ICO International data transfer e1545063154669 1536x819 1

The UK is set to diverge from the GDPR

On 9 September 2020, the UK Department for Digital, Culture, Media & Sport (DCMS) published its National Data Strategy, which included: “responsible data” as a core pillar and an associated “securing a pro-growth and trusted data regime” priority mission. This included a June 2021 Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) proposal to: “replace the UK General Data Protection Regulation 2018 [GDPR] with a new, more proportionate, UK Framework of Citizen Data Rights to give people greater control of their data while allowing it to flow more freely and drive growth across healthcare, public services and the digital economy.” Subsequently, DCMS launched its public consultation on reforming UK data protection legislation. This “long read” article outlines the main aspects of the proposed changes, including changes to accountability, international transfers, cookies and other key areas.

Accountability and privacy management programmes

The Telegraph reported that the Secretary of State for DCMS, Oliver Dowden, was: “determined to move away from a ‘one size fits all model’” because: “we should not expect exactly the same from a small family run business as we do from a massive social media company.” The TIGRR more strongly asserted that the ”GDPR is prescriptive, and inflexible and particularly onerous for smaller companies and charities to operate.” The Telegraph also quoted the Secretary of State for DCMS referring to: “… an awful lot of unnecessary bureaucracy and box ticking.

The DCMS’ public consultation document proposes to:

  • require organisations to implement risk-based privacy management programmes tailored to their own processing activities;
  • remove requirements to designate a data protection officer, maintain records of processing activities or undertake data protection impact assessments (DPIAs) and associated prior consultation with the ICO for high risk processing;
  • change the threshold for reporting a personal data breach to the ICO so that organisations must report it unless the risk to individuals is not material; and
  • introduce voluntary undertakings to enable organisations to provide the ICO with a remedial action plan in the event of an infringement, which the ICO could authorise without taking any further action.

Cookies

In relation to Cookies, the TIGRR asserted that: “overemphasis on consent has led to people being bombarded with complex consent requests”. Similarly, The Telegraph reported that Dowden wished to: “do away with […] endless [and] pointless […] cookie banners” unless: “they pose a high risk to individuals’ privacy”.  It is important to note that the e-Privacy Directive (Directive 2002/58/EC), implemented in the UK as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), in fact introduced the requirement for cookie consent and uses the GDPR standard for consent. Enforcement of cookie consent is also an increasing priority for some European data protection authorities, notably the French Authority (CNIL) which imposed fines of €60m upon Google LLC and €40m upon Google Ireland Limited in 2020. Furthermore, on 7 September 2021, the ICO announced that it would call on fellow G7 data protection authorities to work together to overhaul cookie consent mechanisms.

The DCMS’ public consultation document proposes to:

  • consider alternatives such as browser technology to reduce cookie banners;
  • permit analytics cookies and similar technologies without the user’s consent; and
  • permit data collection or storage on or from the user’s device without their consent for other limited purposes, such as detecting technical faults or enabling the use of video or other enhanced functionality on websites.

Research and wider processing

The TIGRR proposal asserts that: “organisations generally [need] a person’s ‘consent’ to process their data. There are alternative ways to process data that do not require consent, but these are not well defined or understood, causing confusion amongst data processors and controllers.” Furthermore, The Telegraph reported that Dowden adjudged that reliance upon consent was impeding scientific research. The TIGRR echoed this, but also referred to difficulties in respect of legitimate interest and public task.

The DCMS’ public consultation document proposes to:

  • clarify definitions of anonymous data and scientific research;
  • create a new lawful basis for processing and consolidate provisions for research;
  • clarify that private bodies processing personal data on behalf of a public body, public and private bodies processing health data in relation to public health or other emergencies, and university researchers, may rely on public task as a lawful basis;
  • define and expand processing deemed to be in the “substantial public interest”;
  • clarify that consent is necessary for scientific research if the purpose of processing is unclear at the time of data collection, and that further processing for research has to be compatible with the original purpose and have a valid lawful basis;
  • exempt organisations which collect personal data directly from the data subject from providing further privacy information as to any further processing for research purposes where it would require a disproportionate effort to do so;
  • clarify that processing for an incompatible purpose may be permissible to safeguard public interest and when a second organisation can conduct further processing; and
  • create a limited, exhaustive list of legitimate interests for which organisations can use personal data without undertaking a legitimate interests assessment (LIA);

International transfers of personal data

The National Data Strategy included: “championing the international flow of data” as a priority mission. In the August 2021 Mission Statement published by Secretary of State for DCMS Dowden and Minister for Media and Data John Whittingdale, they maintain that international transfers of data:

  • drive international commerce, trade and development,
  • underpin innovation, research and development across multiple sectors (in particular, health),
  • support international cooperation (in particular, international trade, law enforcement, and national security), and
  • enable individuals to stay emotionally and socially connected.

The DCMS also announced that: “The Government believes it can unlock more trade and innovation by reducing unnecessary barriers and burdens on international data transfers, thereby opening up global markets to UK businesses.”

However, the Mission Statement underlined that: “The UK Government remains committed to high standards of data protection, not just in the UK but also to when that data is transferred overseas.” Furthermore, having left the EU, the UK now has the authority under Sections 17A and 74A of the UK Data Protection Act 2018 (DPA) to make its own “adequacy” decisions for third countries. The DCMS elaborated that the Government intended to: “… build on the [42] adequacy arrangements the UK already has in place” with third countries such as New Zealand, highlighting a desire for: “… data adequacy partnerships, with countries or sectors which have high data protection standards.” The Statement asserted that: “UK adequacy is the most efficient way to freely transfer personal data as it removes the need for UK organisations to use alternative transfer mechanisms, which can be costly.”

During March 2021, Minister Whittingdale outlined the Government’s intention to expand the list of third countries recognised as offering an adequate level of data protection. On 25 August 2021, The Telegraph quoted Secretary of State for DCMS’ view that the UK: “… can go much further and faster” than the EC in respect of adequacy decisions. On 26 August 2021, the DCMS announced that it would prioritise Australia, Colombia, Dubai, Republic of Korea, Singapore and the United States of America (US), as well as Brazil, Kenya, India and Indonesia, for adequacy decisions. The DCMS lauded what it perceived as a comprehensive and / or strong data protection framework in the first 5 and highlighted the value of trade with the first six of these 10 countries. In their Mission Statement, Secretary of State for DCMS and Minister Whittingdale estimated that: exports of “data enabled services” to the 10 prioritised third countries was: “already worth more than £80 billion.” The DCMS further estimated that: “£11 billion worth of [global] trade goes unrealised […] due to barriers associated with data transfers.”

The DCMS’ public consultation document proposes to:

  • require the ICO to deliver a more transparent and structured international strategy and to consider the Government’s wider international priorities;
  • exempt “reverse transfers” by a UK data importer back to an overseas data exporter, from the scope of the UK international transfer regime;
  • ensure that all current adequacy assessments remain valid and assessments are risk based, account for human rights and not necessarily subject to review every 4 years, increase the number of countries deemed “adequate” and consider adequacy assessments for groups of countries, regions and multilateral frameworks;
  • facilitate detailed and practical legislation for determining and addressing risks;
  • increase certification and the use of derogations as transfer mechanisms;
  • empower the Secretary of State for DCMS and organisations to recognise, create and / or identify new transfer mechanisms, with an emphasis on compatibility with other international transfer regimes, flexibility and proportionality; and
  • clarify that data subjects are entitled to administrative (e.g. ICO) or judicial (e.g. court) redress.

Intermediaries

The TIGRR recommended the creation of: “’Data Trusts’ or ‘Data Fiduciaries’…to whom consumers would delegate their data authorisations and negotiations.”

The DCMS’ public consultation document proposes to:

  • enable “data intermediaries” such as “data trusts” on behalf of data subjects and online platforms to access and advertise datasets.

Individual rights

In response to perceptions that Data Subject Access Requests create undue burden for organisations and are sometimes used by data subjects to disrupt internal operations, the DCMS’ public consultation document proposes to:

  • introduce a nominal fee (akin to the UK Data Protection Act 1998) and a cost limit (akin to the UK Freedom of Information Act 2000), and revise thresholds for “manifestly unfounded and excessive”, subject access requests.

Artificial intelligence

The final aspect of the proposed reform concerns artificial intelligence (AI). TIGRR asserted that successful AI projects are impeded by: “GDPR-related barriers” such as data minimisation and purpose limitation and recommended the replacement or removal of the right not to be subject to automated decision making, which is designed to prevent discrimination and errors. The Plan for Digital Regulation adopted a far more measured approach, referring to: “… the use of artificial intelligence to automate parts of the financial advice process …” as one of the: “… lively debates about the future of data protection in the UK …”

The DCMS’ public consultation document proposes to:

  • clarify whether data protection or other frameworks should address AI;
  • clarify that organisations can rely on legitimate interest as a lawful basis for bias monitoring, detection and correction in relation to AI without undertaking a LIA;
  • clarify that organisations can process special category and criminal conviction data for bias monitoring, detection and correction in relation to AI;
  • clarify fairness in the context of AI and introduce compulsory transparency reporting on the use of algorithms in decision making for public authorities, government departments and government contractors using public data;
  • amend or remove the right not to be subject to automated decision making;
  • streamline and clarify the police’s processing of biometric data; and
  • facilitate joint operational activity between law enforcement and national security.

Conclusion

While some of these changes will support the UK government to better “unlock the power of data” other changes to represent potential roll-backs of data subjects’ rights when their personal data is being processed. The proposed changes include significant adjustments of approaches in relation to accountability, research data, cookies, international transfers of personal data, data subject access rights and artificial intelligence. However, the free flow of data between the UK and Europe also depends on the UK’s ability to achieve the correct balance. For example, after these proposals were made public, the EC reiterated that: “In case of […] developments that negatively affect the level of protection, the [UK’’s] adequacy decision [which enables personal data to flow freely from the EU to the UK] can be suspended, terminated or amended at any time.” Organisations operating in the UK or transferring data between Europe and the UK will find that these proposed changes will have wide-ranging implications. Furthermore, these changes remain open for discussion and organisations processing personal data have an opportunity to respond to the proposals directly. As such, we recommend that organisations remain informed about the proposed UK reform and consider responding to the public consultation themselves.

Trilateral’s Data Protection and Cyber-Risk Team has significant experience advising organisations in regard to data protection compliance. For more information please feel free to contact our advisers, who would be more than happy to help.

Sanjay Patel

Sanjay Patel is Data Protection Advisor at Trilateral Research.

Rachel Finn

Rachel Finn is Senior Practice Manager at Trilateral Research.

Sign up for our newsletter

Join our mailing lists to receive updates about our latest research and to hear about our free public events and exhibitions.  If you would like to find out more about how we manage your personal information please see our privacy policy.