The UK government published a consultation entitled “Data: a new direction” which revisits the UK data protection regime, and recently introduced to Parliament the new 192-page Data Protection and Digital Information Bill. This proposal aims to streamline administrative requirements and remove unnecessary barriers to the flow of data whilst retaining adequacy status with the EU’s data protection regime. The hope is it will make the UK a more appealing location for scientific research and businesses involved in data. This is in addition to the requirements that businesses have already made efforts to undertake for compliance with the UK and EU General Data Protection Regulation (GDPR).
The consultation asked for input on five key areas:
- Reducing barriers to responsible innovation
- Reducing burdens on businesses and delivering better outcomes for people
- Boosting trade and reducing barriers to data flows
- Delivering better public services
- Reform of the Information Commissioner's Office (ICO)
Scientific research – the government hopes to increase the UK’s standing as a science superpower and recognises that, for this to happen, it must facilitate researchers’ access to data. This comes in the form of a new statutory definition for “scientific research”, intended to provide clarity for researchers. The proposals will also reform the law to clarify how data may be processed for research purposes and the distinction between new processing and further processing. Any potential for confusion surrounding anonymised data will also be addressed – if a greater quantity of data becomes categorised as anonymous, this data may become available for research and analytics. The government plans to increase AI utilisation in sensitive data research (health, ethnicity, sexual orientation), to reduce bias in AI systems and datasets.
Burdens on business and better outcomes for people
Cookies opt-out – under the Privacy and Electronic Communications Regulations 2003 (PECR) it is currently a requirement for any electronic platform such as websites to alert them to cookies or similar tracking technology and offer the option to opt in to non-essential cookies. Under the proposals the intention would be to adopt an opt-out model for cookie consent which would allow cookies to be set without consent, provided that the website displays information on how to opt out for UK residents. This model would not be used on websites which are likely to be accessed by children. PECR enforcement fines will change to reflect the UK GDPR, with fines of up to the greater of £17.5m or 4% of turnover.
Accountability requirements will be reduced to avoid a disproportionate burden on some businesses, although most respondents argued that the current legislation is already sufficiently flexible. Some businesses will no longer need to appoint a data protection officer, undertake data protection impact assessments, or maintain records of processing activities. Businesses will instead have to comply with privacy management programmes, involving measures such as the appointment of a senior individual charged with oversight of data protection compliance, the implementation of risk assessment tools, and more flexible record keeping requirements.
Trade and data flows
The proposals include recognition of new alternative transfer mechanisms to countries which have not been granted adequacy status. These mechanisms would not require businesses to carry out a transfer impact assessment each time data is transferred, as is currently required by the UK GDPR. It acknowledges that the reforms in this area should not come at the cost of the UK losing its own adequacy status. The Secretary of State will no longer be required to review adequacy decisions every four years under the reforms.
Better public services
Data sharing powers under the Digital Economy Act 2017 will be extended to improve service delivery, while the Data Protection Act 2018 will be amended to include more effective public interest grounds for processing special category data. The proposals will clarify which lawful processing grounds a non-public body may rely on when providing services to a public authority to help deliver a public task. The government also intends to provide guidance on how the police may use biometric data.
Reform of the ICO
The complaints framework will be streamlined to prevent data subjects from lodging complaints with the ICO without first having attempted to resolve the matter with the data controller (which must implement a simple and transparent complaints handling process). A new framework will set out the ICO’s objectives and duties, with additional duties to have regard to “economic growth and innovation” and “competition issues”.
Given that businesses have already dedicated a serious amount of time and resource to adapting to the EU GDPR and the UK GDPR – which in a global world can mean, in effect, compliance with both regimes – it remains to be seen if these further proposals will be welcomed in practice.
Contact our data protection and cybersecurity team if you would like advice on any of the topics discussed here.