Back in November, we posted a blog discussing the UK’s Department for Digital, Culture, Media and Sport’s (DCMS) recently published consultation entitled “Data: a new direction”. The consultation asked for views from different types of stakeholders on the government’s proposals for reforming the UK’s data protection laws, now that the UK is no longer subject to EU law. The supposed goal? To provide clarity for data subjects, organisations, and the Information Commissioner’s Office (ICO); and to “establish the UK as the most attractive global data marketplace”.
Last week, the DCMS finally published its response to the consultation, providing insight into the feedback received from those who responded to the government’s call for views, and outlining its plan moving forward with regard to the proposals that have been abandoned, and those that will go ahead.
In our previous blog, we highlighted five different areas where the consultation proposed varying levels of change, and pondered the impact of the reforms and whether they would come to fruition.
Now, seven months later, we revisit these topics and give some analysis on where we stand now that the government has determined this “new direction”.
Despite the consultation response highlighting that the majority of respondents disagreed with the proposals to create a more flexible accountability framework, a more flexible accountability framework is what the UK shall be getting. In essence, this means replacing Data Protection Officers with a senior individual responsible for the organisation’s privacy management programme; swapping DPIAs for alternative risk assessments; and trading in RoPA requirements for other more flexible record keeping obligations.
Our previous blog highlighted the puzzling nature of the proposals, given the similarity between existing rules and what is being proposed and, unfortunately, we remain no less puzzled. The government’s consultation stresses in several ways how the proposals are similar to what already exists, just with added flexibility, but what this means in practice is yet to be seen.
One of perhaps the most controversial suggestions raised in the original consultation document was the re-introduction of a nominal fee for individuals submitting Data Subject Access Requests (DSARs). Unsurprisingly, this suggestion was largely disagreed with as an affront to individuals’ rights to their own data and, fortunately, the government confirmed that this would not be going ahead.
However, this area is not devoid of change, with the response confirming that the “manifestly unfounded or excessive” threshold for refusing a request will be reduced to “vexatious or excessive”. To our mind, this change of language is a positive thing, given the nebulous definition of “manifestly unfounded” that organisations are currently working under. We therefore hope that this will make it easier for organisations to identify scenarios in which they are justified in refusing a request and, in addition, ensure that genuine requests are dealt with thoroughly and appropriately.
In terms of the mechanisms available to facilitate cross-border transfers, the government has taken forward proposals to broaden the application of existing mechanisms, whilst also leaving room for the DCMS Secretary of State to create additional new ones.
Whilst we don’t know much about the possible new mechanisms, the message in relation to the existing ones is: proportionality and a risk-based approach. No examples are provided of what this actually means and how it will affect the application of the barely-3-months-old IDTA (the International Data Transfer Agreement, which came into force on 21 March 2022) and Addendum, so we will have to wait and see.
E-privacy
The biggest headlines largely centred around reforms to the Privacy and Electronic Communications Regulations (PECR), with the removal of cookie banner requirements and an intended future move to an opt-out rather than opt-in model of consent; a massive increase in fine levels (£17.4 million – up from just £500,000 – or 4% of global turnover); and increased powers of enforcement for the ICO.
The crackdown on PECR non-compliance will likely come as a welcome relief to many and, in our opinion, was long overdue; it is hoped that the increased fines will act as an effective deterrent to those nuisance callers. The new reforms on cookies, on the other hand, are much more ambiguous. Whilst the government emphasises that it will not move to an opt-out model until the technology that would allow preferences to be set at browser level is in place, no timeframe is given as to when this may occur.
Last but not least, the consultation response outlines plans to go ahead with significant reform of the ICO. Whilst in some ways it is gaining powers to compel witnesses; commission independent technical reports; and lay down higher fines for PECR breaches, it is also crucially losing some of its independence.
Interestingly, the reforms that related to the ICO being given prescribed objectives, duties and strategies by the government were all heavily disagreed with by respondents – clear evidence of the importance placed on the ICO being an independent voice. Those voices, however, unfortunately fell on deaf ears, with all three of those proposals coming to fruition.
Despite aiming to provide greater clarity to both organisations and businesses in relation to personal data processing, to us it seems that the consultation response is going to create more confusion for organisations than it removes.
On the one hand, for smaller organisations that operate exclusively in the UK market and are exclusively bound by UK law, the loosening of the rules will undoubtedly be a positive thing; these types of organisations typically don’t have a dedicated data protection resource, so these rules will likely mean individuals spend a few less hours on compliance and a few more on their actual job roles. However, even for these businesses, there is as yet no clear guidance on what is required under these more flexible rules and, until there is, uncertainty reigns.
On the other hand, for any organisation that is also bound by the EU GDPR with regard to at least some of its processing, the reforms are unlikely to result in much change to its data protection compliance practices. After all, it is challenging enough to manage one compliance framework, let alone two, even if the second one is more flexible in its requirements. Realistically, are organisations going to commit to maintaining two different RoPAs and impact assessment frameworks; two different websites with different cookie categorisations; both a DPO and a Privacy Programme Manager? We suspect not.
This is particularly so given that the UK has stated that organisations which are compliant with the existing UK GDPR (and therefore the EU GDPR) would “not need to significantly change their approach” to be considered compliant with the reformed UK law. What would need to change is as yet unknown. It is also worth noting that, despite the government being confident that these developments will not impact the UK’s adequacy decision from the EU, only time will tell whether that is actually the case.
It seems, then, that instead of creating clarity for businesses, the government’s response to the consultation has rather muddied the waters. And, until more guidance is published on what these changes will actually mean for businesses, it is likely to remain that way.
A final thought to add is that whilst this response speaks of rather significant regulatory change, it is likely only going to be realised many months, or even years from now once it has been enacted into law. Therefore, businesses should be mindful of the fact that, for the foreseeable future, the UK GDPR as it stands still applies and thus their compliance goals are still just as important as they always have been.
If any of the areas discussed in this blog affect your organisation, or you would like to find out more about our Data Protection Services, please do not hesitate to contact us by filling out the form below.