A long-awaited proposal for reform of the United Kingdom’s data protection legislation was released by the Department for Digital, Culture, Media and Sport (DCMS) on September 10, 2021, after months of anticipation. The consultation document contains a thorough and comprehensive set of proposed changes to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), which, taken together, may result in a significant overhaul of current standards in the UK. Following the United Kingdom’s withdrawal from the European Union at the beginning of this year, these proposals form part of a broader strategy to change existing laws in the country.
The following are ten of the most important ideas from the article, in no particular order:
Accountability and governance
Current accountability requirements would be significantly altered, with existing duties to conduct data protection impact assessments (DPIAs), keep records of processing, and designate a data protection officer all possibly being repealed, according to the DCMS.
Instead of these safeguards, a new obligation on controllers to adopt a risk-based “privacy management programme” (PMP) might be introduced. A PMP would essentially be a compliance governance framework, with the goal of introducing a more “holistic” and less prescriptive approach to accountability. According to the consultation paper, a PMP would need to include elements such as clearly defined roles and responsibilities for compliance, internal data protection policies, risk assessment tools (that take into account privacy risks across the organisation), and operational plans to periodically monitor, assess and revise the PMP.
Notification of a data breach
Because of concerns about the over-reporting of personal data breaches, the Department for Digital, Culture, Media and Sport (DCMS) is considering altering the criteria for when such breaches must be notified to the UK Information Commissioner’s Office (ICO).
Currently, controllers are required to inform the ICO of personal data breaches unless they believe the breach is unlikely to result in a risk to the rights and freedoms of data subjects. This threshold may be amended so that notification is not required for an incident that is not deemed to represent a significant risk to individuals.
Lawful bases for processing
Several changes may be made to the current rules governing the lawful bases for processing. The DCMS recommends that organisations be given clarity on when legitimate interests may be relied upon by adding a legislative list of particular use-cases where that basis will apply by default. Internal research and development, product safety and algorithmic bias monitoring are some examples of what may be included in this list. Controllers would no longer need to conduct a balancing test where the processing activity falls within this limited set of situations.
Among other things, the paper proposes the establishment of a new legal foundation for scientific research as well as an expansion or clarification of the situations in which the “strong public interest” exemption may be used for the processing of special category data.
International data transfer mechanisms
The DCMS wants to make the current rules governing personal data transfers from the United Kingdom to other countries more “proportionate, flexible, and interoperable.”
In addition to empowering organisations to develop and self-approve their own data transfer mechanisms (as opposed to relying on existing standards), the proposed changes could include allowing non-UK bodies to develop accredited international certification schemes that can be relied upon by UK companies to facilitate the free flow of data, among other things. It is possible that the Secretary of State will be given the authority to propose or approve additional alternative transfer mechanisms at any point in the future.
Adequacy decisions
The consultation document, consistent with DCMS’ previous statements on its intention to boost commerce via global data partnerships, sets out the goal of making the UK “the world’s most appealing data marketplace.” A more risk-based and proactive approach to issuing adequacy decisions, allowing the free flow of data to and from the relevant third countries, will most likely be the foundation for this shift in thinking.
Adequacy determinations may be made with regard to certain sectors or territories within a jurisdiction that provide adequate safeguards for personal data protection. They may also be included in international frameworks that have been agreed upon between the United Kingdom and a number of other nations.
Cookies
The consultation document lays out a number of possible options for changing the current cookie rules, the most significant being an examination of several approaches to removing cookie pop-up banners while still protecting the privacy of website visitors.
The removal of the need under PECR to seek prior permission for analytics cookies and similar technologies in cases where there is a minimal risk of damage to users may be a less ambitious option.
In addition, the DCMS recommends that the maximum penalties for PECR violations (which are presently set at £500,000) be aligned with the maximum fines for GDPR violations.
Artificial intelligence
In light of the increasing interest in regulating artificial intelligence and other algorithmic systems, the DCMS proposes a number of possible changes regarding the use of personal data in such systems.
In particular, the introduction of additional clarity on how the UK GDPR’s fairness obligation should apply to artificial intelligence (AI) and the potential enhancement of the explainability and accountability obligations that apply to controllers in connection with the use of “inferred data” when making automated decisions about individuals are among the initiatives being considered.
The paper examines both the possible removal and the potential extension of the requirements relating to solely automated decision-making under Article 22 of the UK GDPR. In the meantime, it argues for mandatory transparency reporting by public authorities and commercial government contractors where algorithms are used to assist decision-making.
Requests for access to personal data
Due to the substantial costs that organisations often incur in complying with the right of access, the DCMS has suggested re-introducing a modest fee that data subjects must pay before making a subject access request.
Besides that, organisations may be allowed to set a limit on the expenses they must spend in responding to data subject access requests (DSARs) and reject vexatious requests submitted by data subjects.
Anonymisation
The UK GDPR may be modified to incorporate a legislative test for what constitutes anonymisation under data protection legislation. This is intended to clear up uncertainty about the steps organisations must take in order to comply with the law.
The role of the UK ICO
The DCMS plans to take a more active approach to shaping the function and strategic vision of the UK ICO. According to the consultation paper, the government believes that the ICO is currently spending excessive resources on small-scale but high-volume complaints, and it wants the ICO to focus instead on the most serious threats to public trust.
Data subjects may be required to first attempt to resolve their concerns directly with the relevant controller before submitting a complaint to the ICO. To support this change, controllers may also be required to provide a straightforward and transparent complaints-handling procedure.
What happens next?
The government’s consultation on the proposals is currently underway and will run for ten weeks, with the deadline for submissions being November 19, 2021. This offers an unprecedented opportunity for organisations and individuals to influence the future data protection framework in the United Kingdom, which is also likely to affect how this area of law evolves internationally.