Series
Blogs
UK - Proposals to reform the GDPR are significant but not radical
UK - Proposals to reform the GDPR are significant but not radical
10 September 2021
Series
Blogs
10 September 2021
The UK Government has today released its proposals to reform UK data protection laws. Unsurprisingly, it seeks to deliver on its Brexit promises through deregulation, such as scrapping data protection officers, records of processing and data protection impact assessments.
However, it is less radical that it might have been and many of these obligations are replaced by a new, more flexible obligation to implement a “privacy risk programme”. More flexible, of course, means that the programme might be more burdensome in some situations. In addition, while the ancillary obligations in the UK GDPR will change, the core principles and definitions will not.
The key uncertainty is whether it will provoke the EU into revoking its adequacy finding for data transfers to the UK. There are good reasons to think this should not happen, but the loss of adequacy would have immediate and significant effects that might well outweigh the other benefits these reforms will deliver.
The Government’s proposals for reform are set out in its 146 page paper Data: A new direction. It provides a detailed and well-thought-out series of proposals for reform to UK data protection laws that raise valid questions about the cost and effectiveness of many aspects of the UK GDPR.
The answers to those questions, at least on the face of it, appear to be underpinned by the UK Government’s desire to deliver a Brexit dividend and remove unnecessary red tape for UK businesses. As a result, the UK Government proposes removing the obligation to:
Similarly, there are broader reforms to other aspects of UK data protection law, such as:
However, this is far from a bonfire of red tape. Rather it appears to replace the more rigid requirements of the UK GDPR with a more flexible obligation to implement a “privacy management programme”. This will require organisations to:
Given the Information Commissioner’s likely demanding expectations for such a programme (particularly given its recently released Accountability Framework) it is not immediately clear this is a less onerous framework, particularly for larger businesses. Many may retain their DPOs, DPIA processes etc. as the building blocks to deliver that new “privacy management programme”.
The UK Government is also proposing significant changes to better allow the use of data for innovation, particular for AI projects.
The centre piece of these particular reforms is to either remove, or more tightly limit, the restriction on automated decision making in Article 22 of the GDPR, which is thought to hold back the practical deployment of AI and its use in robo-decision making. The focus on automated decision making is interesting given Article 22 remains an enigma. While it is an interesting and potentially significant right, it does not seem to apply very frequently in practice and rarely seems to cause problems. Moreover, the UK will be swimming against the tide when both the EU and China are seeking to regulate this area, to protect consumers better.
There are a series of other broad reforms proposed in this area. For example:
Importantly, while these are significant and wide-ranging changes, the core principles in the GDPR are unaffected. There is no significant change to the data protection principles or lawful bases for processing (noting there are proposals to whitelist some processing under the legitimate interests conditions). Similarly, the key concepts such as that of personal data, and the distinction between processors and controllers remains.
As such this is more a case of incremental reform rather than a radical reinvention. For example, the UK Government might have considered if the processor-controller dichotomy is still fit for purpose or if unstructured electronic personal data ought to be subject to separate, less onerous regulation. Similarly, the Government does not appear to want to thin the current legislative thicket created by the UK GDPR and Data Protection Act 2018 by combing them into a single consolidated instrument.
However, given the last few years have been so tumultuous, many UK businesses may welcome the continuity and stability these proposals provide.
Finally, the proposals contain a range of proposals to change the powers of the Information Commissioner and the way her office operates. This includes:
One of the most significant implications of these new reforms is the impact on the EU’s finding that the UK has adequate data protection laws, thus enabling the free transfer of personal data from the EU to the UK. The EU’s adequacy finding includes an obligation on the EU Commission to monitor developments with UK data protection laws and, in any event, is only for a four-year period.
There are good arguments that these proposals should not affect the adequacy finding. As set out above, the changes will not necessarily result in a lessening of the protection of personal data, rather it means the process to ensure that protection is more flexible. However, this is ultimately a question for the EU Commission who will, no doubt, be scrutinising these proposals closely.