UK – Modest data protection reforms with a handful of big changes

The Department of Digital, Culture, Media and Sport has released details of its proposed reforms to UK data protection laws following last year’s consultation.

The proposals set out a series of sensible, if relatively limited, changes to the law (summarised here). While the effect of these changes will vary from entity to entity, only a handful are likely to be significant for most UK businesses.

Some may be disappointed by the lack of significant deregulation, but others will be pleased by the continuity and stability these changes provide. In particular, the changes are unlikely to disturb the EU’s finding that the UK has adequate data protection laws.

The path to reform

The starting point for these reforms is Brexit. Following the UK’s departure from the EU, the UK incorporated the GDPR into national law to create the UK GDPR. The UK GDPR was subject to minimal changes to make it “work” post-Brexit, such as removing the Information Commissioner’s participation in the European Data Protection Board. The substantive obligations under the law remained largely unchanged.

The UK Government was, however, keen, to take advantage of Brexit to shape its own regulatory framework for data. The Taskforce on Innovation, Growth and Regulatory Reform published a report in June 2021 suggesting the UK GDPR should be scrapped and replaced with a UK Framework of Citizen Data Rights, though that was predicated on some unconventional views about the operation of the current framework.

This was followed by a detailed paper – Data: A new direction – issued by the Department of Digital, Culture, Media and Sport in September 2021 (discussed here). That set out a very detailed and well-thought-out series of proposals for reform to UK data protection laws. Following an extensive consultation, with 2,924 responses and over 40 roundtables, the Government has now issued its response and proposals for reform.

Into the weeds of mainly modest reforms

The key point is that the UK GDPR emerges largely unscathed. There is very little change to any of the key concepts, data protection principles, legal basis or many of the other building blocks to the law.

While the Government’s proposals for reform are detailed and wide ranging, the effect is likely to be relatively modest. There are a number of reasons for this:

• Changes dropped: A number of proposed changes will not be taken forward. For example, the proposal to require a nominal fee (e.g. £10) to make a subject access request has been dropped, as has the proposed cost ceiling on the cost of responding to subject access requests. Given the burdensome nature of some subject access requests, this may be disappointing to some businesses.
• Changes watered down: Some changes have been kept but significantly watered down. For example, it was suggested that a number of processing operations would be “whitelisted” to automatically satisfy the legitimate interests legal basis (Art 6(1)(f)). While the Government has retained this concept, the list of “whitelisted” processing will be very limited initially, largely limited to reporting crime, safeguarding activity and similar public interests.
• Clarificatory changes: Many of the changes are simply clarificatory and should not make a substantive change to the law. For example, a number of changes will move provisions from the recitals of the GDPR into the operative provisions.
• Deferred: Finally, a number of changes have been deferred. The Government has proposed very radical changes to remove cookie banners by moving to an “opt-out model” for all cookies. However, this change will not take place until new technological solutions are in place to help people manage their cookie and opt-out preferences. This may not happen for some time.

The table here contains a detailed breakdown of these changes.

A handful of significant changes

This means that for most UK businesses there are only a handful of really significant changes. These include:

• Privacy management programmes: The accountability framework will be supplemented by an obligation to implement a “privacy management programme”. This is intended to be a flexible obligation that will reflect the sensitivity of the volume and sensitivity of personal data being processed. However, if the Information Commissioner’s excellent, but very broad, Accountability Framework is the benchmark against which these programmes will be measured, this could be a material additional regulatory burden.
• Removal of DPOs, DPIAs and RoPAs: This will be a significant change but given the expectation that the “privacy management programme” will include designating a “senior individual” to be responsible for data protection and maintaining a “personal data inventory” there may be little change for larger organisations.
• Cookies: The obligation to get consent to set cookies will be removed for a wide range of non-intrusive cookies, including analytics cookies and cookies set in compliance with an ICO-approved sector code or regulatory guidance. This is an interim measures pending the broader reform to the cookie rules discussed above.
• PECR enforcement powers: There will be significant uplift in the sanctions available to the Information Commissioner for breach of PECR. For example, fines will increase from £500,000 to the greater of £17.5m or 4% of annual turnover.
• Other enforcement powers: The Information Commissioner will also obtain other important new enforcement powers such as the ability to compel witnesses or commission “skilled persons” reports.
• Data transfers: There will also be greater scope to take a more risk-based approach both in terms of the assessment of the adequacy of third countries and the appropriateness of safeguards used in conjunction with the SCCs or IDTA. This is welcome given the current uncertainties around international transfers.
• ICO governance: The Information Commissioner will cease to operate as a corporate sole and instead will be run by a statutory board with a chair and chief executive. This is similar to the model used by other regulators and is long overdue given the way the previous model concentrated power into a single person.

Scoring the reforms – Why the lack of ambition?

The success of these reforms will be judged against three criteria. First, do they continue to deliver a high level of protection to UK citizens’ personal data? Secondly, is there a real benefit to UK businesses by removing excessive or inefficient regulation? Thirdly, will they preserve the EU’s finding that the UK’s data protection laws are adequate?

While the reforms score well on the first and third criteria, there is precious little by way of deregulation. The reforms will help clarify and streamline the law, and will remove some burdens, such as appointing DPOs, preparing DPIAs and maintaining RoPAs, but even these are largely replaced by equivalent obligations.

Why is this? Much of the answer comes from consultation responses. The vast majority of the respondents opposed any significant reforms to, or watering down of, the UK GDPR. Put differently, the rights in the UK GDPR are now so embedded there was little desire, even amongst some businesses, to move away from them.

Added to that is the fact that UK businesses that operate in the EU will have to continue to comply with the EU GDPR in any event, and more and more countries around the world are moving to a GDPR-style model. 

Having said that, it is disappointing not to see smarter reforms capable of balancing each of the criteria above. For example, the UK could have distinguished between structured or unstructured electronic data in relation to subject access requests (unstructured electronic data being inherently very burdensome to handle in response to a request) or could have trimmed off some of the UK’s “gold plating”, such as the obligation to prepare an appropriate policy when processing special category personal data.

Limited impact on UK adequacy

The elephant in the room is the risk the EU revokes its finding that the UK has adequate data protection laws. This could seriously disrupt data flows from the EU to the UK, which would lead to significant real-world effects.

The UK Government is very confident that these reforms will not endanger the UK’s adequacy status and, given their modest ambit, seems justified in its views.

However, the EU’s adequacy process is partly legal and partly political. From a legal perspective, it is possible a concerned EU citizen or body could bring a challenge in the CJEU. From a political perspective, the current standoff between the UK and the EU over Northern Ireland might escalate and push the EU Commission to re-scrutinise the UK’s data protection law. These reforms might provide the pretext for either challenge.

Finally, the end of the “Information Commissioner’s Office”?

The final reform is a surprise. The Department of Digital, Culture, Media and Sport has suggested that the “Information Commissioner’s Office” may no longer accurately reflect the organisation's functions and it is “considering options for a new name for the regulator”.

No alternatives are suggested. Perhaps “The Office of the Data Authority” or “OfData”? One assumes that this will not be put to the public, though “Data McDataface” would certainly suggest the UK is shaping its own regulatory framework post-Brexit.