to that available to the Financial Conduct Authority;
- introducing a new independent board and CEO role; and
- imposing various new duties including a growth and innovation duty, a competition duty and a public safety duty. These new duties will likely complicate the Information Commissioner’s enforcement work given data protection often involves trade-offs between different competing interests.
Impact on adequacy
One of the most significant implications of these new reforms is the impact on the EU’s finding that the UK has adequate data protection laws, thus enabling the free transfer of personal data from the EU to the UK. The EU’s adequacy finding includes an obligation on the EU Commission to monitor developments with UK data protection laws and, in any event, is only for a four-year period.
There are good arguments that these proposals should not affect the adequacy finding. As set out above, the changes will not necessarily result in a lessening of the protection of personal data, rather it means the process to ensure that protection is more flexible. However, this is ultimately a question for the EU Commission who will, no doubt, be scrutinising these proposals closely.