The United Kingdom government is planning on changing the UK privacy/data protection regime, which consists of UK GDPR, PECR (E-Privacy rules) and the Data Protection Act 2018. This article briefly highlights the key points of proposed reform.
What’s this all about?
In May this year the UK government announced as part of its legislative proposals to come that the UK’s data protection regime will be reformed through a Data Reform Bill.
Last year, a UK government department, the Department for Digital, Culture, Media & Sport (DDCMS), undertook an official consultation exercise to look into various possible changes to make to the UK data protection regime (https://www.gov.uk/government/consultations/data-a-new-direction). The UK government’s official response to that consultation has now come out (in part) which is expected to form the main basis of proposed changes to the UK data protection regime.
What are the proposed changes?
Highlights of the UK government’s response to the consultation and its proposed changes to the UK data protection regime include the following:
- Legitimate interests – this is one of the lawful bases under UK GDPR for processing personal data. In effect it consists of a three-part test whereby data controllers must: identify a legitimate interest; demonstrate that the processing is necessary for the intended purpose and cannot be achieved through less intrusive means; and weigh up whether their interests in processing personal data outweigh the rights of data subjects (sometimes called the “balancing test”). The government proposes creating a limited, exhaustive list of legitimate interests for which organisations could use personal data without applying the balancing test and without unnecessary or inappropriate recourse to consent, in relation to an initially limited number of carefully defined processing activities, e.g. to prevent crime;
- Data Minimisation and Anonymisation – the government intends to clarify in the law: when a living individual is identifiable and therefore within scope of the law; that the test for identifiability is a relative one; and that the test should be based on the wording set out in the “Explanatory Report to the Council of Europe’s Convention 108+”. According to the government, this could be where a living individual is identifiable by the controller or processor by “reasonable means”, taking into account, among other things, the technology available at the time of the processing and technological developments. Or, according to the government, this could be where the controller or processor knows, or ought reasonably to know, that passing the data to another data controller or processor is likely to result in re-identification, taking account of the means available to that organisation. According to the government, by confirming this test for anonymous data as relative, and incorporating the wording from the explanatory report to Convention 108+ (which focuses on the means that are available to the controller at a particular time), the government intends to avoid setting an impossibly high standard for anonymisation;
- Privacy Management Programmes – the government proposes to introduce a more flexible accountability framework, underpinned by so-called risk-based “privacy management programmes”. According to the government, these would be designed in a way that addresses concerns raised about these in the DDCMS consultation, in particular about the time and resources that organisations have invested to establish policies and processes in order to comply with UK GDPR, and that any further regulatory changes would lead to further costs. Under the government proposal, organisations would have to implement a privacy management programme based on the level of processing activities and the volume and sensitivity of personal data they handle;
- Data Protection Officers (“DPOs”) – the government proposes removing the requirement to designate a DPO and replacing it with a requirement to appoint a suitable senior individual to be responsible for the privacy management programme and to ensure that data protection is established at a senior level so as to embed an organisation-wide culture of data protection. According to the government, the designated senior individual’s role will include: representing the organisation (or delegating a representative) to the ICO and data subjects; ensuring that appropriate oversight and support is in place for the programme and appointing appropriate personnel; providing tailored training to ensure staff understand the organisation’s policies; and regularly auditing the efficacy of the privacy management programme;
- Data Protection Impact Assessments (“DPIAs”) – the government proposes removing the requirement to undertake DPIAs. According to the government, under the new privacy management programme, organisations will still be required to identify and manage risks, but they will be granted greater flexibility as to how to meet these requirements. For example, although organisations will no longer be required to undertake DPIAs, they will be required to ensure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation. Also according to the government, organisations may wish to continue to use DPIAs but tailor them to their processing activities;
- Record of Processing Activities – the government proposes removing the current record-keeping requirements. According to the government, privacy management programmes will still require organisations to document the purposes of processing, but in a way which is more tailored to the organisation. Also according to the government, organisations will need to have personal data inventories as part of their privacy management programme which describe what personal data is held and where, why it has been collected and how sensitive it is, but they will not be required to do so in the way prescribed by Article 30 of UK GDPR;
- Breach Reporting Requirements – the government does not propose making any legislative changes in this area, but it will continue to work with the ICO to explore the feasibility of clearer guidance for organisations on breach reporting;
- Subject Access Requests (“SARs”) – the government proposes changing the current threshold for refusing or charging a reasonable fee for a SAR from “manifestly unfounded or excessive” to “vexatious or excessive”, which will bring it in line with the UK’s Freedom of Information regime. According to the government, it does not intend to introduce a cost ceiling for SARs, nor does it intend to re-introduce a nominal fee for processing SARs;
- Cookies – the government proposes to legislate to remove the need for websites to display cookie banners to UK residents. According to the government, in the immediate term, the government will permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, for a small number of other non-intrusive purposes. According to the government, these changes will apply not only to websites but connected technology, including apps on smartphones, tablets, smart TVs or other connected devices. The government says that in the future it intends to move to a so-called “opt-out” model of consent for cookies placed by websites. According to the government, in practice, this would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out. The government also says that it will work with industry and the regulator on browser-based and similar solutions that will help people manage their cookie and opt-out preferences. Further, the government says that it will take forward proposals that require websites to respect automated signals emitted by these technologies, and will move to an opt-out model of consent for cookies only when the government assesses these solutions are widely available for use;
- Direct Marketing – Currently, under PECR (E-Privacy rules), businesses can contact individuals with whom they have previously been in touch during a sale or transaction with further marketing material about similar or related products, provided that the individuals were given the opportunity to opt-out of such contact at the time they provided their details. This is known as the so-called “soft opt-in”, as it doesn’t require the customer’s explicit consent. The government proposes extending the soft opt-in to non-commercial organisations, but in parallel will take steps to make sure that appropriate safeguards are in place to protect individuals who do not wish to continue receiving communications;
- Regulatory enforcement of PECR (E-Privacy rules) – the government proposes amending PECR to allow the ICO to impose fines up to £17.5 million or 4% of a business’s global turnover, and to allow the ICO to be able to serve so-called “assessment notices” and carry out audits on organisations suspected of infringing PECR;
- International Data Transfers – the government proposes approaching so-called “Adequacy Decision” assessments with a focus on risk-based decision-making and outcomes. The government proposes creating a new power for it to formally recognise new alternative transfer mechanisms, allowing for the creation of new UK mechanisms for transferring data overseas or recognising in UK law other international data transfer mechanisms, if they achieve the outcomes required by UK law;
- The Information Commissioner’s Office – the government proposes a new statutory framework for the ICO’s objectives and duties. According to the government, in order to ensure clarity on how the objectives and duties are to operate alongside the ICO’s existing functions and tasks, the new framework will be designed in a way that ensures that the ICO will be able to uphold data subject rights and encourage trustworthy and responsible personal data use, while also having regard to growth and innovation, competition, and public safety. The government also proposes that the ICO moves away from the corporation sole structure and the government will introduce a statutory board with a chair and chief executive. The government is also considering options for a new name for the ICO. The government also proposes introducing legislative requirements for the ICO to report on its approach and performance. Further, the government proposes creating a more efficient and effective model that would require a complainant to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO, alongside a requirement on data controllers to have a simple and transparent complaints-handling process in place to deal with data subject complaints. The government also proposes changing the complaints process so that the ICO will have the ability to use its discretion to decide when and how to investigate complaints. According to the government, this will include clear discretion in legislation not to investigate certain types of data protection complaint, including vexatious complaints, and complaints where the complainant has not first attempted to resolve the issue with the relevant data controller – in turn, data controllers will be required to consider and respond to data protection complaints lodged with them. 
The government also proposes introducing a power for the ICO to compel witnesses to attend an interview and to compel the witness to answer questions.
In order to formally introduce its proposals, the UK government will need to introduce a Data Reform Bill in the current Parliament session – no indication has been given yet as to when that might be.
What are the takeaways?
Organisations should keep track of developments in order to be able to plan ahead for any changes that they may eventually need to make to their UK data protection compliance.
We have previously reported on plans to reform the UK data protection rules here: https://www.corderycompliance.com/ukgov-ukdpr/
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The UK government’s announcement about its proposal to reform UK data protection law can be found here: https://www.gov.uk/government/news/new-data-laws-to-boost-british-business-protect-consumers-and-seize-the-benefits-of-brexit.
The UK government’s response to organisations’ responses to the Department for Digital, Culture, Media & Sport consultation can be found here: https://www.gov.uk/government/consultations/data-a-new-direction/outcome/data-a-new-direction-government-response-to-consultation.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785