Change is in the air for UK data protection law

This is the driver which will most probably result in the greatest change to organisations' compliance programmes, though the changes very much appear to address some common 'bug bears' that have emerged from the current regime. Proposals include:

• introducing a more flexible and risk based accountability programme. Examples include the removal of the mandatory requirement on some organisations to appoint a data protection officer, and permitting organisations to replace the carrying out of data privacy impact assessments, with other, more appropriate tools for mitigating risk. Privacy management programmes tailored to the extent and nature of data processing which an organisation carries out would also be permitted;
  
  
• the raising of the threshold at which a data breach becomes reportable to the ICO, so that breaches are only reportable if there is a 'material' risk to individuals, including production of further guidance as to what risks are considered to be 'non material';
  
  
• introduction of a fee regime for individuals submitting data subject access requests and a cost ceiling for organisations which have to respond;
  
  
• changes to the rules on the use of cookies and direct marketing, including allowing organisations to run analytics cookies and similar technology on websites without first obtaining the user's consent, and increasing the ICO's fining powers for breach of the Privacy and Electronic Communications Regulations to bring them in line with those under GDPR.

This is all about making it easier for organisations to transfer data internationally. The government plans to achieve this:  

• through international partnerships, for example, by addressing data flow issues in trade agreements (as was done in last December's UK-Japan Comprehensive Economic Partnership Agreement);
  
  
• through speeding up the process of making adequacy decisions in respect of third countries, and taking a pragmatic view about ensuring that equivalent standards of data protection are preserved in such countries. Please see our recent briefing for further details of DCMS' four step framework for granting adequacy decisions.

The consultation also considers greater use of alternative transfer mechanisms, certification schemes and derogations.

Innovative uses of personal data are seen as key for the development of cutting edge technologies. With this in mind the Government is keen to make it easier for organisations to use, share and re-use data for research and development purposes by providing them with more certainty about how and when they can use personal data. Proposed measures, including in relation to data used for AI purposes, address:

• clarifying the lawful ground on which personal data can be processed for the purpose of research. This includes creating a limited, exhaustive list of legitimate interests for which organisations can use personal data without having to apply the balancing test;
  
  
• making it easer to gain a wider, less specific level of consent from data subjects at the outset of data collection; the Government also proposes clarifying when data can be re-used for a different purpose to that which it was collected for;
  
  
• making the transparency requirements less onerous when it comes to using data obtained from a third party for research purposes.

The expansion of the substantial public interest health basis for lawful processing, to aid non public organisations which need to process data in an emergency, is considered in the consultation. Also, measures to encourage the responsible use of data in collaborations between the public and private sector.

This is partly in response to the Covid pandemic, which highlighted the value in the efficient sharing of data between the public and private sector for the purposes of research and development. 

Proposals have been laid out for reforming the ICO so that it operates in a way which is more aligned with other UK regulatory authorities. The Government also wants to free up the ICO to focus on more serious breaches of data protection law, and to take a more strategic approach towards encouraging responsible and innovative data use, including taking competition concerns into consideration. This builds on the collaboration with the CMA which was announced earlier this year. 

Meanwhile, this week, the ICO released its own response to the consultation. It welcomed many of the suggestions put forward by the DCMS, such as proposals to make it easier to use, share and re-purpose data for research purpose. However, it also cautioned, amongst other observations, against some of the suggestions to reduce the compliance burden on business – including:

• the revisions in approach to accountability (stressing the importance of retaining in law a requirement for accountability to be demonstrated), and the proposal to replace some accountability requirements with privacy management programmes, which it questioned the value of;
  
  
• the proposal to remove the requirement to conduct a data protection impact assessment (these are viewed by the ICO as invaluable for helping controllers to understand data protection issues quickly and efficiently); and
  
  
• the proposal to introduce a fee regime for data subject access requests (without further research to assess the benefit and risks of any changes to this right, given the effect that a fee regime would have on some individuals' ability to exercise their right to access their personal data).

The ICO also highlighted the importance of ensuring that as a regulatory body, it remained truly independent from the Government.