UK government’s plans for reforming the Data Protection Act

The United Kingdom’s post-Brexit reform of its data protection laws took another step forward with the government’s final response to its data consultation. The proposals, published on Friday 17 June in response to a consultation, include plans to restructure the UK’s data protection authority, the Information Commissioner’s Office (ICO), introduce an opt-out model for cookie consent and make it easier for London to initiate new data partnerships with other countries.

Initially launched September 2021 under “Data: a new direction,” and opened to public comment for more than two months, the final response features several incremental reforms, such as altering some accountability provisions including the removal of a data protection officer requirement, adding an opt-out model for a wide swath of online tracking, and updates to the U.K. Information Commissioner’s Office.

A key element of the plan is a proposal to “modernise” the Information Commissioner Officer. Under the plans, the body’s top official, the Information Commissioner, would be replaced by a chair, chief executive and board, and it would be issued with “new objectives”.

This structure will be to allow a better parliamentary and public oversight and will place greater focus on growth, innovation and competition.

Another key aim of the reforms is to allow businesses more flexibility in how they go about meeting data protection standards, in order to reduce what the government says are disproportionate administrative burdens.

The proposal suggests that smaller enterprises will no longer be required to contract a Data Protection Officer (DPO) to conduct a Data Protection Impact Assessment (DPIA) of their risk management approach if they can independently prove that it is adequate.

The government sets out the importance of removing unnecessary barriers to cross-border data flows, including by progressing an ambitious program of adequacy assessments. The reforms are also set to boost the UK’s potential to foster data transfer links with international partners. Under the Bill, a group of organisations, tech companies and academics, will be afforded the power to remove barriers to data flows.
London has expressed a desire to establish new data partnerships with countries including the US, Australia, Singapore and the Republic of Korea.

The government also plans to introduce fines for unsolicited marketing calls and messages. The bill is set to raise the maximum penalty from £500,000 to £17.5 million or 4% of global turnover if that is a greater figure.
Existing regulations will also be updated to reduce cookie consent pop-ups by putting in place an opt-out model which will apply to a person’s whole internet browser. In practice, this would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out.” However, the opt-out model would not apply to websites “likely to be accessed by children.”

Researchers will also be handed more flexibility and clarity when it comes to data use. In practice, this could mean that people are asked whether they consent to have their data used for research in a particular field of study, rather than on a specific project within it.

1. Not mentioned in the government’s statement is its need to steer a course between taking an independent UK line and not risking the UK’s adequacy declaration from the European Commission which enables the free flow of personal data between the UK and the European Economic Area. For most companies doing business internationally, this is a major concern.

2. The list of countries in the announcement with which the government is discussing international data agreements include Korea, although this is a country with which the EU has already granted an adequacy agreement. This means that, in principle, Korea should not need to be on the UK’s list because the UK accepted all the adequate countries as part of the Brexit agreement negotiated with the EU.

3. The language of the government’s announcement has a focus on reducing burdens for business and cutting costs. It states that “the reforms will create more than £1 billion in business savings over ten years by reducing these burdens on all businesses.” There is little focus on individuals’ rights which is the purpose of the data protection law. Critics will look at the detail of how the reform can at the same time pull away from the EU GDPR and at the same time keep to the widely recognised EU gold standard.