Now that the dust has begun to settle following the UK’s withdrawal from the EU, the Department for Digital, Culture, Media and Sport (the ‘DCMS’) has released a consultation on the reform of UK data protection legislation. The consultation has now closed for responses and we await the outcome of public feedback; however, the DCMS’s proposals were wide-ranging and hint at significant changes.
Personal data can currently be received from the EU without additional safeguards under an EU ‘adequacy decision’. The decision is subject to the UK and EU maintaining comparable data privacy regimes. However, if the UK begins to stray from the EU standards, it is not out of the question that the UK’s adequacy decision could be revoked, or alternatively it may not be renewed at the end of its current four-year term. The changes proposed by the consultation could therefore have a significant impact on the free flow of personal data from the EU to the UK.
Subject Access Requests
The DCMS has proposed a number of steps to lighten the administrative load of the subject access request (‘SAR’) regime. Currently, there are no operational limits on handling a SAR – costs and time spent are not accounted for. Broadly, the DCMS’s proposals aim to bring SARs into alignment with the freedom of information (‘FOI’) framework. Under the FOI regime, where the cost of complying with a request would exceed a costs ceiling, the receiving organisation is entitled to either refuse the request, or charge a fee for responding. The DCMS is proposing that under a new SAR regime, organisations would have to comply up to the cost limit (which would include explaining what information it would be possible to retrieve under that limit) but could thereafter charge or refuse to comply.
Reducing barriers to responsible innovation
The DCMS’s consultation recognises that the UK GDPR has been imported as-is from the EU (except for minor amendments required so that the legislation works in a UK context), and would benefit from active interpretation, clearer guidance and application to new technologies.
The proposals go much further than the current regime to facilitate processing for research purposes and acknowledge the benefits that can arise from re-use of personal data within the research community. The consultation plans to clarify when it is permissible to re-use personal data for a purpose different from the purpose for which it was collected, in the hope that doing so will help to unlock the potential of the data that we collectively hold.
The consultation also sets out a proposed list of situations where, when personal data is processed under the legitimate interest lawful basis, a balancing test would not be needed to weigh up the interests of the data subject against the legitimate interest. These situations include:
- reporting criminal acts or safeguarding concerns;
- delivering public health and safety messages by non-public bodies;
- improving the safety of a product; or
- anonymisation/pseudonymisation to improve data security.
The intention is that introducing a list of pre-determined legitimate interests will remove some of the complexities involved with this lawful basis, and also help to resolve an over-reliance on consent, which has likely arisen as a result of data controllers not being certain about when the legitimate interests balancing test is met.
Data protection enforcement
The key obligations under data protection legislation are contained in the UK GDPR and Data Protection Act 2018, as well as the Privacy and Electronic Communications Regulations (‘PECR’). However, there are some differences between the two regimes despite an overlap in the spheres they cover. The maximum fine under PECR is £500,000, whilst under the UK GDPR it is £17.5 million or 4% of the total annual worldwide turnover. Additionally the Information Commissioner’s Office (the ‘ICO’) can issue an assessment notice under the UK GDPR, but not under PECR. An assessment notice enables the ICO to assess whether an organisation is compliant with the legislation by requesting copies of certain documentation or even visiting relevant premises.
The DCMS is proposing to bring enforcement of PECR in line with the UK GDPR, to make it easier for the ICO to assess potential breaches of PECR and then issue increased fines for any contravention that is identified. This could ultimately result in much higher fines for marketing-related infringements, a space in which we have seen a large amount of ICO enforcement action in recent months.
The DCMS’s consultation also discusses a change in strategic vision for the ICO, in particular focusing on a risk-based and proactive approach to facilitate responsible data processing and innovation support, and moving away from a ‘high volume of low-level complaints’. To many this will be a relief, enabling organisations to test and develop new technologies with the support of ICO resources.
In addition, the ICO will be tasked with working alongside other regulators to ensure responsible development of digital technologies and to fulfil the following three objectives:
- Actively promoting competition and innovation in the digital economy.
- Keeping the UK safe and secure online.
- Shaping a digital economy that promotes a flourishing, democratic society.
However, the Republic of Ireland’s data protection authority is already under fire for failing to properly investigate complaints and to remain independent from industry (see, for example, the criticism of its initial fines against Facebook). This shows that a shift towards collaboration with other regulators, and arguably away from investigating privacy complaints, may not be seen favourably by the EU.
The consultation provides meaningful solutions to facilitate innovation, whilst also giving organisations greater clarity on how to comply with the UK data protection regime and promoting confidence in collecting and processing personal data.
However, there is a fine line to tread to ensure that individual rights remain protected in the face of an economy which is rapidly digitalising, and also to ensure that the UK does not stray too far from the EU’s current regime, in order to avoid disrupting international data flows.
For more information please contact the Ashfords Data Protection team.