HomeInsightsGovernment publishes response to its consultation on reforms to UK’s data protection regime

Article by

The consultation, “Data: a new direction”, was published in September 2021. It received 2,924 responses from organisations representing a cross-section of the UK economy and society, including the Information Commissioner’s Office and overseas organisations.

The Government says that overall responses indicated support for its proposals in many areas, including:

  • changes to research provisions, especially the proposal to consolidate and bring together research-specific provisions, to create a statutory definition of “scientific research” and the changes proposed to notification requirements;
  • removal of consent requirements in relation to audience measurement cookies;
  • the principle of proportionality outlined in the reform agenda across adequacy and Alternative Transfer Mechanisms (ATMs);
  • reforming the ICO and emphasis on the importance of maintaining its regulatory independence;
  • standardising the terminology and definitions used across the data processing regimes;
  • increasing clarity and transparency of the existing rules on police collection, use and retention of data for biometrics, in order to improve transparency and public safety; and
  • extending powers under s 35 of the Digital Economy Act 2017 to include businesses, as this could be beneficial in terms of joined-up public services.

Potential concerns were raised about:

  • introducing a nominal fee for subject access requests;
  • whether the Government should have a role enabling the activity of responsible data intermediaries;
  • removing the need for data controllers to carry out the legitimate interests balancing test for specified activities if children’s data is involved;
  • removing the right to human review of automated decisions;
  • whether to exclude political parties and charities from rules on direct electronic marketing;
  • removing requirements for Data Protection Impact Assessments (DPIAs) and Data Protection Officers (DPOs); and
  • the potential impact of reforms on the ICO’s independence.

As well as this policy-specific feedback, several themes emerged consistently across all the chapters in the consultation:

  • respondents highlighted the importance of maintaining data subject rights;
  • respondents made clear the benefits they saw from the effective use of personal data that the reforms would deliver, while emphasising the need for this to be done responsibly; and
  • respondents raised the importance of data flows with the EU and expressed concern over how the reforms would affect this, in particular, with respect to the UK’s EU data adequacy decision.

As for what the Government intends to include in the Data Reforms Bill, below is a summary of some of the key points:

Reducing barriers to responsible innovation

  • Research purposes: the Government will create a statutory definition of “scientific research” and will use Recital 159 of the UK GDPR as the basis of the definition so that it remains broad; the Government will also add the definitions for “historic research” and “statistical purposes” to the legislation based on the existing recital language; the Government will take a more targeted approach to simplifying the legislation to consolidate research provisions by only moving certain sections of the legislation rather than creating an entire chapter as originally proposed; the Government will not take forward proposals that establish a new lawful basis for research;
  • Further processing/re-use of personal data: the Government will simplify and clarify the relevant legislation, e.g. on the distinctions between new processing and further processing;
  • Legitimate interests: the Government will create a limited, exhaustive list of legitimate interests for which organisations could use personal data without applying the balancing test and without unnecessary or inappropriate recourse to consent, but only in relation to an initially limited number of carefully defined processing activities; for those activities where the balancing test is removed, the Government will consider if any additional safeguards are needed for children’s data; for any processing activities not featured on the list, data controllers will still have to undertake the balancing test;
  • AI and machine learning: the Government will consider the role that fairness should play in wider AI governance as part of the White Paper on AI governance, but does not currently plan to legislate in this area; the Government plans to introduce a new condition to Schedule 1 of the Data Protection Act 2018 to enable the processing of sensitive personal data for the purpose of monitoring and correcting bias in AI systems; the new condition will be subject to appropriate safeguards, such as limitations on re-use and the implementation of security- and privacy-preserving measures when processing for this purpose; the limited, exhaustive list of legitimate interests (above) will not include bias monitoring and correction in AI systems; the Government will not pursue its proposal to remove Article 22 of the UK GDPR, which contains provisions on automated decision-making and profiling, but is considering how to amend the Article to clarify the circumstances in which it must apply; the Government will consider further the approach to explain-ability and intelligibility of AI-powered automated decision-making, including the role of data protection legislation within that, through the White Paper on AI governance;
  • Data minimisation and anonymisation: the Government will clarify in legislation when data is regarded as anonymous; the Government will engage with the ICO to ensure that the adoption of privacy-enhancing technology (PETs) is encouraged as part of organisations’ approach to privacy management; and
  • Innovative data sharing solutions: the Government will legislate to enable the development of Smart Data Schemes; the legislation will not preclude the possibility for a range of data intermediaries to offer services as data recipients under these schemes and will enable any associated risks with their potential participation to be appropriately managed through regulation.

Reducing burdens on businesses and delivering better outcomes for people

  • Reform of the accountability framework: most respondents disagreed that the current framework should feature fewer prescriptive requirements and be more risk-based; however, the government will proceed with its proposal;
  • Introduction of new privacy management programmes (PMPs): the Government will proceed with the requirement for organisations to implement PMPs, and the legislation will be designed in a way that addresses concerns raised;
  • Removal of data protection officers: despite most respondents disagreeing with the proposal, the Government plans to proceed with it, saying that appointing a “senior responsible individual” instead will shift the emphasis to ensure data protection is established at a senior level to embed an organisation-wide culture of data protection; most of the tasks of a data protection officer will become the ultimate responsibility of a designated senior individual to oversee as part of the PMP;
  • Removal of data protection impact assessments (DPIAs): despite most respondents disagreeing with the proposal, the Government plans to proceed with it because it believes that organisations will still be required to ensure that there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation; DPIAs will remain a valid way of achieving the new requirements;
  • Removal of the record of processing activities requirement: the Government will proceed with replacing the current requirement for record-keeping provisions with a more flexible record keeping requirement under the PMP; PMPs will still require organisations to document the purposes of processing, but in a way which is more tailored to the organisation;
  • Removal of requirement to consult ICO where high-risk data processing activity identified: the Government plans to proceed with this proposal and remove the mandatory requirement in favour of a voluntary mechanism;
  • Voluntary undertakings process: the Government will not pursue the proposal to introduce a new process, similar to Singapore’s Active Enforcement regime, whereby an organisation that has shown it has taken a proactive approach to accountability would be able to provide the ICO with a remedial action plan when they discover an infringement, provided the plan highlights the likely causes and steps to solve the problem;
  • Breach reporting requirements: the Government will not pursue legislative change so that only breaches that posed “material” risks to individuals would have to be reported, but will continue to work with the ICO to explore the feasibility of clearer guidance for organisations on breach reporting;
  • Subject access requests: the Government plans to proceed with changing the current threshold for refusing to respond to, or charging a reasonable fee for, a subject access request from “manifestly unfounded or excessive” to “vexatious or excessive”, which will bring it in line with the Freedom of Information regime; the Government does not intend to introduce a cost ceiling for subject access requests; it will not re-introduce a nominal fee for processing subject access requests;
  • Cookies under the Privacy and Electronic Communications Regulations 2003 (PECR): the Government will legislate to remove the need for websites to display cookie banners to UK residents; the Government will permit cookies (and similar technologies) to be placed on a user’s device without explicit consent for a small number of non-intrusive purposes; these changes will apply not only to websites but connected technology, including apps on smartphones, tablets, smart TVs or other connected devices; in the future, the Government intends to move to an opt-out model of consent for cookies placed by websites, but not in relation to websites likely to be accessed by children;
  • Direct marketing under PECR: the Government will extend the “soft opt-in” to non-commercial organisations;
  • Nuisance calls under PECR: the Government will proceed with proposals to allow the ICO to take enforcement action against organisations on the basis of the number of calls they generate (rather than on the number that are connected); it will also proceed with the proposal to require communications providers to inform the ICO of suspicious levels of traffic on their networks; the Government is not ruling out placing further requirements on telecoms companies to block a greater volume of nuisance calls at source, if necessary; and
  • Amending PECR to allow the ICO to levy fines of up to £17.5 million or 4% of turnover: the Government will proceed with this proposal.

Boosting trade and reducing barriers to data flows

  • Adequacy: the Government will take forward reforms that better enable the UK to approach adequacy assessments with a focus on risk-based decision-making and outcomes, and continuing to support the UK’s commitments relating to data flows; the reformed regime will retain the same broad standard that a country needs to meet in order to be found adequate, meaning individuals’ data will continue to be well protected by a regime that ensures high data protection standards; where countries meet those high data protection standards, the law will recognise that the DCMS Secretary of State may also consider the desirability of facilitating international data flows when making adequacy decisions; the reformed regime will recognise the contexts in which other countries operate, and take account of the different factors that play a part in protecting personal data; the Government will also proceed with relaxing the requirement to review adequacy regulations every four years and move to ongoing monitoring; the Government will also proceed with the proposal not to specify the form in which redress has to be provided by the other country;
  • Alternative transfer mechanisms: the Government will proceed with changes to reinforce the importance of proportionality when assessing risk for alternative transfer mechanisms; the Government will not pursue the proposal to allow organisations to create or identify their own transfer mechanisms; it will, however, proceed with plans to create a new power for the DCMS Secretary of State to formally recognise new alternative transfer mechanisms; and
  • Derogations: the Government will not proceed with establishing a proportionate increase in flexibility for the use of derogations by making explicit that repetitive use of derogations is permitted.

Delivering better public services

  • Digital Economy Act 2017: the Government will take forward the proposal to extend the public service delivery powers under s 35 of the 2017 Act to business undertakings, but the purpose will be to support personal data sharing within the public sector to improve public services, not to facilitate personal data sharing from the public to the private sector for other reasons;
  • Building trust and transparency: the Government will not take forward legislative change in relation to increasing transparency of the use of algorithmic tools for decision-making in the public sector due to the early stage of this work, but says that it remains strongly committed to algorithmic transparency and will continue to pilot and gather feedback on the standard and explore policy enforcement options in the future;
  • Processing in the substantial public interest: the Government proposed introducing a definition of “substantial public interest” in relation to processing sensitive personal data, but now does not believe a definition is needed or would add value; and
  • Public safety and national security: the Government will take forward its proposal to align key terms used across the UK GDPR, and Part 3 (Law enforcement processing) and Part 4 (Intelligence services processing) of the Data Protection Act 2018 to drive consistency.

Reform of the ICO

  • A new statutory framework for the ICO: the Government plans to proceed with the proposal to introduce a new statutory framework of objectives and duties, but with some changes to the original proposals; it will introduce a new overarching objective for the ICO and ensure that the ICO takes a proportionate, risk-based approach to its regulatory activities; it will also ensure that the ICO is required to consider impacts on competition, growth and innovation, as well as a duty to have regard to public safety; it will also proceed with the proposal to introduce a power for the DCMS Secretary of State to prepare a statement of strategic priorities (SSP) for the ICO to consider when discharging its data protection functions; the ICO will also be under a duty to co-operate with and consult other regulators; the Government will not continue with the proposal to include an international objective for the ICO to consider the Government’s wider international priorities when conducting its own international activities;
  • Governance model and leadership: the Government will proceed with moving away from the corporation sole structure of the ICO, introducing a statutory board with a chair and chief executive instead;
  • New reporting requirements: the Government will proceed with introducing legislative requirements for the ICO to report on its approach and performance;
  • Codes of practice and guidance: the Government will proceed with creating a statutory requirement for the ICO to undertake and publish impact assessments when developing codes of practice and guidance on complex or novel issues; the ICO will also be required to set up expert panels to review codes of practice or guidance on complex or novel issues during their development; it will also proceed with giving the DCMS Secretary of State power to approve codes of practice and complex or novel guidance;
  • Complaints: the Government will proceed with proposals to reform the complaints framework, requiring data controllers to consider and respond to data protection complaints lodged with them and giving the ICO the ability to use its discretion to decide when and how to investigate complaints; and
  • Enforcement powers: the ICO will be given powers to commission technical reports in respect of its investigations; the ICO will also be able to compel witnesses to interview and answer questions.

To access the Government’s response in full, click here.