In September, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation on the future of UK Data Protection Law. The consultation document proposes a series of changes to the current legislation. This includes small clarifications and changes, aimed at resolving uncertainties within the UK GDPR, and bigger, more fundamental, reforms to the operation of current UK data protection regulation. All organisations that operate in the UK should follow this consultation process as the changes are likely to impact:
The consultation is open to all respondents until the 19th of November 2021. It asks for feedback on each of the proposed changes and encourages individuals to give their own views and experiences in relation to the current challenges organisations are facing and the possible solutions. In this blog, we highlight the five most important changes to UK data protection law that the consultation proposes and assess their potential level of impact.
1. Accountability
Perhaps the most drastic proposals contained within the consultation paper centre around accountability. The document proposes to reform several key aspects of the current accountability requirements, including: removing the requirements to appoint a Data Protection Officer (DPO), conduct Data Protection Impact Assessments (DPIAs), and maintain an Article 30 Records of Processing Activities (RoPA).
The consultation document’s departure from the current framework is, in our opinion, puzzling. It suggests that the current framework places a “disproportionate administrative burden” on organisations – yet in its place it proposes very similar obligations that merely provide a bit more flexibility. In reality, however, the proposed accountability amendments are likely to place additional burdens on many organisations, as any that come under the scope of the EU GDPR will be stuck between a rock and a hard place – trying to reconcile two sets of diverging rules that are set to align progressively less over time.
2. Data subject rights
The consultation seems to have taken a page out of the Freedom of Information Act 2000’s book by proposing the re-introduction of a fee for completing Data Subject Access Requests (DSARs). The FOIA provides that if an organisation responding to an FOI request will incur a cost over a set threshold (£450-600), it is allowed to charge a nominal fee for completion of the request, or reduce the scope of the request so as to limit the cost of responding.
By introducing a fee cap on DSARs, the proposal hopes to lower the threshold of what can be considered ‘manifestly unfounded’, in the hope that this will make it easier for organisations to justify refusing to deal with some excessive requests.
In addition, the ability to charge a fee for those requests that fall above the fee cap may dissuade individuals from submitting complex requests for malicious purposes, simply to cause disruption. However, because only a nominal fee may be charged, it will not dissuade many data subjects with genuine motives from submitting a request.
3. Data Transfers
The consultation proposes a number of reforms to change the UK’s international data transfer mechanisms. In terms of adequacy decisions, the consultation makes clear that it wants to progress “an ambitious programme of adequacy assessments”, taking a risk-based approach that will focus on actual material risks rather than academic or immaterial risks posed by the data protection regimes in other countries.
In terms of alternative transfer mechanisms, it aims to facilitate the use of certification schemes and codes of conduct, and to broaden the scope of the derogations presently enshrined in Article 49 UK GDPR. It also recommends that exporters should be able to make their own decisions on how best to protect personal data, including using contracts that have not been overseen by the ICO. All in all, the general theme is clear – restricted data transfers are about to get a whole lot easier.
4. E-privacy
The proposed changes to the Privacy and Electronic Communications Regulations (PECR) appear on first inspection to be minor in comparison to those proposed in other areas and are likely to be welcomed by organisations and individuals alike. The consultation calls for views on how organisations could comply with the UK GDPR’s principles of lawfulness, fairness and transparency without the use of cookie banners, and without seeking consent from users. In addition, it suggests the possibility of increasing the fines available for PECR breaches. This should serve as an indication that the DCMS are aware of the number of fines the Information Commissioner’s Office (ICO) has handed down due to nuisance calls and messages. These cases indicate a general disregard for the rules enshrined in PECR and the low deterrent value that the maximum £500,000 fine currently has.
5. Reform of the ICO
The consultation document suggests several changes to the UK’s data protection regulator, some of which will likely be welcomed, whilst others, not so much. On the one hand, the ICO will be given additional powers, including the ability to commission independent technical reports to help inform its investigations into regulated organisations; the power to compel witnesses to interview in the course of an investigation; and an extended deadline for issuing penalty notices, to enable a more thorough investigation. On the other hand, the proposed reforms give the DCMS more power over the ICO, enabling the Department to prepare a “statement of strategic priorities” that will inform how the ICO sets its own priorities. This latter reform has already received some backlash, with the outgoing Information Commissioner, Elizabeth Denham, raising her concerns over the proposal’s potential to erode the ICO’s independence.
How this all plays out? Only time will tell.
Conclusion
Overall, the proposals offered up in the DCMS’ consultation document are wide-ranging and potentially very significant. The clear running theme throughout is the intention to remove the perceived barriers to personal data processing that the UK GDPR presents. However, we harbour several concerns over how this may affect UK organisations, not least those that deal with EU data subjects and therefore answer to both the UK and EU data protection regimes. But perhaps our biggest concern lies in the fact that the degree of divergence from the EU GDPR proposed in the consultation document is so significant that, should all the proposed reforms be implemented fully, there appears little chance of the UK retaining its EU adequacy decision.
If you wish to take part in the consultation, and we encourage you to have your say, you have until the 19th of November 2021. You can find the consultation document here and the consultation questions here.