On 17 June 2022 the Department for Digital, Culture, Media & Sport (DCMS) published its response to its consultation "Data: a new direction" (the Data Reform Bill). In its response, the government confirmed its lofty ambition "to establish the UK as the most attractive global data marketplace" by "reduc[ing] the burden on businesses that impede the responsible use of personal data and to give individuals greater clarity over their rights and a clearer sense of how to determine access to and benefit from their own data". It is still too early to tell whether the government, through the Data Reform Bill, can walk the very fine line between maintaining EU data adequacy and delivering a Brexit dividend for data.
We have included some observations from the consultation response below. For a full breakdown of the response to the consultation please refer to the government’s website.
In the short term the government intends to remove the requirement for cookie banners to be displayed on websites directed at UK residents. Long term, the government’s intention is to move towards an “opt-out” regime for cookies.
An "opt-out" regime for cookies means that cookies will be set without seeking consent, but websites would need to give clear information on how users can opt out. This is a significant departure from the current trend that "it should be as easy to reject cookies as it is to accept them". By moving away from the "Reject All" button, which places power over personal data use in the hands of the individual, the government's "opt-out" regime shifts the power to businesses in response to criticisms that their "ability to collect potentially useful information, such as website traffic information and what pages they are looking at the most, is restricted by current strict rules on consent". This "opt-out" regime would not be introduced until the government is satisfied that effective browser-based or industry solutions exist to manage cookies and opt-out preferences. But such solutions have been tried before and were largely ineffective.
Extending the "soft opt-in"
The "soft opt-in" enables organisations to send emails and other electronic "direct marketing" messages to individuals who have previously been in contact with them during a sale or transaction. The “soft opt-in” is currently only available to commercial businesses. The government intends to extend this rule to other non-commercial organisations such as charities which may bring some needed relief as long as there is clarity on the specific types of non-commercial organisations that will be able to take advantage of the “soft opt-in” extension.
In an attempt to introduce a "more flexible" accountability framework, the government plans to remove certain parts of the UK GDPR and instead introduce a requirement for organisations to maintain a "Privacy Management Programme." Specifically, the following UK GDPR requirements would be removed:
- designation of a data protection officer under Articles 37 to 39 of the UK GDPR;
- data protection impact assessments under Article 35 of the UK GDPR; and
- maintenance of a record of processing activities under Article 30 of the UK GDPR.
Instead, the government proposes to replace these parts of the UK GDPR with complementary measures under the "Privacy Management Programme", such as:
- appointing a suitable senior individual to be responsible for the programme;
- ensuring organisations implement risk assessment tools which help assess, identify and mitigate risks; and
- a more flexible record keeping requirement.
The government's proposed changes raise several practical implementation questions. For example, if an organisation requires an independent DPO under the EU GDPR, but under the proposed Data Reform Bill such a role is not required and can be replaced by the manager of the "Privacy Management Programme", then many organisations may require multiple roles to ensure compliance with both EU and UK law, adding another level of complexity and potential overlap and duplication.
Data Subject Access Requests (DSARs)
The government intends to proceed with changing the current threshold for refusing or charging a reasonable fee for DSARs from "manifestly unfounded or excessive" to "vexatious or excessive". This will bring the requirements in line with the Freedom of Information regime. The proposal to introduce a nominal fee for subject access requests will not be implemented.
Cross-border data transfers
The government proposes a set of reforms to address the current uncertainty when transferring personal data across international borders. These reforms will include:
- Adopting a more flexible approach regarding adequacy by making future adequacy assessments based on risk and proportionality. Adequacy will also not need to be reviewed every four years but will be subject to ongoing monitoring.
- Adopting alternative transfer mechanisms – this will potentially fall under the remit of the DCMS Secretary of State.
These changes may be beneficial to an organisation that only transfers UK personal data, but an organisation that also transfers EU personal data will still need to follow the EU GDPR.
Increasing fines for Privacy and Electronic Communications Regulations (PECR) violations
The government also intends to align fines for breaches under the PECR with the GDPR. This means that fines for nuisance calls, texts and other serious data breaches under the PECR will increase from the current maximum of £500,000 to up to 4% of global turnover or £17.5m.
Risk-based approach to privacy
Current proposals in the Data Reform Bill around boosting trade and reducing barriers to data flows include a risk-based approach to adequacy and potentially allowing alternative transfer mechanisms such as data intermediaries.
In 2021, the UK was granted an adequacy decision by the European Commission, which only guarantees the free flow of personal data between the EU and UK until 27 June 2025. Adequacy depends on the UK continuing to provide an "essentially equivalent" level of data protection to that provided by the EU. The EU has already expressed its concern with UK divergence from the GDPR, and any changes will be scrutinised by the EU, raising questions as to whether the EU will allow its residents' personal data to flow freely into a country that adopts a "flexible, risk-based approach" to adequacy or that reduces "red tape" by essentially dispensing with the current accountability framework.
Reducing red tape
The government's proposed aim through this Bill is to "clampdown on bureaucracy, red tape and pointless paperwork." But these benefits may only accrue to companies that only carry out business involving UK personal data. Any wider benefit rests on the government's belief that it can convince Brussels that its proposed changes to the UK GDPR via the Data Reform Bill will meet the EU's "essentially equivalent" requirements, thus maintaining adequacy. Companies that transfer personal data across borders, that hold, control or process EU citizens' data, or that offer goods or services to data subjects in the EU will likely have to comply with two regimes – the new UK regime under the Data Reform Bill and also the GDPR.
The government's desire to move in a new direction regarding personal data raises many questions for companies with operations or aspirations beyond the UK. Will UK companies that have EU connections opt for the more lenient new UK regime but risk non-compliance with the GDPR, or will they (presumably) continue to comply with the GDPR, especially since they have probably already invested significantly in their organisation's GDPR compliance? How will the new UK regime affect UK companies that are already on their way towards GDPR compliance? Or will the government's efforts through the Data Reform Bill result in additional paperwork as companies figure out their privacy and data protection compliance framework?
For more information on the Data Reform Bill, GDPR or for any data protection and privacy queries, please contact Deloitte Legal or a member of the team.