The UK government has published its response to the 2021 ‘Data: a new direction’ consultation (which we discussed in our September blog), outlining which of the consultation’s proposals will be included in the forthcoming Data Reform Bill. Some of the more controversial proposals look likely to be shelved or diluted, which will be a relief for organisations concerned that a significant departure from the EU GDPR would jeopardise the UK’s EU adequacy decision. However, other significant changes will be taken forward, with the UK aiming to “reshape its approach to regulation outside of the EU, and seize opportunities with its new regulatory freedoms”.
The key proposals for businesses that are likely to be retained in the Data Reform Bill (which is expected during this parliamentary term – before April 2023) include:
Changes to compliance programmes and processes
- the introduction of ‘privacy management programmes’ in place of the current GDPR accountability regime. This includes removing the mandatory requirements for data protection impact assessments (DPIAs) and records of processing activities (ROPAs), although organisations will still be required to identify and manage risks, and to document their processing, in a more tailored and proportionate way. The programmes should reflect the volume and sensitivity of the personal data being processed, with the UK government reasoning that this will give organisations, particularly SMEs, more flexibility in their approach to compliance. Helpfully, current accountability frameworks can be integrated into such programmes, meaning that “organisations that are currently compliant with the UK GDPR would not need to significantly change their approach to be compliant with the new requirements”.
- the removal of the mandatory requirement to appoint a data protection officer (DPO). Instead, organisations will be required to designate a ‘senior individual’ to be accountable for their privacy management programme.
- allowing organisations to refuse to answer, or to charge a reasonable fee for answering, ‘vexatious or excessive’ data subject access requests (DSARs), rather than applying the current ‘manifestly unfounded or excessive’ threshold. The UK government anticipates that this will make it easier for organisations to refuse requests that are clearly unreasonable, reducing the compliance burden on them.
- defining anonymisation under the UK GDPR to confirm that whether data is anonymous is a relative test, i.e. judged against the means reasonably available to the controller or processor to re-identify the data. This may help organisations share more data outside the scope of the UK GDPR regime.
- treating analytics cookies in the same way as ‘strictly necessary’ cookies, i.e. as no longer requiring user consent. Notably, the UK government has also indicated its ambition for further reform of the UK cookie regime towards an entirely ‘opt-out’ model as and when the necessary technology becomes available (e.g. via browser settings). We discussed the original consultation proposals on cookies in more detail in this blog last year.
Reforming (and renaming) the ICO
- bringing the direct marketing penalties and ICO enforcement powers under the Privacy and Electronic Communications Regulations (PECR) in line with those under the UK GDPR. Organisations carrying out direct marketing may need to reconsider their risk appetite in this area, as infringements could potentially incur fines at the UK GDPR maximum of £17.5m or 4% of annual worldwide turnover, whichever is higher.
- placing a new hierarchy of statutory obligations on the ICO, including an overriding objective to uphold data rights and encourage responsible data use, and new secondary duties to have regard to economic growth, innovation, competition and public safety. The ICO will also have to consider a set of statutory strategic priorities set by the UK government (and report against them annually). This may provide clearer insight into the operations of the regulator and a better idea of the enforcement action the ICO will prioritise.
- granting the ICO greater discretion to decide which complaints to investigate – including discretion not to investigate vexatious complaints and those where the individual has not complained to the organisation first.
- moving the ICO away from the corporation sole structure and introducing a statutory board with a chair and chief executive, which will bring the ICO in line with other UK regulators such as Ofcom and the FCA. The ICO will also be renamed, with the UK government currently considering options.
Separately from the response, the Department for Digital, Culture, Media and Sport (DCMS) and the Treasury have agreed that the ICO will receive a funding uplift by retaining some of the funds paid as civil monetary penalties (up to a maximum of £7.5m per financial year). This should help the ICO cope with the increased workload it may face if the Data Reform Bill progresses on the basis of the consultation response.
The UK government has also rejected some of the initial consultation proposals. Those that will not be progressed include:
- fees on individuals submitting DSARs and a cost-ceiling on DSARs for organisations.
- raising the data breach reporting threshold (since a higher threshold may lead to regulators missing systemic or industry-wide incidents).
- broad changes to the legitimate interests regime to ‘white list’ certain processing purposes (removing the balancing test), although changes in relation to very limited public interest purposes will proceed.
- the removal of the UK GDPR Article 22 safeguard relating to human review of automated decisions, with the UK government now promising to clarify the application of Article 22 in its future white paper on AI governance.
- the ability for organisations to design their own ‘adaptable transfer mechanism’ for international transfers, although the proposal for the Secretary of State to gain powers to recognise other alternative transfer mechanisms (e.g. other countries’ versions) will be progressed.
The consultation proposals had sparked some concern for the UK’s EU adequacy decision (including as a result of potential erosion of the ICO’s independence). However, the Commissioner has noted in his statement that he is “pleased to see the government has taken our concerns about independence on board” and the UK government has said it is confident that with this moderated set of proposals it can retain its EU adequacy decision. This will provide some comfort to UK businesses with operations across the EU as we await the publication of a Data Reform Bill.