UK GDPR: all change or no change?
Alexander Egerton provides an in-depth assessment of the UK’s reforms to GDPR
The UK government has used London Tech Week as the opportunity to showcase its proposals for the deregulation of UK privacy law. Following on from the 2020 UK National Data Strategy, and indeed as the first step in delivering on ‘mission 2’ of that strategy, the Department for Digital, Culture, Media and Sport (DCMS) published Data: A New Direction.
Data-driven trade accounted for nearly three quarters of the UK’s total service exports and contributed an estimated £234bn to the economy in 2019.
The UK government wishes to strengthen the UK’s high data protection standards while reducing burdens on businesses to deliver around £1bn in cost savings.
The objective is to remove aspects of GDPR which are regarded as ‘box ticking’ or unduly prescriptive. The consultation is also part of a wider drive by the UK government to change its approach to privacy regulation now that the UK is no longer part of the EU and no longer has to follow the EU GDPR. The EU GDPR is an EU ‘regulation’, which gives member states limited room for change: no member state could pursue the reforms the UK is considering. The UK government’s recent approval of New Zealand’s former Privacy Commissioner, John Edwards, as the next Information Commissioner, succeeding Elizabeth Denham, is viewed by many as another important step towards reforming the strategic direction of UK data protection law and the ICO’s enforcement of it.
In terms of the consultation process, I understand John Edwards previously warned ministers against scrapping certain safeguards the GDPR gives data subjects. That the Data Reform Bill has won his backing suggests he is satisfied the new regime will maintain high standards of data protection. A number of more radical suggestions have been removed from the final proposals, including the possibility of replacing GDPR entirely in favour of a brand-new framework.
It is interesting to note that whereas the EU has two privacy instruments – the General Data Protection Regulation (GDPR) and the ePrivacy Directive, implemented in the UK as the Privacy and Electronic Communications Regulations (PECR), which governs marketing (i.e. direct marketing and cookies) – the UK may well end up with a single privacy statute.
In recent years, the ICO has become proactive in enforcing the direct marketing rules, which sit in PECR rather than the GDPR. The EU is reforming its ePrivacy rules too. The intention was for the GDPR and the new ePrivacy regime to be introduced together in 2016, but agreeing the ePrivacy changes has taken the EU longer than anticipated. The UK is no longer obliged to wait for the EU’s new rules, so it has been able to start its reform process earlier. In due course we will see how similar the two regimes turn out to be.
The reforms will include tougher fines for firms that make nuisance calls. The maximum fine will increase from the current PECR ceiling of £500,000 and be brought in line with the current UK GDPR maximum of £17.5m or four per cent of global annual turnover, whichever is greater.
PECR permits a business to market to customers if it can show the customers have given a ‘soft opt-in’ marketing consent. If the customer has expressly opted in, direct marketing is also permitted. There are rules as to what constitutes ‘consent’. If the customer has to agree to receive marketing communications to conclude the purchase, that is unlikely to be valid consent.
The ‘soft opt-in’ permits email and SMS marketing messages without obtaining consent if:
- the contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
- an opportunity to refuse or opt out of the marketing is given at the point of collection and again in every subsequent communication; and
- the subsequent marketing is restricted to similar products and services.
Business-to-business (B2B) marketing is covered by the GDPR. PECR’s consent rules relate to business-to-consumer (B2C) marketing.
This ‘soft opt in’ will be extended to non-commercial entities, such as charities and political parties.
Other reforms show how determined the ICO is to clamp down on unlawful direct marketing: there will be a ‘duty to report’ on communication service providers in relation to suspicious traffic transiting their networks, and the ICO will be able to impose assessment notices on companies suspected of PECR breaches.
The PECR cookie rules will also be updated to cut down on ‘user consent’ pop-ups and banners – the boxes users currently see on almost every website. An exception to the consent requirement already exists where a cookie is “strictly necessary” for the provision of a service explicitly requested by the user.
In the immediate term, the government plans to allow cookies (the small data records that let a site remember information about an individual’s visit) to be set without the user’s consent for a small number of purposes, which have not yet been set out in full.
Currently, users must consent before non-essential cookies are set, and they must opt in afresh on every new site they visit.
The government’s new opt-out model for cookies will heavily reduce the need for users to click through consent banners on every website they visit.
Under the new rules, internet users will be better able to set an overall approach to how their data is collected and used online – for example, via their browser settings. Certain functional cookies will not be subject to that browser-level setting at all. The opt-out model would not apply to websites likely to be accessed by children.
DCMS has suggested that the legislative change to switch the UK fully to an opt-out model for online tracking will not take place until the necessary browser-based technology is “effective and readily available so people can set their online cookie preferences to opt out via automated means”. However, work on such a browser signal began in 2009 and no mechanism is yet functional in practice.
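To make the cookie regime described above concrete, here is an added example (not code from the article, the ICO or DCMS) of a server-side gate that decides which Set-Cookie headers a response may carry. It assumes, beyond anything the article states, that the browser-level opt-out is carried by the Global Privacy Control request header (Sec-GPC: 1) or the older DNT: 1 header, that the set of strictly necessary cookie names is the site operator’s own configuration, and that the “child-directed” flag and any recorded on-site consent choice are supplied by the application. It applies the three rules the article sets out: strictly necessary cookies never need consent, ordinary sites fall back to an opt-out model that honours the browser signal, and sites likely to be accessed by children still require an explicit opt-in.

```javascript
// Added example, not code from the article or from any regulator. Assumptions
// not stated in the article: the browser opt-out signal is "Sec-GPC: 1" (Global
// Privacy Control) or "DNT: 1"; the cookie names below are the site operator's
// own configuration; consent state and the child-directed flag come from the app.

// Cookies exempt from consent because the service the user asked for cannot
// work without them (the "strictly necessary" exception).
const STRICTLY_NECESSARY = new Set(['sessionid', 'csrftoken', 'cookie_choice']);

// Anything not on the strictly-necessary list is treated as non-essential, so a
// cookie that was never classified fails closed rather than open.
function classifyCookie(name) {
  return STRICTLY_NECESSARY.has(name) ? 'strictly-necessary' : 'non-essential';
}

// Browser-level opt-out signal. Node's http module lowercases header names, so
// the lookup uses lowercase keys.
function browserOptOut(headers) {
  return headers['sec-gpc'] === '1' || headers['dnt'] === '1';
}

// Decide whether one cookie may be set on this request.
//   ctx.childDirected: site likely to be accessed by children (opt-in still required)
//   ctx.consent: true / false / undefined (undefined = no recorded on-site choice)
function mayPlaceCookie(name, headers, ctx) {
  if (classifyCookie(name) === 'strictly-necessary') {
    return { allowed: true, reason: 'strictly necessary exemption' };
  }
  if (ctx.childDirected) {
    // The opt-out model does not apply here: silence is not consent.
    return { allowed: ctx.consent === true, reason: 'child-directed site: opt-in required' };
  }
  if (browserOptOut(headers)) {
    return { allowed: false, reason: 'browser opt-out signal honoured' };
  }
  if (ctx.consent === false) {
    return { allowed: false, reason: 'user opted out on this site' };
  }
  // Opt-out model: no objection has been signalled by browser or on site.
  return { allowed: true, reason: 'opt-out model: no objection signalled' };
}

// Extract the cookie name from a Set-Cookie value ("name=value; Path=/; ...").
function cookieName(setCookie) {
  const pair = setCookie.split(';', 1)[0];
  const eq = pair.indexOf('=');
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Filter candidate Set-Cookie values down to those the gate allows. This is the
// function a response hook would call just before headers are flushed.
function filterSetCookie(candidates, headers, ctx) {
  return candidates.filter((c) => mayPlaceCookie(cookieName(c), headers, ctx).allowed);
}

// Constructed sample request: a browser that sends the GPC opt-out signal.
const SAMPLE_HEADERS = { 'user-agent': 'ExampleBrowser/1.0', 'sec-gpc': '1' };
const SAMPLE_CANDIDATES = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'analytics_id=9f2c; Path=/; Max-Age=63072000',
  'abtest_variant=B; Path=/',
];

console.log(filterSetCookie(SAMPLE_CANDIDATES, SAMPLE_HEADERS, { childDirected: false }));
```

With the sample request only the session cookie survives; the same candidates sent without the header would all be set under the opt-out model, and on a child-directed site only the session cookie would be set unless the user had explicitly opted in. The failing-closed classification matters in practice: a cookie added by a new feature without being listed as strictly necessary is blocked, which is the safer mistake.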
Researchers will be given more flexibility. At present, the consent is prescriptive and the researcher cannot operate beyond the purposes of the research.
The Data Reform Bill will more clearly define the scope of scientific research and give scientists clarity about when they can obtain user consent to collect or use data for broad research purposes.
This reform removes the need for researchers to have the ultimate purpose of their research project finalised before collecting data. For example, scientists will be able to rely on the consent a person has given for their data to be used for ‘cancer research’ as opposed to a particular cancer study. At present the consent has to be revised as the research progresses.
Internal data management
This is probably the change that will affect businesses the most. The requirements to audit data and to conduct data impact assessments are seen by many as bureaucracy with little commercial benefit.
The article 30 requirement for “records of processing activities” will be replaced by a bespoke risk assessment and data inventory under a ‘Privacy Management Programme’.
Businesses will no longer need to appoint a Data Protection Officer (DPO). A DPO is a statutory role which gives the holder the right not to be dismissed for performing it, and in return the DPO owes duties to the ICO. Businesses will instead need a nominated individual who is responsible for privacy. The role has not yet been fully particularised, but it seems likely to be less formal than that of a DPO and without the independence requirements. The individual’s role will include:
- representing the organisation, or delegating a representative, to the ICO and data subjects;
- ensuring appropriate oversight and support is in place for the programme and appointing appropriate personnel;
- providing tailored training to ensure staff understand the organisation’s policies; and
- regularly auditing the efficacy of the programme.
The need to undertake and record privacy impact assessments (PIA) will be reduced. A PIA occurs if a new process or new technology is introduced which the company considers will impact on people’s (employees, customers, etc) privacy. The assessment will identify the extent to which privacy will be affected and the measures taken to reduce the impact. Similar to Legitimate Interest Assessment (see later), the competing needs of business interest and privacy need to be balanced with a record retained.
However, the objective of the reform – namely a non-prescriptive, bespoke, risk-assessed approach – remains. Privacy Management Programmes will be required. These will include personal data inventories which set out what personal data is held and where, why it was collected and how sensitive it is. An organisation will still need to demonstrate that it has identified and managed its risks.
Data Subject Access Requests – where data subjects can ask to receive copies of personal data held by a company – will be easier for companies to reject. Organisations can currently do this where the request is “manifestly unfounded or excessive”. The government wants to change this to when the request is “vexatious or excessive” instead.
Personal data has to be processed under a lawful basis. Many businesses rely on ‘legitimate interests’. This is less prescriptive than the other commonly used grounds, consent and performance of a contract. However, because the legitimate interests basis can cover such wide-ranging uses, the decision to rely on it has to be documented.
The legitimate interests basis involves balancing the individual’s right to privacy against the business interests of the company; B2B marketing is a typical example. This analysis is called the legitimate interests assessment (LIA) or balancing test. It can be an uncertain and complex process, despite the ICO guidance. The government has looked to Singapore for ideas and proposes a list of legitimate interests for which organisations can use personal data without recourse to the balancing test. For example, the list may include:
- the improvement or review of an organisation’s system or network security;
- the improvement of the safety of a product or service;
- pseudonymisation or anonymisation of data;
- the use of audience measurement cookies or similar to improve webpages for service users; and
- the use of personal data for internal research and development or business innovation purposes to improve customer services.
Reducing the assessment burden would be beneficial for some. However, the ICO is understandably wary that the categories of activity are too broad, and data subjects will lose out through lack of a more nuanced and case-specific processing analysis.
Currently, there is an obligation to report a data breach to the ICO if there is a risk to data subjects’ rights and freedoms arising from the breach. The proposal is to change this to a requirement to report only those breaches that represent a material risk to data subjects. This is intended to deal with a perception of over-reporting of data security breaches to the ICO. The latest figures in the ICO’s Annual Report for April 2020 to March 2021 back this up to some extent: there were 9,352 data security breach reports in the period (down from 11,854 in 2019/20), and no further action was taken in just over 74 per cent of them.
The government also addressed the issue of AI-powered (artificial intelligence) automated decision-making in its response paper. Plans are being considered in relation to automated decision-making and profiling under UK data protection law and it wants to ‘align proposals’ with measures expected to be set out in an upcoming white paper on AI governance. Any reforms enabling the deployment of AI-powered automated decision-making will have “appropriate safeguards in place”.
The ICO will be modernised to have a chair, chief executive and a board to ensure it remains an internationally renowned regulator. The change will introduce a wider set of skills to support robust decision-making and broaden the legal responsibility underpinning the ICO’s work, which currently sits solely with the role of Information Commissioner.
The ICO will have new objectives which will give parliament and the public better ability to hold the regulator to account. Currently, the UK GDPR does not provide the ICO with a clear framework of objectives and duties. It is instead obliged to fulfil a long list of tasks. Clearer objectives to prioritise its activities against and a more modern governance framework will better equip the ICO to fulfil its role and bring it in line with the best practice of other regulators.
Strategic objectives will be set out in the bill. They will underline the importance of the regulator continuing to uphold data rights and encouraging the responsible use of personal data, but will have greater emphasis on taking into account growth, innovation and competition.
The reforms will introduce a new way for how the ICO develops statutory codes and guidance, which share best practices for organisations using, sharing or storing personal data in specific instances, such as protecting children’s data online.
The ICO will be required to set up a panel of experts in relevant fields when developing each piece of statutory guidance. The Secretary of State will also need to approve ICO statutory codes and guidance before they are presented to parliament. This will bring the ICO in line with other UK regulators, such as the Electoral Commission, and strengthen the accountability of the privacy watchdog when it makes legal rules.
It is hoped the government’s International Data Transfer Expert Council, made up of global experts on data, will play a major role helping the UK secure cross-border data flows.
The group, which combines world-leading academics, organisations such as the World Economic Forum and the Future of Privacy Forum, alongside digital industry figures including Google, Mastercard and Microsoft, will be empowered to remove barriers to data flows and ensure services from smart devices to online banking can be provided more reliably, cheaply and securely.
The government will take forward reforms which enable the UK to approach adequacy decisions by taking a risk-based decision, which accounts for the different cultural and legal traditions in which countries operate (and which allows it to take into account administrative as well as judicial redress in the assessment). Decisions will not be reviewed every four years.
The need for companies to carry out a transfer impact assessment for every transfer of personal data to a country without adequacy status will remain, but the government has proposed a regime which allows a proportional approach. We assume that for less risky and smaller data transfers, the requirements for standard contractual clauses and transfer impact assessments will be lessened.
The GDPR is dead, long live the GDPR
The question is where will UK privacy law be in five years?
Looking at these reforms there may be less change here than the government’s press statements suggest. Organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data. The same high data protection standards will remain, but organisations will have more flexibility to determine how they meet these standards. These changes do not change the compliance goal of risk assessments, but exclude the more prescriptive and bureaucratic approaches the GDPR mandates. These changes do not allow companies to ignore how and why personal data is processed.
A lot of the changes have little detail and some are aspirational. The government is aware of the need to allow AI technology to flourish and sees the GDPR as an obstacle, but this is a medium to long term project. The cookie reform relies on technology that is not functional. If momentum is lost, these reforms may never happen.
The major constraint is that the UK will seek renewal of the European Commission’s adequacy decision when it expires in 2025. Without this, personal data will no longer flow uninhibited between the EU and the UK. Any change in the UK’s data protection regime that lowers the standard of data protection in the UK may put at risk the UK’s status as an adequate destination for EU personal data under the EU GDPR. There will be debate as to whether these UK changes lower that standard. This will be subjective and difficult to calculate objectively. There is no right of appeal.
To that end, a number of the more controversial proposals in the initial consultation have been dropped, such as the abolition of the right to object to solely automated decision making completely and allowing repetitive use of export derogations.
The figures suggest that the economic benefits of these reforms equal the cost to the UK of the potential loss of its adequacy status. The reaction of the EU to the detail of these proposals may well decide the extent and scope of these changes and future reform.
The adequacy status decision by the EU will not be dictated solely by UK reforms to GDPR. The UK can now make its own adequacy decisions for other countries with no reference to the EU. The UK may regard Australia as ‘adequate’ and allow data transfers, but the EU may not. If the UK is taking a different approach to domestic privacy law than the EU, this can only increase the possibility of the UK taking a different view of another country’s privacy set-up. The UK may regard that country as adequate, but the EU may disagree.
The award by the UK of its own adequacy decisions could affect the EU-UK adequacy decision. For example, the EU-US data transfer arrangements are controversial, with the EU always having been sceptical about US privacy law. We had the “Safe Harbour” followed by the “Privacy Shield”.
The UK is pursuing adequacy decisions with priority jurisdictions, including the US. If the UK awards unqualified adequacy status to the US when the EU does not, that would make doing business with the US simpler for the UK, but could jeopardise the UK’s adequacy status with the EU. If the EU were to ignore the UK-US arrangements, EU personal data could be transferred to the US – a country not deemed adequate – via the UK, a country that is. The UK becomes a ‘Trojan horse’. That alone may jeopardise the UK’s adequacy status, even if the EU were happy with its domestic reforms.
Losing adequacy status would mean a lot of extra complexity for international organisations with a presence in both the EU and the UK, as well as for UK organisations doing business with the EU.
I close by speculating whether UK organisations will also need to continue to comply with EU requirements, as many of them have obligations under the EU GDPR. International organisations tend to take a regional approach to compliance, so they might wish to continue following EU requirements in the UK.
While the UK follows the GDPR this is not an issue, but once the changes have been made, what will the ICO’s view be of multinationals based in the UK that follow the EU GDPR rather than UK privacy law? UK businesses may effectively ‘opt in’ to the EU GDPR in order to avoid following two regimes. This raises the question of whether the ICO will regard the EU GDPR as offering the same privacy standard as the UK regime. Note that under EU law, individuals in the EU have the right to have their personal data processed outside the EU in accordance with the EU GDPR.
Alexander Egerton is a corporate partner at Seddons (seddons.co.uk).