Government proposes to shake up data protection regime
On 17 June 2022 the Department for Digital, Culture, Media & Sport (“DCMS”) issued a press release announcing the new data laws that would take effect as a result of the planned Data Reform Bill (the “Bill”).
The proposals follow a formal consultation exercise, launched by the government in September 2021, and are described by the DCMS as changes which will ‘transform the UK’s data laws for the digital age and seize the benefits of Brexit’.
The proposed legislation aims, amongst other things, to reform the Information Commissioner’s Office (“ICO”), reduce barriers to innovation and boost trade by eliminating unnecessary obstacles to cross-border data flow. According to the DCMS, the reforms are predicted to deliver around £1 billion in business savings.
A short summary of the main reforms is set out below.
The data burden
The Bill seeks to ‘remove the UK GDPR’s prescriptive requirements’ and increase the flexibility of businesses in relation to how they manage data risks. One of the proposed methods for doing this is to remove the need for a Data Protection Officer for some small organisations.
Although organisations will still be required to have privacy management programmes and the same ‘high data protection standards’ will remain, the DCMS suggests that the additional flexibility organisations will have to meet these standards will result in a net saving of over £1 billion over 10 years.
Subject access requests can be a huge burden for businesses to deal with and the consultation considered options for making these more manageable. The proposals include a change to the threshold for dealing with requests so that any which are “vexatious or excessive” can be refused or a fee charged.
Cookie consents and nuisance calls
The Bill will also seek to increase the limit on monetary fines for nuisance calls and texts under the Privacy and Electronic Communications Regulations (“PECR”) to bring them in line with the current UK GDPR penalties. This would see an increase from the current maximum fine of £500,000 to up to £17.5 million or 4% of global turnover, whichever is greater.
Somewhat controversially, the Bill also seeks to water down the current ‘cookie consent’ regime under the UK GDPR. Rather than users being faced with a pop-up consent banner asking whether they ‘opt in’ to cookie usage or not, the new regime under the Bill would be based on an ‘opt-out’ model. It is suggested that users would generally be required to ‘opt out’ of cookie usage via their internet browser settings.
A modern ICO
The structure of the ICO will also be broadened to include a chair, chief executive, and a board under the Bill. The DCMS suggests that this broadening of the hierarchical structure will introduce a wider set of skills to support the decision-making process of the ICO’s work.
New strategic objectives will also be set for the ICO which will underpin the regulator’s responsibilities to the government and the public. Additionally, the ICO will be required to form a panel of experts in their respective field when it comes to developing new statutory guidance and codes, which will then need to be approved by the Secretary of State before being presented to Parliament.
The Bill also seeks to simplify the legal requirements of data usage for scientific research. The proposals will remove the need for data consents to be as detailed and clearly defined as they currently are under the data protection regime, broadening the scope of data that can be used for research purposes. The DCMS illustrates these amendments with the example of a person giving consent to ‘cancer research’ generally, rather than to a particular cancer research study.
Data and international trade
The DCMS has also suggested that the reforms will seek to facilitate the transfer of data overseas more freely by reducing burdens and providing clarity as to how and where data can be transferred.
The government is currently working on data adequacy deals with the USA, Australia, the Republic of Korea, and Singapore.
In summary, the Bill looks to introduce ambitious and widespread change to the current data protection regime under the UK GDPR and PECR. The overall impression from the proposals is that the prescriptive nature of the current data regime will be diluted to enable data to flow more freely, and that the legislative burden on businesses will be reduced.
Whilst the proposals may be a welcome reduction in paperwork for organisations, a close eye should be kept on how the proposals alter the balance of data flow versus data protection.