The UK's latest plan to reform the data protection and privacy landscape arrived at the end of October in the form of the new "Data (Use and Access) Bill" (or the "Bill" as it will affectionately be called). The Bill, formerly known as the "Digital Information and Smart Data Bill" (in the King's Speech) and the "Data Protection and Digital Information Bill" (DPDI) before that, is Labour's first bite at the cherry since the Conservatives' proposal fell away pre-election.
The Bill is not an all-singing, all-dancing reform of UK data protection law (not that anyone was expecting that). Whilst some proposals impose greater burdens on controllers (such as the more robust sanctions regime for direct-marketing and cookies), others require relatively minor adjustments to their compliance programmes. As for the potential for the Bill to ease the compliance burden, it remains to be seen whether the UK will, in fact, become a hotly anticipated sandbox for innovation in practice.
However, at first glance you would be forgiven for having a feeling of déjà vu. The Bill bears a striking resemblance in parts to the Conservatives' incarnation before it, retaining perhaps more of the DPDI than some may have expected. The UK's so-called "reform" appears to be more of an evolution than a revolution.
In this article we step through in a bit more detail some of the proposed changes and what this might mean in practice for organisations in the UK.
Re-plastering the "red tape": Accountability and governance proposals dropped
That said, a number of the DPDI proposals have fallen by the wayside, particularly those provisions around accountability and governance that were originally intended to streamline compliance with the UK GDPR for organisations. For example, gone are proposals to: replace DPOs with a "senior responsible individual"; exempt controllers and processors from maintaining records of processing activities unless the controller is carrying out high-risk processing activities; scrap the requirement for overseas data controllers subject to the UK GDPR to appoint a UK-based representative; and replace the requirement to conduct data protection impact assessments with the less prescriptive "assessment of high-risk processing".
The "clarification" to the definition of "personal data" (through a personal data "test") has been reverted to the EU GDPR position. So too has the introduction of the "vexatious or excessive" threshold (instead of "manifestly unfounded or excessive") for a controller to reject data subject access requests, which was more than just a cosmetic change.
It seems likely that the Government had one eye on the European Commission's upcoming review of the UK's adequacy status next summer when deciding which proposals to retain or drop.
AI "de-regulation" continues
Against the backdrop of the UK's pro-innovation, light touch, principles-based approach to the regulation of AI and in an era of AI hype, the Bill appears to be trying to find a 'happy medium' approach to automated decision-making ("ADM").
The proposals in the Bill seek to amend, and arguably relax, the rules which already apply to ADM under Article 22 of the UK GDPR; they reframe the existing requirements as a right to certain specific safeguards, rather than a general prohibition on the use of ADM, allowing use of ADM as long as those safeguards are implemented. Except where ADM involves special category personal data (in relation to which tighter restrictions remain, albeit not as restrictive as is currently the case), this allows organisations to rely on wide-ranging lawful bases for data processing under Article 6, UK GDPR – effectively lowering the bar which they are required to meet to legitimise their data processing activities. For further details refer to our article on the topic here.
It remains to be seen whether this is an attempt at a compromise that will please everyone or no one.
Scientific research remains at the fore
Perhaps on a similar theme, and as with its predecessor, the Bill looks to help researchers make "more life enhancing discoveries" in a number of ways. This includes through greater clarity around the definition of "scientific research" (explicitly including both commercial and non-commercial activities), which enables more certainty for organisations wanting to benefit from the existing exemption to disapply certain provisions of the UK GDPR for scientific research purposes. This sits alongside changes to the definition of consent, so that any further research purpose is always compatible with the processing, providing certain safeguards have been implemented.
Legitimate interests recognised with a public sector focus…
In another case of déjà vu from the DPDI, Schedule 1 of the Bill sets out a list of "recognised legitimate interests" where the usual balancing test does not need to be undertaken. The list reads as an uncontroversial set of circumstances in which processing personal data is essential (e.g. in the context of safeguarding national security and preventing crime). Processing for the purpose of democratic engagement is the only scenario that has been dropped in this latest iteration. Given the slightly "niche" nature of the items on the list, the intended compliance easing seems to be aimed more at public sector authorities – for now at least – with the explanatory notes making it clear that the Government is keen to encourage personal data processing and sharing "for important public interest scenarios".
… alongside flexibility for change
As with other proposals under the UK data protection reform, flexibility is built into the list of recognised legitimate interests, giving the Secretary of State power to amend certain aspects directly and to set out variations through secondary legislation. This is despite the House of Lords Delegated Powers and Regulatory Reform Committee recommending that this power be removed from the DPDI, which is the likely reason the Government has added further criteria to be considered when adding processing activities to the list this time round.
The Bill restates other similar powers of variation around, for example, what amounts to a "significant decision" or "meaningful human involvement" for the purpose of Article 22, and the current exemptions set out in Schedule 1 of the DPA 2018. The Bill also requires data controllers to have a complaints procedure for data subjects, and gives the Secretary of State power to make regulations requiring controllers to notify the Information Commissioner of how many complaints they have received.
In a significant new addition in this regard, the Bill also empowers the Government to add new special categories of personal data (to the current exhaustive list at Article 9(1), UK GDPR), tailor the conditions that apply to their use and add new definitions, if necessary. This is to enable the Government to "rapidly respond to future technological and societal developments", including recent calls from the Regulatory Horizons Council to add "neurodata" to the list. This power does, however, require consultation with the Information Commissioner.
Spotlight on direct marketing and the higher stakes
The new Bill also sets out examples of "processing that is necessary for the purposes of a legitimate interest" (and in relation to which the balancing test will still need to be undertaken). Again, the list mirrors its predecessor and includes processing necessary for the purposes of direct marketing, intragroup transmission of personal data for internal administrative purposes and ensuring the security of network and information systems. The inclusion of "direct marketing" in this list has (again) not been accompanied by a consequential change to PECR, meaning that all of the rules that currently apply to electronic marketing under PECR, including the obligation to obtain consent or rely on soft opt-in consent for email marketing, will still apply.
Communications service providers and network providers can breathe a sigh of relief, as the Bill rejects previous proposals requiring them to report suspicious activity relating to unlawful direct marketing to the Information Commissioner. However, the Bill also rejects plans to expand the "soft opt-in" to organisations with charitable, political or non-commercial objectives when sending electronic marketing communications for the purpose of furthering their objectives (so it remains a benefit afforded only to commercial organisations).
However, the Bill does retain the Conservatives' plan to significantly increase sanctions for non-compliance with PECR, so that they align with the heftier financial penalties introduced by the UK GDPR; this is something that the (now stalled) ePrivacy Regulation also tried to address in the EU. It is a wake-up call for those currently relying on a risk-based approach to direct marketing (plus the use of cookies and the like): the stakes are going to be considerably higher.
Cookie consent does not crumble
Speaking of PECR, of course cookies feature in the proposals. The new Bill revives the previous proposals to waive the cookie consent requirement for first party analytics cookies (for statistical purposes and website appearance analytics), as well as strictly necessary cookies.
However, for anyone hoping this may mean the end of cookie banners on websites, unfortunately organisations will still be required to get user consent to cookies used for other purposes such as advertising. Whilst the Secretary of State has powers to bring in other circumstances where cookies might be used without consent (and a related consultation is expected in due course), the "Accept All" and "Reject All" buttons are here to stay!
Mirroring the DPDI, the Bill also refers to the scope of the cookie consent requirement including "instigating" the storage or access to data – a potential expansion of the requirement through the supply chain.
Codifying existing principles
Some elements of the Bill do little more than codify existing principles of good practice, as was the case under the DPDI.
On the subject of DSARs, the Bill clarifies the time limits associated with exercising data subject rights (particularly where the data subject's original request does not identify the data subject) and, in doing so, builds on the right to "stop the clock" under current ICO guidance. The Bill also makes clear that the controller need only conduct a "reasonable and proportionate" search in response to a request for information and personal data (echoing both the principle established in domestic case law and the related ICO guidance).
In a similar vein, the proposals also relax the personal data breach notification requirements placed on public electronic communications services under PECR (e.g. telecoms providers and ISPs), from "no later than 24 hours" of becoming aware of the breach to "without undue delay and, where feasible, not later than 72 hours". This aligns with both the ICO's more relaxed approach to enforcing the timeframe, articulated in its February 2023 statement, and the deadline under the parallel notification regime under the UK GDPR.
Easing the international data transfer challenge?
Eyeing up the lucrative prize of international trade for digitised services, the Bill impact assessment touts cross-border data transfers as a "key facilitator" of international trade - with SCCs acting as a non-tariff barrier between the UK and the rest of the world. Moving to a "pragmatic" transfer system via data adequacy regulations and alternative transfer mechanisms is estimated to have "an annual benefit of between £159 million and £316 million".
It is therefore unsurprising that Labour's proposals reiterate changes to the rules on international data transfers, including the ability for the Secretary of State to approve third countries, alongside a data protection test requiring a "not materially lower" standard of data protection in the recipient country before personal data transfers across borders are permitted. Given the ever-increasing complexity around international data transfers, it will be interesting to see how these transfer-easing, UK-centric powers play out in practice.
A makeover for the ICO
Labour's proposal carries across most of the ICO overhaul from the previous Government: a new name, structure, responsibilities and enforcement powers. The Government has said these changes would give the regulator a "more modern structure – while maintaining its independence".
Perhaps to (optically) support this independence, the Bill does not replicate the Secretary of State's previous ability to publish a "statement of strategic priorities", to which the Information Commissioner would have had to have regard. However, arguably the Government can still influence decision making, for example, through its ability to appoint non-executive members and determine the number of members of the Information Commission.
A right under the DPDI for the Government to veto or make recommendations on codes of practice has, however, been replaced with a right to be consulted before the Information Commissioner prepares codes of practice.
The proposals "clarify" some of the ICO's powers (e.g. that the regulator is entitled to request both "documents" as well as "information" under existing information notice powers) and add to them (e.g. the Information Commission can require the controller or processor to appoint an approved person to prepare a report on a specified matter and provide it to the Commissioner under an assessment notice, with the cost borne by the controller or processor).
Wider data reform: An umbrella bill for all things data?
In perhaps a nod to the new title of the Bill, it addresses a hotchpotch of areas in the name of "data" (beyond just the data protection and privacy reform), even more so than the DPDI before it.
From giving statutory footing to three innovative uses of data ((i) smart data schemes to enable sharing of customer data, at their request, with third party providers beyond the GDPR's portability right; (ii) digital verification services to support the creation and adoption of secure and trusted digital identity products; and (iii) the national underground asset register to help with installing and operating underground utilities), to the newly crafted provisions around information for research into online safety, the DUA covers it all.
In fact, public sector data sharing, along with the financial benefits of doing so, sits front and centre of Labour's unveiling of this data reform - perhaps in a bid to keep up appearances with the plethora of data-related legislation coming out of the EU (including the EU Data Act and the EU Data Governance Act). However, with the detail of the UK regimes still to be bottomed out in both secondary legislation and sector-specific approaches, only time will tell how these schemes will operate in practice.
Our experts will shine the spotlight on a number of these areas in subsequent pieces.
Greater alignment with the EU, for adequacy's sake and business?
It is likely no coincidence that the day before the Bill was introduced, the House of Lords European Affairs Committee published recommendations from its recent inquiry into UK-EU data adequacy.
Speaking of the DPDI incarnation, the recommendations suggest that potential bones of contention could include: the independence of the Information Commissioner's Office; the role of Government in "adding new grounds of "legitimate interest" for data processing"; and the UK's "international data protection policies".
Whilst the UK's adequacy status is not a slam dunk, the Bill is the reform that diverges the least from the EU GDPR, and the one that least resembles the more radical reform that was first touted in the DCMS' Consultation Paper (Data: A new direction) back in October 2021.
The risk of the Commission deciding the UK is not adequate now seems relatively low. This will chime well with industry, given that the Bill impact assessment estimates between £190 million and £460 million in one-off SCC costs and an annual cost of between £210 million and £420 million in lost export revenue if the UK were to lose its EU adequacy status. Even the Committee's recommendation suggests a "successful challenge to the legality of Commission decisions before the CJEU is more likely than a Commission decision not to renew the UK's adequacy status."
Unsurprisingly, the Committee also urges the Government to secure a future adequacy renewal which does not expire after a fixed period, as is the case with the EU's other data adequacy arrangements.
Adequacy aside, perhaps there was also too much of a risk that deviating from an established EU framework (one that UK organisations had already invested considerable time and cost in implementing in recent years) might not prove to be as "business friendly" in practice as the Government originally claimed, at least at the outset.
Impact of the UK data protection reform in practice
Whilst some proposals under the UK data protection reform impose greater burdens for controllers (such as the more robust sanctions regime under PECR and the need for controllers to have a complaints procedure for data subjects), for those that already comply with the current UK data protection and privacy regimes, other proposals require relatively minor adjustments to their compliance programmes.
As for the potential for the Bill to ease the compliance burden, it is worth factoring in the added layer of complexity for organisations operating across both a UK and EU footprint and needing to comply with dual diverging regimes. These multi-jurisdictional organisations may well continue to apply the potentially higher EU "gold standard" across all jurisdictions for consistency across their compliance programmes – regardless of the UK charting its own path. Data protection compliance is not an exact science at the best of times and the proposed divergence may unintentionally introduce further "grey" areas and a greater degree of uncertainty for some organisations.
That said, those based solely in the UK or headquartered in the jurisdiction seem more likely to be able to take advantage of any de-regulation by adopting a more localised approach to compliance and product launches. It remains to be seen whether the UK will, in fact, become a hotly anticipated sandbox for innovation.
A case of third time lucky?
It seems likely that the UK data reform will take place at last. Already, momentum from its First Reading looks to be sustained for the Second Reading in the House of Lords on 19 November 2024.
And this latest iteration has the backing of the ICO, which welcomes "the Bill as a positive package of reforms…[that]…maintains high standards of data protection and protects people's rights and freedoms, whilst also providing greater regulatory certainty for organisations and promoting growth and innovation in the UK economy."
Whilst the Bill is in its early stages, its predecessor (on which much of the Bill is based) proceeded almost to enactment with few outstanding points before it fell at the final hurdle when the General Election was called. Twinned with the Government's majority in the House of Commons and the introduction of the Bill in the House of Lords first, a smooth trajectory at a reasonably rapid pace is expected.