Following Brexit, the UK government announced its vision to develop a separate data regime from the EU data protection laws in its mission statement and consultation, which closes on 19 November 2021.
On 26 August 2021, the UK government published its mission statement entitled ‘International data transfers: building trust, delivering growth and firing up innovation’, containing its intentions to enter into adequacy agreements to facilitate the transfer of data between the UK and third countries.
The aim is to provide UK organisations with the most efficient way to transfer personal data without alternative mechanisms. The UK government identified ten priority countries for those deals – Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, the Republic of Korea, Singapore and the US.
Adequacy between two countries is not meant to undermine the level of protection under the UK General Data Protection Regulation (UK GDPR) when transferring personal data internationally. To determine whether a third country has the appropriate and equivalent level of security, the UK government will consider the overall effect of a third country’s data protection laws, implementation, enforcement and supervision. To assist organisations with the assessment, the government published:
- The Manual Template, containing questions to guide the collection of relevant information relating to a country’s data protection
- The Manual Guidance, to assist with the identification and recording of relevant information.
The adequacy decisions are subject to monitoring and under review every four years.
In addition, John Edward who has been nominated as the preferred candidate to be the UK’s next Information Commissioner, indicated the government’s intention to adopt a new direction to the data protection regime.
On 10 September 2021, the UK government published its consultation on proposals to reform the UK’s data protection regime. The consultation is focused on five objectives:
- Reducing barriers to responsible innovation – The aim of lowering barriers is to provide clarifications to help organisations establish the legal basis of processing in research, legitimate interests, AI and machine learning, data minimisation and anonymisation.
By simplifying the legislation concerning scientific research and AI systems, it will provide a more appropriate avenue for assessing fairness and outcomes. The UK government proposes creating an exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test, to give them more confidence to process personal data without unnecessary recourse to consent. While the balancing test may still apply for certain activities, the rationale behind such an approach is to create a better balance between protecting individuals and not impeding responsible data use in these specific circumstances.
- Reducing barriers on business and delivering better outcomes for people – Also known as the accountability framework. The proposal intends to provide a proportionate and flexible approach by replacing the existing requirements to designate a data protection officer, removing the requirement of a data protection impact assessment and the provisions under Article 36 of the UK GDPR for prior consultation with the Information Commissioner’s Office (ICO) for higher-risk processing. It also allows the organisations to provide the ICO with a remedial action plan and a more flexible record-keeping model set out in Article 30 of the UK GDPR. The threshold for reporting to the ICO will be whether the risk to the individuals is material instead of non-material risk.
The consultation paper recognises the needs of individual organisations and proposes, introducing a fee regime identical to that of the Freedom of Information Act 2000 for data subject access requests (DSAR), which will include a cost ceiling to address organisations’ capacity constraints. Additionally, the proposal includes amending the threshold for response to a DSAR, enabling organisations to refuse vexatious requests.
The UK government’s proposals also include recommendations to improve the Privacy and Electronic Communications Regulation 2003, which complements the UK GDPR and addresses privacy rights on, among other things, cookie policies. For instance, it is proposed that explicit consent will not be a requirement for using analytics cookies and storing or collecting information from a user’s device for another limited purpose, since such a requirement is not risk-based and tends to be interpreted very narrowly.
- Boosting trade and reducing barriers to data flows: The government is committed to reducing the obstacles organisations face when transferring personal data overseas. The goal is to explore a legislative change to ensure that alternative transfer mechanisms are available to UK organisations under the UK GDPR, which is transparent, flexible and provides personal data protection. Organisations will be allowed to create alternative transfer mechanisms in addition to the mechanisms listed under Article 46 of the UK GDPR, and derogations (under Article 49 of the UK GDPR) will continue to be permitted although it is proposed that there should be an increase in flexibility in use.
- Delivering better public services: The government proposes to amend the existing lawful bases for processing personal data for private organisations that help deliver public tasks provided for under Article 6 of the UK GDPR. The government proposes to clarify that private companies, organisations and individuals who have been asked to process personal data on behalf of a public body may rely on that body’s lawful ground for processing the data under Article 6(1)(e) of the UK GDPR and need not identify a separate lawful ground.
- Reform of the ICO: The government’s objective is for the ICO to be an agile and forward-looking regulator. To achieve this, the consultation paper recommends several changes, including a new information-sharing gateway, a transparent complaints-handling process, and introducing a threshold for data subjects to make complaints to the ICO by first attempting to resolve the complaints directly with the relevant data controller. Furthermore, new powers are introduced for the ICO to enable the commission of an independently produced technical report to inform investigations, to provide the ICO with discretion to decide not to investigate a complaint and thereby reduce the burden on the ICO.
The consultation is open until 19 November 2021.
Both papers are constructive and demonstrate the UK government’s intention for a new direction for data protection laws within the UK. Although there will be challenges ahead, with the European Commission making it clear that it will closely monitor the UK data protection laws and the practicality of the adequacy principle when an organisation is subject to both the UK and EU GDPRs, it is a delicate balancing act for the UK government, which seeks to maintain the privacy rights of individuals but to also encourage growth and innovation in the UK.
It is encouraging that the ICO welcomes the review of the UK data protection legal framework and regulatory regime. However, Information Commissioner Elizabeth Denham, in her response to the government’s consultation paper published on 7 October 2021, underlined that the “devil will be in the detail”. She emphasised the importance of maintaining rights for individuals, minimising burdens for business and safeguarding the ICO’s independence.
Contributed by Rosehana Amin and Genevieve Cripps, Clyde & Co