UK Government Announces Data Protection Reforms


21 June 2022


On 17 June 2022 the UK Government published its long-awaited plans to reform the UK Data Protection Act. In late 2021, the Department for Digital, Culture, Media & Sport (DCMS) issued a consultation on potential revisions to the UK’s data protection regime, signalling what the DCMS described as a “new direction” for data as part of its first post-Brexit review of the GDPR.

The DCMS’ response to the consultation is the first step towards unveiling its plans for the Data Reform Bill, and it is clear that there is a difficult balance for the UK Government to strike in these reforms. On the one hand there are fears that if the reforms aren’t substantial or radical enough, they may just unnecessarily re-badge and over-complicate existing requirements. That would make for unnecessary compliance changes with only marginal business benefit. On the other hand, straying too far from EU standards could risk the UK losing its adequacy status, which enables the free flow of data from the EU to the UK.

Public responses to the consultation have stressed the importance of the UK retaining its adequacy status with the EU and otherwise raised some potential concerns around:

  • introducing a nominal fee for subject access requests;
  • removing the need for data controllers to carry out the legitimate interests balancing test for specified activities if children’s data is involved;
  • removing the right to human review of automated decisions; and
  • removing requirements for Data Protection Impact Assessments (DPIAs) and Data Protection Officers (DPOs).

The UK Government’s response to the consultation set out its plans to reform the UK’s Data Protection Act through five main areas:

  • reducing burden on business;
  • protecting consumers from nuisance calls and unnecessary cookies;
  • modernising the ICO;
  • enabling the innovative use of data; and
  • empowering international trade.

Reducing the compliance burden

At the root of the UK Government’s reform proposals is a desire to reduce the administrative burden for businesses through a focus on a risk-based, flexible attitude to data privacy. The DCMS has heralded this new approach as ensuring “the same high data protection standards” but with more flexibility to determine how businesses meet these standards.

The UK Government has confirmed that the Bill will remove the UK GDPR’s requirement for certain organisations, such as small businesses, to have a DPO and to undertake DPIAs. However, organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data. Once the Bill is published, more detail on these privacy management programmes will clarify the extent to which requirements are being watered down for businesses, or whether they are being replaced with new and different obligations.

Consumer protection

The Bill will significantly increase the fines for nuisance calls and texts to be in line with current UK GDPR penalties (from £500,000 to up to £17.5 million, or 4 per cent of global turnover, whichever is greater). More welcome for businesses will be the proposal for a new opt-out model for cookies, making the online experience better for users and likely making it easier for websites to collect cookie data. In this regard the UK seems set to go back to relying on users taking control over the cookies deployed through their internet browser settings.

Modernising the ICO

The Bill will set out strategic objectives for the ICO as well as introduce reforms to the way in which the ICO develops statutory codes and guidance. For example, the ICO will be required to set up a panel of experts in relevant fields when developing pieces of statutory guidance and obtain approval from the Secretary of State on codes and guidance before they are presented to the UK Parliament.

Enabling the innovative use of data

The reforms promise to define types of scientific research which would be subject to simplified legal requirements, and provide clarity about when user consent can be obtained for broad research purposes.

Empowering international trade

The UK Government has the ambition of enabling free international flows of data by striking data adequacy deals with countries like the United States, Australia, the Republic of Korea and Singapore.

The Government’s International Data Transfer Expert Council (announced in January 2022 and made up of global experts on data from academia and business) will review and provide recommendations on how the UK can remove barriers to data flows and ensure data-driven services can flourish in the UK.

What difference will it make?

The reforms set a clear tone: the UK wants to cut down on excessive bureaucracy and reduce costly compliance burdens for businesses. Little is mentioned about individuals’ rights beyond the reassurance that the plans will preserve the UK’s “high data protection standards”. While the reform package is certainly significant, only the detail of the reforms contained in the publication of the Data Reform Bill will reveal how radical it is.

As a result, detailed commentary will have to wait for the publication of the Bill. However, for now, we can say that it is perhaps surprising that the Bill will impose a new requirement on the ICO to obtain the approval of the Secretary of State before submitting codes and guidance to Parliament. It reduces the independence of the ICO, something which is a relevant factor in the EU adequacy decision.

Despite the majority of public responses to the consultation stressing the importance of the UK retaining its adequacy status with the EU, the DCMS statement does not address the UK’s need to engage with this delicate balancing act, or the risks associated with the UK veering too far from EU standards. It is no secret that there have been calls - particularly from Brexiteers within the Conservative Party - for the UK to lose its adequacy status entirely and instead pursue data-based trade deals with other states to complement trade agreements. Whilst the high-level detail of the reforms does not appear to take the UK further away from EU standards than other countries that are subject to EU adequacy decisions, the European Commission will no doubt scrutinise the details of the Bill and we can expect the UK’s adequacy decision to continue to be a political bargaining chip.

Finally, despite the Government’s promise to cut back on red tape, neither the DCMS consultation nor the latest announcement indicates changes that will materially reduce the compliance burden. In any event, many large businesses may be reluctant to revisit GDPR compliance frameworks that they already have in place and to have different processes and procedures in place for the UK compared to the EU.
