On 10 September, Oliver Dowden (then Digital Secretary) announced a public consultation on reforms to the UK’s data protection regime. The consultation follows the publication of the Government’s National Data Strategy (discussed in our previous post) and is being described as the first step towards realising the Government’s aim to secure a pro-growth and trusted data regime (Mission 2 of the National Data Strategy). The ultimate aim of the consultation is to create a more pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards.
The consultation seeks to present proposals that build on the existing UK GDPR regime rather than revolutionise it. In the paper, DCMS acknowledges that organisations have invested in understanding and implementing the current regime and indicates that organisations which are compliant with the current UK regime would remain largely compliant with the new regime, subject to a small number of new requirements.
The consultation focuses on 5 areas:
- reducing barriers to responsible innovation, for example by revisiting the use of legitimate interests, including in the context of AI, and clarifying the concept of anonymisation;
- reducing burdens on businesses and delivering better outcomes for people. This includes a proposal to rework the current accountability requirements, with the possible introduction of ‘privacy management programmes’ based on those in other jurisdictions (including Singapore) in place of some existing requirements such as mandatory DPIAs, DPOs and ROPAs. Other proposals include: an uplift in the threshold for data breaches to be reportable to the ICO, with a breach only being reportable where there is a ‘material risk’ to individuals (rather than ‘a risk’ currently); the introduction of a fee regime for individuals submitting data subject access requests (DSARs) and an associated ‘cost ceiling’ for organisations responding to DSARs; and amendments to the cookies and direct marketing rules (including bringing the ICO’s fining powers for direct marketing infringements under the PECR regime in line with those it has under the GDPR);
- boosting trade and reducing barriers to data flows. The section covers the UK’s strategy on adequacy for international transfers and puts forward proposals around the use of: alternative transfer mechanisms (including a new power for the Secretary of State/organisations to identify and create such mechanisms); codes and certifications; and derogations. Interestingly, some of DCMS’s proposals also overlap with the questions raised by the ICO in its consultation on international transfers. For example, DCMS proposes that where data received by an organisation in the UK is sent back to the original transferor, that transfer should be exempt from the international transfer regime (the ‘reverse transfer exemption’);
- delivering better public services. This section covers issues such as the processing of personal data in the context of public health and other emergencies, including how private companies interact with public authorities to share data. It also considers transparency requirements and the ‘substantial public interest’ grounds for processing personal data; and
- reforming the ICO so it can better achieve the above aims, for example by refocusing its statutory commitments away from handling a high volume of low-level complaints and towards addressing the most serious threats to public trust and inappropriate barriers to responsible data use.
The consultation is lengthy with a number of proposals, only a few of which are highlighted above. There will undoubtedly be others worthy of attention as the detail of the consultation paper is analysed and digested in the coming weeks.
Despite the number of proposals, DCMS indicates an expectation that it will be possible for the UK to retain its EU adequacy decision on the basis that “European data adequacy does not mean verbatim equivalence of laws”.
According to the consultation, the UK’s amended data protection regime is expected to have global influence with the UK planning to advocate for the principles underlying its reforms to be adopted in other jurisdictions.
The consultation closes on 19 November 2021.
“Data is one of the most important resources in the world and we want our laws to be based on common sense, not box-ticking. Now that we have left the EU, we have the freedom to create a new world-leading data regime that unleashes the power of data across the economy and society.”
Oliver Dowden (then Digital Secretary)