On 10 September, the UK government launched a consultation on its proposals to reform UK data protection law. Its stated aim was to create “an adaptable and dynamic set of rules that are flexible enough to be interpreted quickly and clearly in order to fit the fast-changing world of data-driven technologies”. The consultation also included plans to revamp the role and structure of the UK data protection regulator, the Information Commissioner’s Office (“ICO”).
UK data protection legislation includes the Data Protection Act 2018 (“DPA 2018”) and the UK’s implementation of the EU’s General Data Protection Regulation (“GDPR”), which combine to form what we call the “UK GDPR”. The UK data protection landscape incorporates the Privacy and Electronic Communications Regulations 2003 (“PECR”) too, which governs electronic marketing, cookies and electronic communications.
UK organisations that operate in the EU or provide services to individuals in the EU are also still governed by the EU GDPR and the EU ePrivacy Directive (which is due to be updated soon).
In general, the reforms to the UK regime that have been proposed by the Department for Digital, Culture, Media and Sport (“DCMS”) suggest a relaxation of several areas of the UK GDPR to make it less prescriptive and ease the burden for organisations. The government needs to walk a fine line here: the UK must maintain a robust data protection regime, otherwise it risks losing EU equivalency. That could jeopardise its adequacy status and the free flow of data between the EU and the UK, which supports significant economic activity in the UK, the EU and beyond.
Before the government’s consultation closed on 19 November 2021, we reviewed the proposals in full and submitted detailed responses to the DCMS. We’ve summarised our key views below and we look forward to seeing the outcomes to the consultation.
1. Increased cost and compliance burden
We feel that many of the proposals would be a retrograde step and undermine data protection safeguards and the data protection legislation generally. They would also complicate compliance for UK organisations, particularly ones that operate as part of multinational groups of companies and supply chains, where diverging data protection compliance regimes would be a significant burden.
2. Independence of the ICO as a regulator
We are concerned that the proposals reduce the independence of the ICO as the UK’s data protection regulator. We believe that the ICO should continue to deploy its expertise independently of the government’s policies and political objectives. This would facilitate the proportionate protection of individuals’ data protection rights while offering clear guidance and support to organisations in recognition of the burden of compliance that they face.
3. Negative impact on EU adequacy decision
Many of the proposals relate to elements that are fundamental to the European Commission’s adequacy decision for transfers of personal data to the UK. The Commission based its decision on the assumption that there would be no material change to elements such as the accountability arrangements under the UK GDPR regime. If some of the proposals in the consultation document become law, there is a risk that the UK regime would be perceived as diverging from the EU regime. This would endanger the EU’s adequacy decision for the UK, which in turn could hinder the valuable free flow of personal data between the two economies.
4. Unclear benefit of the shift to a privacy management programme
At present, data protection impact assessments (“DPIAs”), records of processing activities (“ROPAs”) and the appointment of data protection officers (“DPOs”) are subject to specific requirements and are mandatory in some high-risk situations. These tools create a framework that organisations can use to build their data protection compliance measures. Removing the mandatory elements and replacing them with a vague privacy management programme will promote inconsistent – and probably lower-quality – outputs, increasing the risk to individuals’ data protection rights and escalating cost and confusion for organisations.
5. Improvement to cookie controls
Cookie banners have a high public profile, and there has been a fundamental undermining of the intended protection under PECR due to cookie banner fatigue. Therefore, we welcome the government’s attempts to improve cookie controls so that individuals have genuine control over how their data is used, while allowing cookies where they do not cause a material risk to data protection.
6. International data transfer mechanisms
We are delighted that the government is focusing on creating a flexible, useable international data transfer regime for the UK. We encouraged the DCMS to ensure that relevant reforms are implemented promptly as a priority. In this way, organisations can finally get on with establishing mechanisms that reflect the GDPR. Three years have already passed since it came into force, including nearly a year following Brexit.
What’s clear is that organisations can’t afford to take their foot off the pedal and ignore data protection compliance. It isn’t going away, and that shouldn’t be surprising in our data-driven world. If you’d like help with auditing or fine-tuning your own data protection compliance measures – whether you’re looking to update a customer-facing privacy notice, revise internal data protection policies and guidelines, sort out intra-group or supplier compliance, or manage international data transfers – please get in touch. We’d love to hear from you!