Following last year's consultation exercise, the UK Government has published details of its proposed reforms to UK data protection and ePrivacy laws. The reforms, which will be included in a Data Reform Bill later this year, will make a number of material changes to the law.

In this update, we summarise what is changing, what changes the Government is not taking forward and what these changes mean for businesses and other organisations that handle personal data.

Background to data reform

Following the UK's departure from the European Union, the UK is no longer subject to the EU GDPR and can therefore make changes to data protection and ePrivacy law.

The Government published its consultation paper in September 2021, setting out a number of proposed changes, under the title "Data: A New Direction". A number of the proposed reforms were quite detailed, whereas others were more exploratory, and sought views on whether these should be progressed.

The Government confirmed its intention to bring forward a Data Reform Bill in last month's Queen's Speech, though the briefing papers provided limited information on the proposed reforms.

The Government's response to the consultation indicates that respondents had a mixed response to the proposed reforms. While many changes were welcomed by respondents to the consultation as simplifying and clarifying data protection law, a number were opposed on the basis of cost, the impact on data subjects and concern over the status of the UK's adequacy decision from the EU.

The proposals are evolutionary, rather than a wholesale reform of data protection law. In particular, the Government does not plan to simplify UK GDPR and the DPA 2018 into a single text, though some provisions in the recitals will be incorporated into the operative text of UK GDPR. 

What changes will be introduced in the data reform bill?

The Government's consultation response states that it will take forward a number of changes to data protection law, including:

  • Accountability framework - the current accountability framework, including obligations in relation to record keeping, the appointment of data protection officers and data protection impact assessments, will be replaced by a requirement for organisations to have in place a privacy management programme.
  • International transfers - the law will expressly set out a risk based approach to assessing adequacy. However, it is unclear how risk can be assessed without knowing what data is being transferred and the identity of the recipient. The Secretary of State will also have flexibility to take into account whether the transfer is "desirable." In relation to IDTAs and other transfer mechanisms, the law will expressly emphasise proportionality and the assessment of risk, which is consistent with the ICO's draft guidance.
  • Legitimate interests - a number of processing activities relating to prevention of crime/safeguarding and matters of public interest will be "whitelisted" for the purposes of a legitimate interests assessment.
  • AI - there will be a new legal basis for using special category data for bias monitoring and correction.
  • Research - the law will be clarified, with a new definition of "scientific research" and clarification and simplification of the rules on further processing.
  • Data subject requests - the current "manifestly unfounded" threshold for refusing requests will be replaced with a "vexatious or excessive" test, to align it with freedom of information law.
  • Complaints - organisations will need to put in place a transparent complaints process, which data subjects must attempt to use before complaining to the ICO.
  • Public tasks - non-public sector bodies will be able to "borrow" a public authority's public task condition when helping to deliver a public task or function (including sharing personal data with that authority). However, it does not appear that this will extend to special category data.
  • Processing special category data - there will be some additions to the legal bases in Schedule 1 of the DPA 2018 on the basis of substantial public interest.
  • Alignment of Parts 3 and 4 of the DPA - key terms in Parts 3 and 4 of the DPA 2018 (dealing with processing for law enforcement and intelligence services purposes) will be aligned with UK GDPR.

It is also likely that the draft Bill will contain changes to the rules around data subject requests to address specific sectoral needs and the impact on SMEs. 

The Government is also planning to take forward a number of changes in relation to ePrivacy:

  • Cookies - despite opposition from respondents, the Government plans to move cookie consent to operate on an opt-out basis. However, this will not happen until an appropriate browser based solution is in place to enable users to select preferences. In the meantime, the requirement for consent will be removed for "non-intrusive" cookies. It is not yet clear what this may include beyond website analytics/audience measurement cookies.
  • Electronic marketing - charities, political parties and other non-commercial organisations will be able to benefit from the soft opt-in. This means that charities will be able to send communications to donors and supporters without needing prior consent.
  • PECR enforcement - the maximum fines under the Privacy and Electronic Communications Regulations will be brought into line with UK GDPR.

Finally, the Government is also going to take forward changes to the constitution, powers and functions of the Information Commissioner:

  • Status - the ICO will become a body corporate, similar to other regulators, with powers vested in that body rather than in the individual appointed as the Information Commissioner.
  • Objectives and governance - the ICO will be given new statutory objectives, a new governance model and annual reporting obligations, while respecting its independence.
  • Codes of Practice - the ICO will be required to set up expert panels to assist with developing codes of practice and guidance.
  • Approval processes - the Secretary of State will have the power to approve codes of practice and statutory guidance before they are laid before Parliament.
  • Complaints - the ICO will be able to set criteria for deciding not to investigate a complaint.
  • New name - the Government is considering renaming the ICO to better reflect its wider responsibilities.

The new accountability framework

A key part of the Government's proposals is the introduction of a new accountability model based on a requirement for organisations to have a privacy management programme. This is one of the most contentious areas of reform, and most respondents disagreed with the Government's proposed changes on the basis that the current law is sufficiently flexible.

The intention behind the new accountability framework is to provide more flexibility and enable organisations to take a risk based approach to managing data protection compliance. There will no longer be mandatory obligations in relation to record keeping, the requirement for certain organisations to appoint a data protection officer, or the need in certain circumstances to carry out a data protection impact assessment.

Instead, organisations will need to put in place a "privacy management programme", which is to be effective relative to the "volume and sensitivity of personal data involved."

While this sounds like a positive reform, it is arguably what already happens under the current law. For example, only certain organisations need to have a DPO, some organisations are exempt from the Article 30 record keeping obligations, and DPIAs are only necessary for high risk processing. However, many organisations use DPIAs and record keeping as a core part of their compliance framework.

The key elements of the privacy management programme will be:

  • Leadership and oversight - including an obligation to appoint a senior responsible individual (SRI) to ensure appropriate oversight and support for the programme, liaise with the ICO and data subjects, provide training and regularly audit the efficacy of the programme. While this will replace a number of functions currently carried out by the DPO, it is notable that the SRI will not need to be an expert in data protection law. It also appears that there will not be any obligation to avoid conflicts of interest.
  • Risk assessment - which is likely to involve organisations continuing to use DPIAs, even though the statutory requirement to carry them out is being removed
  • Policies and processes
  • Transparency
  • Training and awareness of staff
  • Monitoring
  • Evaluation and improvement

Further detail on the specific requirements will be set out in the Bill. It is unclear why the programme has been called a "privacy management programme", rather than a "data protection management programme", when data protection is the term used in both the DPA 2018 and UK GDPR.

What changes are not being progressed?

A number of proposed changes are not being taken forward following feedback during the consultation process. These include:

  • Abolishing the right under Article 22 of UK GDPR to human review of AI and other automated decision making
  • New rules in relation to the role of fairness in AI governance and AI explainability and intelligibility. These will instead be taken forward through the Government's AI workstream.
  • Proposals to reintroduce a fee for making a data subject access request
  • Removal of the application of the rules on international data transfers to "reverse transfers" (where personal data is sent back to the original transferor)
  • Creating a specific legal basis under Article 6 for research purposes

What is the impact of data reform on EU adequacy?

A key concern of many organisations was the potential impact that any divergence may have on the UK's adequacy decision from the European Union and whether UK law may no longer be essentially equivalent to EU data protection law. Loss of adequacy would affect UK businesses seeking to do business in the EU/EEA and multinational groups.

While the Government's proposals, if passed, will lead to divergence from GDPR and EU data protection law, many of the changes appear to be evolutionary rather than revolutionary.

That said, some of the proposed changes to UK law in relation to adequacy decisions in respect of third countries (in particular the explicit reference to risk based assessments and the discretion that the Secretary of State will have to consider the "desirability" of the proposed transfer) may cause concern in relation to the onward transfer of EU originating personal data. It remains to be seen what checks and balances are included in the draft Bill.

What about the proposed EU ePrivacy Regulation?

In January 2017, the European Commission published proposals for an ePrivacy Regulation to update the laws dealing with the use of tracking and cookies and electronic marketing, among other things. The text of the regulation has still not been agreed by the EU institutions.

However, it is notable that the Government's long term proposals in relation to cookies depend on workable browser/device based cookie controls, which in practice will likely require similar obligations to be imposed on browser and device manufacturers under the ePrivacy Regulation. Similarly, exempting analytics cookies from the need for prior consent mirrors the proposals in the draft ePrivacy Regulation, though it may be that UK reforms go further in adding other classes of cookies to the exempt list.

What is the practical effect of the data reform proposals?

A number of the proposed changes will be welcomed by organisations. These include some of the proposed simplification and clarification of existing laws, the formal adoption of a risk based approach to international transfers, together with improvements in relation to research activities and the extension of the soft opt-in to non-commercial bodies. There may also be some changes to reduce the burden on SMEs in relation to data subject requests.

For many organisations, however, the new accountability framework is unlikely to lead to them changing their compliance framework. Having spent time and money implementing that framework for GDPR, organisations are unlikely to want to re-invent those processes, particularly if they operate in multiple jurisdictions.

This is also the case for international transfers. If an organisation makes transfers that are subject to both UK and EU law then it will still need to follow the EU approach when assessing equivalence and the lawfulness of the proposed transfer.

While SMEs may in theory benefit from the supposed increased flexibility, in reality the lack of certainty is likely to mean greater cost, as they will need professional advice to determine what their privacy management programme should comprise.

What has the Information Commissioner's Office said about the proposed reforms?

The Information Commissioner has given his backing to the reforms, stating that he "share[s] and support[s] the ambition of [the] reforms."

Next steps

The next step is for the Government to publish its draft Bill. Given that the Government is still considering its position on a number of points, that is unlikely to be before the summer recess.

More information

You can read the Government's response to the consultation on the UK Government website.

If you would like to discuss any of the proposed changes or how they might impact on your organisation, please get in touch with Martin Sloan or Grant Campbell.