UK government’s plans for reforming the Data Protection Act
June 21st, 2022
The United Kingdom’s post-Brexit reform of its data protection laws took another step forward with the government’s final response to its data consultation. The proposals, published on Friday 17 June, include plans to restructure the UK’s data protection authority, the Information Commissioner’s Office (ICO), introduce an opt-out model for cookie consent and make it easier for London to initiate new data partnerships with other countries.
The consultation was initially launched in September 2021 under the title “Data: a new direction” and was open to public comment for more than two months. The final response features several incremental reforms, such as altering some accountability provisions, including the removal of a data protection officer requirement, adding an opt-out model for a wide swath of online tracking, and updates to the U.K. Information Commissioner’s Office.
The extensive document comes after the government received nearly 3,000 responses from the public and held more than 40 roundtables with stakeholders from academia, technology and industry, as well as consumer rights groups. The response features 30 headings across five chapters: reducing barriers to responsible innovation; mitigating burdens on businesses and improving outcomes for people; minimizing barriers to data flows; improving public services; and reform of the ICO.
Information Commissioner’s Office
A key element of the plan is a proposal to “modernise” the Information Commissioner’s Office. Under the plans, the body’s top official, the Information Commissioner, would be replaced by a chair, chief executive and board, and it would be issued with “new objectives”.
This structure is intended to allow better parliamentary and public oversight and to place greater focus on growth, innovation and competition.
Data protection administration
Another key aim of the reforms is to allow businesses more flexibility in how they go about meeting data protection standards, in order to reduce what the government says are disproportionate administrative burdens.
The proposal suggests that smaller enterprises will no longer be required to contract a Data Protection Officer (DPO) to conduct a Data Protection Impact Assessment (DPIA) of their risk management approach if they can independently prove that it is adequate.
International data transfers
The government sets out the importance of removing unnecessary barriers to cross-border data flows, including by progressing an ambitious program of adequacy assessments. The reforms are also set to boost the UK’s potential to foster data transfer links with international partners. Under the Bill, a group of organisations, tech companies and academics will be afforded the power to remove barriers to data flows.
London has expressed a desire to establish new data partnerships with countries including the US, Australia, Singapore and the Republic of Korea.
Cookies, calls and conducting research
The government also plans to introduce fines for unsolicited marketing calls and messages. The bill is set to raise the maximum penalty from £500,000 to £17.5 million or 4% of global turnover if that is a greater figure.
Existing regulations will also be updated to reduce cookie consent pop-ups by putting in place an opt-out model which will apply to a person’s whole internet browser. In practice, this would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out. However, the opt-out model would not apply to websites “likely to be accessed by children.”
Researchers will also be handed more flexibility and clarity when it comes to data use. In practice, this could mean that people are asked whether they consent to have their data used for research in a particular field of study, rather than on a specific project within it.
Some questions and open points from our side at MyData-Trust:
1. Not mentioned in the government’s statement is its need to steer a course between taking an independent UK line and not risking the UK’s adequacy declaration from the European Commission which enables the free flow of personal data between the UK and the European Economic Area. For most companies doing business internationally, this is a major concern.
2. The list of countries in the announcement with which the government is discussing international data agreements includes Korea, although this is a country to which the EU has already granted an adequacy agreement. This means that, in principle, Korea should not need to be on the UK’s list because the UK accepted all the adequate countries as part of the Brexit agreement negotiated with the EU.
3. The language of the government’s announcement has a focus on reducing burdens for business and cutting costs. It states that “the reforms will create more than £1 billion in business savings over ten years by reducing these burdens on all businesses.” There is little focus on individuals’ rights, which are the purpose of data protection law. Critics will look at the detail of how the reform can pull away from the EU GDPR while at the same time keeping to the widely recognised EU gold standard.