On 10 September 2021, the Department for Digital, Culture, Media & Sport (the 'DCMS') announced that the Government has launched a public consultation on proposed reforms to data protection laws in the UK.
Motivations for the consultation
The DCMS and UK Government recognise that data protection reforms are in line with the Government’s aim of 'maintaining a pro-growth and trusted data regime', helping to achieve the Government’s 10 Tech Priorities.
When the United Kingdom left the EU, the EU’s General Data Protection Regulation ('GDPR') became embedded in UK law through amendments to the Data Protection Act 2018 and the passing of the Data Protection, Privacy Electronic Communications (Amendments etc) (EU Exit) Regulation. These laws mirrored GDPR into UK law and the European Commission ('EC') subsequently granted a data adequacy decision in respect of the UK which permits the continued free exchange of data between the UK and EU (please see our article here for further information on this).
The Government’s view is that reforms would eradicate and dissolve the complex and vague aspects of the current data protection regime. At present there appears to be a ‘one size fits all’ approach, which is placing a burden on start-ups and smaller organisations. Reforms could work to ease and displace this burden and allow smaller organisations to illustrate compliance in a different way. Breaking down disproportionate barriers and implementing new, welcome changes will drive economic growth and strengthen public trust in the use of data.
However, any significant movement away from the EU’s GDPR regime may imperil the UK’s adequacy decision and data flows with Europe, so any changes to the UK data protection regime will need to strike a balance between easing the compliance burden on businesses and ensuring that the UK continues to provide a legal standard of data protection that is essentially equivalent to that of EU GDPR.
Key changes proposed
The Government is proposing minor changes around the current UK General Data Protection Regulation ('UK GDPR'), for example the data processing principles, data rights for citizens and mechanisms for supervision and enforcement. DCMS is also welcoming views in relation to emerging policy areas such as the governance of AI technologies and other cutting-edge technologies.
The consultation focuses on 5 key areas:
1. Reducing barriers to responsible innovation
Data is a key factor and driving force of the modern-day UK economy. It is crucial that reforms are centred on its potential for linkage, re-use, active interpretation and application to build on an adaptable and dynamic set of data protection rules. Elements of the current law create barriers to responsible innovation and the reforms seek to provide greater clarity, which will result in reduced uncertainty and help to keep pace with the development of cutting-edge data-driven technology. Areas of interest include artificial intelligence, consolidating research practices, re-use of data, data minimisation and anonymisation.
2. Reducing burdens on businesses and delivering better outcomes for people
The current law is based on a prescriptive model encompassing various activities and controls which organisations must adhere to in order to be considered compliant. This has, in the Government’s view, created a ‘box-ticking’ and ‘one size fits all’ regime, which can potentially hinder innovation. The Government is looking to reform this area by incentivising organisations and equipping them with the tools necessary to focus on the right outcomes, and reduce any burdens. Bringing flexibility into the reforms will allow organisations to introduce innovative solutions which work for them, whilst achieving high outcomes for individuals. Proposals include reform of the accountability framework, removing existing requirements relating to the designation of a data protection officer, data protection impact assessments and other reporting requirements, as well as reforms to data subject access requests.
3. Boosting trade and reducing barriers to data flows
Data flows are critical to individuals and organisations, and facilitate the collection, sharing and processing of personal data on an international scale. It is no surprise that the Government is committed to working with international partners to eradicate unnecessary barriers to cross-border data flows, in line with the ambition for the UK to be a leader in digital trade and the world’s most attractive data marketplace. The Government hopes to achieve this by using the UK’s data adequacy framework more effectively and seeks views on alternative transfer mechanisms, certification schemes and derogations.
4. Delivering better public services
The Covid-19 pandemic has demonstrated the importance of using personal data responsibly and the value of collaboration between the public and private sector. It is recognised that there are currently issues relating to the collection, use and sharing of personal data especially in the context of public health and other emergency situations. The Government hopes to implement a fair, transparent and secure data ecosystem to address such issues, whilst ensuring a high level of public trust. The Government welcomes views on the extension of data sharing powers under the Digital Economy Act 2017, the interaction between private and public companies when sharing data, use of the ‘substantial public interest’ when processing data and mechanisms surrounding trust and transparency.
5. Reform of the Information Commissioner’s Office ('ICO')
The ICO is set to be reformed to mirror other UK regulators such as the Financial Conduct Authority and Competition and Markets Authority. As one of the UK’s most important regulators with a growing remit, the reforms will allow the regulator to be refocused away from handling voluminous low-level complaints and towards addressing more serious threats to public trust and inappropriate barriers to responsible data use. These reforms will ensure the ICO is well equipped to regulate effectively in an increasingly data-driven world.
Key points for organisations
The Government aims to use the evidence gained through the consultation responses to assess the case for legislative changes and help shape future reforms. It is estimated that the reform package will have a net direct benefit of £1.04 billion over 10 years.
Should some or all of the proposals set out in the consultation become law, organisations should keep in mind that ‘organisations that comply with the UK’s current regime should still be largely compliant with our future regime, except for only a small number of new requirements’.
A key reminder for individuals and organisations is that the protection of individuals’ personal data will continue to take priority, even in the new proposed regime. These proposed reforms will ensure individuals’ data is safe and secure.
Next steps
Interested parties are requested to submit responses no later than 19 November 2021, at which point the consultation will end. Responses can be submitted using any of the methods listed below:
- Visit DCMS’s online survey platform for online responses
- Email responses can be sent to DataReformConsultation@dcms.gov.uk
- Hard copy responses can be sent to: Domestic Data Protection team, DCMS, 100 Parliament Street, London, SW1A 2BQ
Further information can be found on the Government website here.
If you have any data protection or technology queries about this subject, please contact David Varney in our Data Protection team.
This article was drafted by David Varney and Jenika Pankhania.