Do our Data Protection laws need an overhaul?
Data plays a key role in all modern societies and economies.
Given the importance of data, it is unsurprising that different interest groups have different views on the appropriate content and shape of data law and regulation.
Following the UK’s exit from the European Union, reform of data protection legislation has been proposed by the government. It has been suggested that our laws should be simplified and that there is an opportunity to create a world leading model for data legislation.
At present, the UK’s current regime comprises at its heart our version of the General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. Elements of the regime have been criticised as cumbersome by business organisations since its inception due to its strict controls on the processing of personal data. By contrast, data advocates have applauded the high standards set by the European model. Some see it as the gold standard.
The Department for Digital, Culture, Media & Sport (DCMS) has recently published a consultation setting out its proposed reforms to move away from certain aspects of the existing model, but what might that involve and what is the significance?
DCMS Consultation
On 10 September 2021, DCMS published a consultation document titled “Data: A new direction” setting out its proposals.
The consultation document includes several key reforms including the following:
Accountability Principle:
Reforms of the accountability principle under Article 5 of the UK GDPR are expected to be introduced to reduce “unnecessary burden” on organisations. Article 5 sets out the principles relating to the processing of personal data.
Under the current regime, organisations need to fulfil several detailed requirements to document their compliance for processing data responsibility. Under the new proposals however, a more flexible framework based on privacy management programmes is slated to be introduced.
Organisations would need to develop and implement a risk-based privacy management programme which has a holistic approach. The programme would include personal data policies, processes for the protection of personal data and would be overseen by a “responsible individual” rather than a Data Protection Officer (DPO).
Data Sharing:
The government seeks to amend the rules for data transfer “adequacy” assessments by establishing new data relationships with other countries.
A data adequacy finding makes it easier for organisations to send personal data to that respective country without having to impose enhanced measures to ensure that personal data is sufficiently protected. The proposed reformed process will have a four phased approach including the following stages to identify the adequacy of a countries data protection regimes: (1) Gatekeeping, (2) Assessment, (3) recommendation and (4) Procedural.
This proposal is likely to be welcomed by tech organisations in particular following the vocal criticism of the European Court of Justice’s decision in Schrems II which invalidated the European Union’s adequacy decision for the EU-US Privacy Shield. Notably the majority of the major platforms are based in the US.
Subject Access Requests:
The government proposes the reintroduction of a fee regime which would be paid by individuals wishing to access personal data held by data controllers. Organisations were previously permitted to charge a fee of £10 for responding to a data subject access request.
The purpose for the reintroduction of a fee is, it is said, to ensure that organisations are not overstretched by the volume of speculative data subject access requests which can drain time and resources.
Organisations could also be permitted to refuse to process part or the entirety of a request if it is deemed to be “vexatious”. To determine this, an organisation would need to consider the context and history of a request including the identity of the data subject and the nature of the organisation’s previous relationship with them.
Information Commissioner’s Office (ICO):
The government also proposes reforms of the ICO including the implementation of a statutory framework confirming the scope of the ICO’s objectives and duties. The ICO’s tasks under the present regime are set out in a long list of tasks under Article 57 of the retained UK GDPR, but this does not currently set out their duties and objectives.
The ICO would also have increased powers to issue larger fines to organisations that make unsolicited marketing calls to individuals who have advised they do not wish to be contacted. The ICO can currently impose fines of up to £500,000 for such breaches under the Privacy and Electronic Communications Regulations 2003 (PECR). The proposed reforms will seek to increase this ability to impose fines beyond the £500,000 cap.
Significance of the Proposals
Although there are several reforms contained within the consultation document, it does not seek to completely overhaul the current data protection regime. It remains to be seen whether overhaul is the long term objective. The proposals will retain many of the key elements of the existing regime.
On one view, the amendments are pro-business. It has been argued that the focus is on reducing the administrative burden on the ICO and reducing bureaucracy for organisations, rather than reducing the rights of individuals.
However, the proposals have been criticised by data rights campaigners as an attempt to “water down” the rights of data subjects ie individuals. Indeed, some of the reforms are certainly likely to receive scrutiny and potential criticism from data subjects, such as proposals for the removal of the requirement on organisations to obtain prior consent for all web cookies from the data user and to change the threshold for when organisations are required to report a data breach to the ICO. It remains to be seen whether the proposals, if implemented, will lead to certain organisations processing personal data to the disadvantage of data subjects.
Having had data rights increasingly recognised and protected in recent times, will citizens be keen to see the trend towards privacy protections reversed? Big tech has used “data privacy” as a selling point in its marketing of late, to rebuild trust and enhance brand. Equally, the ICO’s campaign regarding the introduction of GDPR was very successful in raising awareness of data rights.
The UK’s further divergence from the current EU regime has caught the attention of the European Union who intend to closely monitor any developments in the UK’s data protection regime. If any problematic developments arise, there is the potential that the European Union could suspend or terminate the European Union’s adequacy decision for the UK which could make data sharing on the continent more difficult.
There is clearly a need to simplify data protection law. It is overly complex. However, any changes must balance the interests of all interested parties, particularly business and private individuals.
For now, we will eagerly await the outcome of the DCMS’ consultation once the public consultation has closed on 19 November 2021, and the responses have been considered.