Data: A new direction? The ICO’s input regarding the future data protection reform
Posted on 21 Oct 2021
On 10 September 2021, the Department for Digital, Culture, Media & Sport (“DCMS”) launched a public consultation on reforms to the UK’s current data protection regime following the end of the Brexit transition period. The public consultation will close at 11.45pm on 19 November 2021 and can be accessed here. With this new data regime, the DCMS seeks to enhance competition and innovation in line with the principles laid out by the Government’s Mission 2 of the National Data Strategy: Securing a pro-growth and trusted data regime.
What are the aims of the DCMS public consultation notice?
The DCMS consultation launch has already garnered significant interest, giving members of the public the opportunity to reflect on the current and future UK data protection legal framework and regulatory regime. The reforms can be divided into five goals:
Reducing barriers to responsible innovation.
Feedback from various stakeholders has shown that the current law is unclear. The lack of explanatory case law and regulatory guidance, coupled with the uncertainty surrounding lawful grounds for processing personal data, has created an unnecessary burden for both consumers and organisations, and the law needs to be clarified.
Reducing regulatory burdens on businesses and delivering better outcomes for citizens.
In Chapter 2 of the proposal, the Government describes the current EU GDPR as a ‘box ticking’ regime, effectively criticising the current model. The Government’s proposal seeks to dissociate itself from a ‘one-size-fits-all approach,’ which in its opinion undermines innovation. To reduce burdens on organisations, one of the proposals seeks to introduce a fee regime for SARs (Subject Access Requests). It also proposes to remove the record-keeping requirement under Article 30 of the UK GDPR, the requirement for prior consultation with the ICO under Article 36(1)-(3), the requirement under Article 35 for organisations to conduct a data protection impact assessment and, finally, the current data protection officer requirements under Articles 37-39.
Boosting trade and reducing barriers to data flows.
The Government proposes to change its overall approach to adequacy assessments. It will introduce a risk-based and four-pronged assessment procedure whilst continuing to consider the principles laid down in the Human Rights Act 1998. It also proposes to amend and clarify how Alternative Transfer Mechanisms will work under the new regime and suggests giving the Secretary of State the power to create new Alternative Transfer Mechanisms.
The delivery of better public services.
In light of the global pandemic, the new regime will seek to reform the use of personal data if required for the greater good of the public (i.e. Track and Trace). The use of British public data in a non-intrusive fashion was seen as paramount to the country’s response to COVID-19. One approach advocated by the Government is to extend Article 6(1)(e) UK GDPR on Legitimate Grounds. As such, it is looking into defining the scope of when and how public and private bodies can use personal data when this is deemed to be for the greater good of public health and safety.
Reform of the ICO.
The current scope of the ICO’s mandate will be amended to reflect the new strategic objectives laid out by the Government. In addition to the introduction of a new statutory framework setting out the regulator’s objectives, the ICO will now also have to factor economic growth, innovation, and competition into its decision-making process.
The ICO’s stance on the DCMS’s new reforms: The devil is in the details
The Information Commissioner’s Office (ICO) published on 6 October 2021 a thorough expert advice report in their Response to DCMS Consultation.
Elizabeth Denham CBE, the outgoing UK Information Commissioner, reiterates that the ICO supports the Government’s aim to reduce unnecessary regulatory burdens on businesses, allowing further room for innovation. It is also the ICO’s view that upholding higher standards of data protection will automatically reduce barriers to innovation, while at the same time delivering better outcomes for people and boosting trade.
Yet Denham also reinforced that high data protection standards are ‘good for the public and good for business’ and urged the Government to reconsider several of its proposals. Most importantly, she points out that a more flexible and competitive regime cannot be implemented at the expense of the rights of individuals. The Government should bear in mind that public trust in data sharing, and people’s willingness to share their data with public and private bodies alike, rests on whether it is seen as being respectful of the rule of law. As with most regimes, democratic principles of transparency and due process, as well as a healthy system of checks and balances, should be the driving forces.
The ICO has also voiced concerns over the DCMS proposal to remove the balancing test for legitimate interest in some instances. This removal would include creating an exhaustive list of types of data processing activities where organisations do not need to use the balancing test before using personal data. Currently, this “balancing test” considers a wide variety of different contextual factors to determine the necessity of the use of this data. Whilst the ICO has stated that it appreciates the desire to provide greater clarity and certainty in this area, this standardising of the different legitimate interests would put the onus on the Government to be confident that it can draw up the list of legitimate interest uses of data that do not have a proportionate impact on people’s rights.
The ICO also urges the Government to reconsider its stance on Subject Access Requests and to maintain the requirement of prior consultation with the ICO on high-risk data processing issues. The ICO has also pointed out the lack of precision and detail in the proposals dealing with AI systems. Accordingly, the ICO commented on the Government’s proposal to remove the right to human review under Article 22 as ‘not being in the people’s interest and…likely to reduce trust in AI.’
Changes to the ICO’s structure: a warning from the current UK Information Commissioner.
Denham also voiced her concerns regarding the impact of the ICO’s future governance model on the regulator’s independence. Under Chapter 5 Para 380, the Government proposes to give ‘the Secretary of State a parallel provision that afforded to Houses of Parliament in Section 125(3) of the Data Protection Act 2018 in the approval of codes of practice, and complex and novel guidance.’ Suffice it to say that such a provision might indeed endanger the regulator’s independence. She urges the Government to reconsider these proposals so that the future ICO can hold the Government to account and that the regulator remains ‘strong, effective and independent.’
If the ICO is to be trusted by the public then it should be able to hold both Government and Public institutions to account and ‘it is vital its governance model preserves its independence and is workable, within the context of the framework set by parliament and with effective accountability.’ It remains to be seen how much of the ICO’s report the DCMS will consider.
Laven and GDPR
The GDPR has been in force since 2018 and aims to ensure that all firms processing personal data of EU individuals observe all six GDPR principles. Additionally, it requires that the same firms are able to demonstrate their compliance with the six principles through its accountability framework. Failure to either follow or demonstrate the following of the GDPR principles will bring heavy fines ranging between 2-4% of the annual turnover. We are here to help you satisfy both of these requirements.