The UK government’s response to its data protection reform consultation is out (press release 17 June 2022).
Certain proposals will proceed under the Data Reform Bill announced in the 10 May 2022 Queen’s Speech (more info). Others won’t, while still others are to be considered further. The devil’s always in the detail, of course, so when the Bill’s text is available the proposed changes will be clearer – it's still unknown exactly when it’s to be published (updated: TechUK says the Bill will be laid "this summer to undergo several rounds of amendments before it is formally passed into legislation". So, presumably June/July before the August summer holidays).
Some highlights below.
Anonymisation
- To use Convention 108+ test para19: “Data is to be considered as anonymous only as long as it is impossible to re-identify the data subject or if such re-identification would require unreasonable time, effort or resources, taking into consideration the available technology at the time of the processing and technological developments. Data that appears to be anonymous because it is not accompanied by any obvious identifying element may, nevertheless in particular cases (not requiring unreasonable time, effort or resources), permit the identification of an individual. This is the case, for example, where it is possible for the controller or any person to identify the individual through the combination of different types of data, such as physical, physiological, genetic, economic, or social data (combination of data on the age, sex, occupation, geolocation, family status, etc.). Where this is the case, the data may not be considered anonymous and is covered by the provisions of the Convention”.
- The test for anonymisation will be relative, i.e. will the individual remain identifiable by that controller, cf. a third party?
Artificial intelligence (AI) & machine learning (ML), and ADM
- Anti-discrimination - the UK DPA sch1 para8 exemption allowing processing of special category data and criminal offence-related data for equality of opportunity or treatment will be expanded to allow bias monitoring, detection and correction in AI systems.
- Fairness - the government will consider the role of UK GDPR “fairness” in wider AI governance in its forthcoming AI White Paper, but will not legislate here.
- Art.22 automated decision-making (ADM) - will be retained, but with clarified limits & scope, including ADM as a right to specific safeguards, rather than a general prohibition on solely automated decision-making. The approach to ADM will be aligned with the broader approach to governing AI-powered ADM, which will be addressed as part of the upcoming UK White Paper on AI governance.
- Explainability and intelligibility of AI-powered ADM, including the role of DP legislation in that context, will be considered in the White Paper on AI governance.
- See also below on purpose limitation.
Accountability
- Organisations must have a privacy management programme.
- No need for a DPO, but must designate a suitable individual to oversee data protection compliance.
- No more data protection impact assessments (DPIAs), or requirement for records of processing activities (ROPAs) as such.
- Controllers must have simple, transparent complaint-handling processes for data subjects (but retaining clear pathway to complain to the ICO).
Legal basis - legitimate interests
- No balancing test will be needed for a limited number of carefully-defined processing activities in the clear public interest based on legitimate interests, likely to include processing activities undertaken by controllers to prevent crime, report safeguarding concerns or that are necessary for other important reasons of public interest (the government will consider if any additional safeguards are needed for children’s data). Hopefully this should “encourage organisations to make the authorities aware of individuals who are at risk without delay”, including children and other vulnerable groups with protected characteristics. However, core principles like lawfulness, fairness & transparency, and further conditions for processing special category data, etc., would of course continue to apply.
- Power to update the list of activities, subject to Parliamentary scrutiny.
Special category data, criminal offence-related data
The UK DPA 2018 sch1 part 2 exemptions for processing in the substantial public interest could be expanded to add certain activities, but “substantial public interest” will not be defined specifically.
Purpose limitation
- Further processing or reuse by the same controller for incompatible purposes will be permitted “when based on a law that safeguards important public interest”, with “greater clarification on the rules and permissions of data re-use and the need for greater transparency”.
- On consent-based processing, “further processing cannot take place when the original legal basis is consent other than in very limited circumstances”. We’ll have to wait to see what those new circumstances will be.
- Distinctions between further processing and new processing by a different controller to be clarified.
Transfers
- Adequacy decisions - a risk-based approach will be taken; judicial or administrative redress are both acceptable. There will be ongoing review, cf 4-yr review of adequacy decisions.
- The Secretary of State can recognise alternative transfer mechanisms (ATMs).
- (But no repetitive derogations or reverse transfers etc.)
DSARs
- No nominal fee to be introduced.
- No cost ceiling, but controllers can refuse to deal with DSARs that are “vexatious or excessive” (cf. the current “manifestly unfounded or excessive”).
Research
- No new lawful basis for research, but various changes will be made to assist and promote research.
- E.g. a “scientific research” definition (hopefully making crystal clear the position on commercial scientific research, and what's research in the "public interest"?); and clarifying that broad consent is possible and can be relied on.
- Privacy notices – the UK GDPR's Article 14(5)(b) “disproportionate effort” exemption will be replicated, but only for research purposes, to allow personal data being used for a research purpose differing from the original purpose to be exempt from re-providing information under Article 13(3) - but without exempting controllers who obtain personal data directly from data subjects from providing the required Article 13(1) & (2) information to them on collection. “Disproportionate effort” to be clarified by bringing in the GDPR's Rec.62 language into the operative text.
ePrivacy under PECR
- Fines - to be increased to GDPR levels.
- ICO powers - to include assessment notices etc.
- Cookies and similar technologies (i.e. mobile apps, smart devices too)
  - Analytics will be considered “strictly necessary”.
  - Consent to be unnecessary in more situations: "a small number of other non-intrusive purposes" (e.g. website fault detection?), "where the controller can demonstrate legitimate interest for processing the data".
  - Websites must respect users’ browser preferences; the UK will move to no cookies banners for UK residents and an opt-out model for cookies once preferences management technology is widely available.
- Direct marketing
  - Soft opt-in to be extended to political parties and non-commercial organisations like NGOs/charities.
- Nuisance phone calls e.g. automated telephone marketing
  - The ICO will be able to take enforcement action against organisations based on the number of calls generated (cf. only the number that are connected, currently).
  - Communications service providers must report to the ICO “suspicious levels of traffic on their networks”.
ICO
- New duties (e.g. to uphold data rights and to encourage trustworthy and responsible data use, have regard to economic growth and innovation, competition issues and public safety, to consult with relevant regulators and any other relevant bodies).
- Structural changes e.g. independent Board and Chief Executive.
- New powers for the DCMS Secretary of State, e.g. to prepare a statement of strategic priorities which the ICO must respond to; to approve statutory codes of practice and statutory guidance ahead of laying them in Parliament.
- Legislative criteria for a more risk-based proportionate approach to complaints - ICO discretion to decide when/how to investigate complaints, including discretion not to investigate vexatious complaints, and complaints where the complainant has not first attempted to resolve the issue with the relevant data controller. "This will empower the ICO to exercise its discretion with confidence."
- New ICO powers
  - To issue technical report notices where fair and reasonable, having regard to alternative investigatory tools, relevant knowledge and expertise available to the controller or processor and the impact of the cost of producing the report.
  - To compel witness interviews, without interfering with the right not to self-incriminate, rights to legal professional privilege and various procedural mechanisms to ensure proportionality & fairness of interview.
- Must provide organisations with the expected timeline at the start of all investigations.
Note: on ICO resources and funding, the ICO announced, on 14 June 2022, its agreement with its sponsor department the Department for Digital, Culture, Media & Sport (DCMS) and with the Treasury (HMT) that the ICO will now be able to retain some of the funds paid as a result of its civil monetary penalties (i.e. fines) to cover pre-agreed, specific and externally audited litigation costs. (Previously, all fines money went to the UK government’s central Consolidated Fund.)