UK data protection reform: a taste of what's ahead

These changes, set out in chapter 2 of the consultation, are likely to have the most practical impact on businesses:

• Changes to the Privacy and Electronic Communications Regulations 2003 (PECR):
  
  
  • in response to cookie pop-up "fatigue", the consent requirement for analytics cookies (audience measurement and detecting faults are mentioned) will be removed. Moreover, there will be a move in the longer term to opt-out consent for all cookies “once automated technology is widely available to help users manage online preferences”. The opt-out won’t apply to websites likely to be accessed by children, who will still need to provide opt-in consent;
    
    
  • in relation to direct marketing, there will be a duty for communications providers to report suspicious levels of traffic. Curbing nuisance calls is to be encouraged, but this measure does not appear consistent with reducing the regulatory burden on businesses;
    
    
  • enforcement will be brought in line with UK GDPR i.e. with maximum fines of higher of £17.5m and 4% of turnover. Businesses take note: PECR fines are currently much more common than fines under UK GDPR.
    
    
• "Privacy Management Programmes" (PMP) and a requirement to have a senior individual to oversee the PMP will replace Data Protection Impact Assessments, Data Protection Officers and records of processing activity. Intended to be a more risk-based and flexible approach to accountability, only time will tell if it actually results in a reduction of the burden on businesses. Will some businesses, particularly those also subject to EU GDPR, choose to subsume existing accountability mechanisms within a PMP? If so, not much will change - apart from the label.
  
  
• There will be no mandatory requirement to consult with the ICO in relation to high-risk processing - a requirement currently more honoured in the breach than in the observance - although it may be a mitigating factor in an enforcement action to have consulted.
  
  
• The threshold for refusing a Subject Access Request (SAR) will change from "manifestly unfounded or excessive" to "vexatious or excessive". It's questionable how many more requests will be filtered out by applying this new test, as it is still a high bar.

The UK Government aims to make it easier to transfer data internationally. Changes include:

• Facilitating a risk-based approach to adequacy decisions (including clarifying that administrative redress for data subjects is sufficient for international transfers, not just judicial redress) and removing the mandatory four year review of those decisions
  
  
• Introducing a power to create alternative transfer mechanisms (but not empowering organisations to devise their own).

The Government wants to make it easier and clearer for organisations to use and reuse data for research purposes. The changes in this area are mostly clarificatory, rather than significant changes of principle:

• Shifting concepts from recitals to operative provisions including providing a definition of "scientific research"
  
  
• Clarifying the standard of anonymisation. The precise approach isn't set out but the test will be relative to the means (for identification of the individual) available to the controller at the particular time
  
  
• Introducing a new condition to enable the processing of special category data for the purpose of monitoring and correcting bias in AI systems
  
  
• Providing a (now shorter) list of exceptions to the requirement to undertake a balancing test in relation to the "legitimate interests" lawful ground for processing e.g. preventing crime, reporting safeguarding issues, important reasons of public interest.

The changes proposed to the ICO (which may have a different name in future) are fairly extensive, aligning its structure more closely with other regulators such as the FCA and CMA and include:

• A new statutory framework: an overarching objective to uphold data rights and encourage trustworthy and responsible personal data use with subordinate duties, to take into account growth/innovation, competition law and public safety
  
  
• A new governance structure, with a chair and CEO
  
  
• Complaints will need to be raised first with data controllers before being lodged with the ICO and data controllers will need to have a transparent complaints procedure
  
  
• Power for the ICO to commission technical reports (at the data controller or processor's expense) and compel witnesses to interview, which could add to the cost of managing a data breach for example
  
  
• An increase, in certain circumstances, to the ICO's current 6 month deadline to issue penalty notices and a requirement for the ICO to be more transparent over time periods for each phase of an investigation
  
  
• An obligation on the ICO to consult with other regulators. 

Respondents expressed concern that the changes proposed in the consultation risked compromising the independence of the ICO. The ICO, John Edwards, has said, "I am pleased to see the government has taken our concerns about independence on board", but some question marks remain on this front. The DCMS still intends to require approval of codes of practice which entail complex or novel guidance and the ICO is to carry out its data protection functions under a statement of strategic priorities to be prepared by the DCMS (although the ICO won't be legally bound to act in accordance with this statement and it will still be subordinate to the ICO's primary objective and duties under the UK GDPR and the DPA 2018).

There has been much speculation about the impact that these reforms may have on the adequacy decision from which the UK benefits in respect of data transfers from the EU. It has been suggested¹ that the compliance cost to UK businesses of losing adequacy would easily wipe out the $1bn of savings over 10 years that the DCMS projects from deregulation as a result of these reforms. We're cautiously optimistic: the Government has taken a fairly conservative approach, none of these changes appears to fly in the face of EU GDPR and so it looks unlikely that these reforms alone will threaten the UK's adequacy status. That said, the devil will be in the detail and, besides, adequacy is not only about how closely UK and EU legislation are aligned but by factors such as the access that the national security agencies have to personal data, so the Government still needs to tread carefully.

¹  Research carried out by the New Economics Foundation think tank and UCL's European research hub