The UK government is currently considering proposals to reform the data protection regulations in the UK. Generally, there appears to be a move to a more practical and pragmatic privacy compliance system, allowing for businesses to operate more efficiently, while maintaining high standards of data protection when handling personal data. This divergence from EU laws will bring into question the UK’s current adequacy decision granted by the EU allowing data to be transferred freely between the EU and UK. However, encouragingly, the Information Commissioner does not seem too concerned about this (see below).
The key changes for organisations that have been proposed are as follows:
• International transfers: The Secretary of State will be able to create other transfer mechanisms allowing for the simpler flow of personal data between businesses based in different countries. The aim is for data exporters to be able to act “pragmatically and proportionally” when making data transfers.
• Legitimate interest clarification: A specific list of legitimate interests for processing personal data will be provided. Where processing falls within that list, a data controller will no longer have to weigh the benefits of the processing against the individual’s rights and freedoms, bringing clarity and enhancing efficiency.
• Data Protection Officer (DPO): A DPO will no longer be mandatory in certain circumstances. Instead, a senior member of staff should be appointed to oversee and manage data privacy.
• Data Protection Impact Assessment: Internal risk assessments will suffice instead.
• Record of Processing Activities (RoPA): A less onerous system of documenting processing purposes will replace this current admin-heavy requirement for a RoPA. Further, companies will not be mandated to consult the Information Commissioner’s Office (ICO) in relation to high-risk processing – it will become voluntary.
• Cookies: The requirement for cookie banners seeking consent from UK users for all but essential cookies will be removed, and other ways of requesting consent will apply instead, likely a less cumbersome ‘opt-out’ method. Consent for audience measurement cookies will additionally not be required.
• Anonymisation: Clarification about when personal data does in fact become anonymous will be given.
• Direct marketing exemption: The “soft opt-in” exemption for direct marketing will be extended to non-commercial organisations.
• Data Subject Access Requests (DSARs): Companies will be able to refuse to respond to DSARs if they are seen to be “vexatious or excessive” – a lower threshold than the current “manifestly unfounded or excessive”, hopefully preventing phishing exercises.
• Innovation through AI: Special category (or sensitive) personal data, including health data and biometrics, may be used for the purpose of monitoring, detection and correction in AI systems.
• Scientific research exemption: Various changes have been proposed in order to make utilising personal data for scientific research purposes simpler, including only requiring broad consent from the data subject rather than the current requirement for explicit consent and clarifying how data may be re-used in further processing activities.
• Blocking nuisance calls: The ICO must be notified by communications providers in the event of suspicious levels of network activity in an effort to prevent nuisance calls.
• Enforcement to focus on high-risk complaints: Regulatory enforcement to refocus on the most serious privacy threats rather than the high volume of less risky complaints.
• Complaints: Data controllers will be given the chance to resolve complaints before the data subject escalates a matter to the ICO, via a suitable complaints-handling system.
• Increasing fines: Fines for non-compliance with the Privacy and Electronic Communications Regulations (PECR) covering cookie use and direct marketing will increase from £500,000 to align with the UK GDPR, i.e. 4% of global annual turnover or £17.5 million. A hefty increase.
During the recent Data Protection Practitioners’ Conference, the UK Information Commissioner, John Edwards, was asked whether he was worried about the EU revoking its adequacy decision in relation to the UK, which currently allows for the free flow of information across UK and EU borders. His response was that he could “confidently say that personal data is as protected in Manchester as it is in Madrid and that sounds like adequacy to me”. A sure sign of his belief that the proposed changes will not impact trade with our closest neighbours, and a relief to businesses everywhere. Let’s hope the EU Commission agrees!
The above changes are likely to come into effect in 2023, so we would not recommend organisations make any drastic changes to current data protection practices at this stage. Of course, where businesses operate in territories other than just the UK, EU and other laws will still have to be complied with in any event, regardless of any changes that do come in within the UK.
For more information on the above proposed changes, how your business might be impacted and in relation to data protection alignment generally, please get in touch.
Madeleine Rhodes email: MRhodes@redfernlegal.com