The Government has introduced a new Data Protection Bill to UK Parliament, outlining the next stages of the UK Data Protection Regime post-Brexit. The new direction will replace the UK GDPR, adopted from the EU, with a reportedly less restrictive and more innovation-focused approach to data protection.
Formerly “Data: A New Direction”, the Data Protection and Digital Information Bill was introduced to the House of Commons on Monday 18th July, accompanied by a statement from Matt Warman, Minister for Media, Data and Digital Infrastructure.
The Bill contains changes to data protection, law enforcement access, online identity verification, biometrics, research, AI and the structure of the ICO, the UK data protection watchdog and regulator.
The Bill is the latest attempt by the current Government to shift away from what they consider restrictive and burdensome EU regulations. These include the European Convention on Human Rights (overseen by the Council of Europe, not the European Union) and the General Data Protection Regulation (GDPR).
While introducing the Bill, Matt Warman stated, “we will realise the opportunities of responsible data use whilst maintaining the UK’s high data protection standard,” noting that countries are not required to have the same rules to be granted data adequacy.
Adequacy is the mechanism that allows free cross-border data transfers between EU countries and those with compatible or ‘adequate’ data protection standards. Privacy and civil rights experts have warned that the new Bill could seriously compromise the UK’s adequacy status, which it only recently gained in June 2021. The loss of adequacy would jeopardise hundreds of businesses and organisations that rely on EU data transfers, potentially stopping such transfers in their tracks.
“Data: A New Direction” has been contentious since the UK Government launched it in September 2021, with privacy experts and digital rights proponents taking issue with the proposed changes. These groups argue that individuals’ rights are being stripped back in exchange for more freedom for businesses and organisations to use data, with less of the accountability and oversight that underpins the current GDPR.
But what are the changes, and how will they affect individuals and businesses?
Several proposals directly challenge existing parts of the UK GDPR, which the Government has deemed ‘restrictive’, intending to provide a more flexible data regime for businesses to operate in. Many of these proposals are a radical departure from the EU data protection philosophy, and that departure appears to have been a significant driver of the decision-making during the consultation: the aim is a distinct data protection regime that is not beholden to the EU’s high standards.
- Creating a limited list of legitimate interests under which businesses can process personal data without applying the balancing test
- Replacing the requirement to appoint a DPO with a requirement to designate a suitable individual to oversee the organisation’s data protection compliance
- Removing the requirement for Data Protection Impact Assessments
- Introducing a test for whether a subject access request is vexatious or excessive
The above proposals imply a shift away from the prescriptive accountability controls that underpin the GDPR towards a framework based on self-assessment, allowing businesses more flexibility when undertaking data processing. This comes at the expense of the transparency and objectivity that the Data Protection Officer role provides, and of the visibility of risks to data subjects that Data Protection Impact Assessments provide.
The downgrading of the data protection role is alarming. Rather than a DPO, organisations would need only a ‘responsible person’ to oversee their data protection efforts, which will present real challenges for organisations that are not sufficiently clued in on data protection and privacy developments. It may push UK data protection into box-ticking compliance territory for companies that lack the resources or expertise to properly inform and manage their data protection programme.
Subject Access Requests will be subject to a test to determine whether they are vexatious or excessive. Whilst many companies have dealt with frustrating and challenging Subject Access Requests, this new mechanism may allow organisations to effectively refuse to honour data subject rights by using the test as a roadblock, making it harder for data subjects to stay in control of their digital footprint.
Law enforcement agencies would no longer have to provide a justification for accessing specific data held by companies and organisations, which could open the door to abuse of power and significantly reduce the transparency of such operations.
Perhaps the most alarming revelation is Article 91A, which gives the Secretary of State the power to amend existing regulations, including the GDPR, without the need for primary legislation and the full parliamentary debate that entails. This is a worryingly undemocratic inclusion, allowing the legislative process to be circumvented and enabling the Secretary of State to change established law largely unchecked. Such changes would still have to go through the Statutory Instruments procedure in the House of Commons, but they would be bereft of any additional oversight.
Some of the more radical proposals are directed at ICO operations, including changes to its internal structure, and shifting enforcement priorities. The Government maintains that the proposals will enhance the ICO’s independence; a sentiment echoed by current Information Commissioner John Edwards:
“I share and support the ambition of these reforms. I am pleased to see the Government has taken our concerns about independence on board.”
The Bill contains several measures affecting the ICO’s operational structure. The changes include a new focus on economic growth, competition and innovation; removing the requirement to consult the ICO on high-risk data processing; increased oversight by the Secretary of State, including the ability for the Secretary of State to initiate reviews at their discretion; and the establishment of a non-executive board and a Chief Executive, both appointed by the Secretary of State.
During its introduction, Warman stated, “The ICO will remain operationally independent while enabling the public and parliament to more effectively hold it to account through key performance indicators.”
However, Mariano Delli Santi of the Open Rights Group highlights his concerns with the changes to the ICO:
“The secretary of state becomes the political master of the ICO,” Delli Santi says. “This makes the use of personal data by the government and other public authorities substantially unsupervised and exposes the entire function of the ICO to political manipulation, corporate capture, and cronyism.”
Here are the main proposals regarding the ICO:
- Removing the requirement for prior consultation with the ICO on high-risk processing
- Empowering ICO to take action against organisations for the number of unsolicited direct marketing calls ‘sent’ as well as calls ‘received’ and connected
- Empowering ICO to impose assessment notices on companies suspected of PECR breaches
- New statutory framework sets out the ICO’s strategic objectives and duties
- A new overarching duty for the ICO is to uphold data rights and to encourage trustworthy and responsible data use
- New duty for the ICO to have regard to economic growth and innovation
- New duty for the ICO to have regard to competition issues
- New duty for the ICO to consult with relevant regulators and any other relevant bodies when exercising its duties to have regard to growth, innovation and competition
- Establish an independent Board and Chief Executive for the ICO
- Appointing the non-executive board members by the DCMS SoS
- Chief Executive to be appointed by the DCMS Secretary of State. The alternative recommendation is for this to be an ICO Board appointment in consultation with the DCMS Secretary of State.
- Requirement for the ICO to develop & publish KPIs
- Requirement for the ICO to publish critical strategies and processes guiding its work
- Requirement for ICO to publish other information to aid transparency
- A power for the DCMS Secretary of State to initiate an independent review of the ICO’s activities and performance
Several proposals regarding the use of data in scientific research have been accepted, with the Government planning to proceed with implementation. These include:
- Consolidating research provisions into a single chapter
- Creating a statutory definition of scientific research
- Incorporating broad consent for scientific research into legislation
- Extending the “disproportionate effort” exemption on information provision requirements for further processing for research purposes of personal data collected directly from the data subject
These proposals remove regulatory barriers to research by making consent capture less prescriptive, with the aim of making the research sector more innovative, perhaps at the cost of data subject rights and freedoms. The consultation declined to set out a new legal basis for research processing, on the grounds that the existing legal bases are sufficient.
Currently, data collected for research can only be used within the scope of the specific research activity defined at the outset. The new, broader interpretation may allow companies to repurpose data for new research ventures without informing the data subjects or obtaining their consent. This could lead to abuse of the GDPR’s necessity and proportionality principles, allowing businesses to retain research data ‘just in case’, which is currently prohibited.
Going hand in hand with the push toward reducing regulatory barriers to research and development, a few key proposals have been accepted to enable AI and Machine Learning development.
- Enable organisations to use sensitive personal data to manage the risk of bias in their AI systems by clarifying that Schedule 1 Paragraph 8 can be used for processing necessary for ensuring bias monitoring, detection and correction
- Clarifying the limits and scope of Article 22 UK GDPR
Article 22 of the UK GDPR gives individuals the right not to be subject to decisions based solely on automated processing, including profiling, and is currently broad in scope. Imposing limitations on it suggests that the grounds on which individuals can challenge such processing will be narrowed, giving organisations greater latitude to engage in automated decision-making.
This may make it more difficult for individuals to enact their data subject rights and moves a layer of accountability away from companies and onto data subjects to uphold their rights, which is seen by some as a move towards the American litigious model of data protection.
The Bill lists some 28 criminal offences without specific definitions, examples or context. Clause 14 requires online platforms to pre-empt a court judgment and then act on the basis of their own self-assessment.
Online platforms will also be asked to tackle “content harmful to adults”, but they are not put under a statutory duty to remove it. Instead, they must state how they will treat this content under the oversight of Ofcom rather than the ICO.
Offending content should be removed and users prevented from accessing it. The basis for removal appears to be a subjective statement by the company, which need only “reasonably consider” that the content meets the criteria. This has raised many questions from campaigners about pre-emptive censorship and a possible resurfacing of ‘prior restraint’, a term for government action prohibiting speech before it happens.
Despite these undertones in the Bill, there has been little discussion of free speech. The new Minister for Online Safety, Damian Collins, insisted that “the Bill does not require platforms to restrict legal speech—let us be absolutely clear about that”.
However, MPs on both sides of the House have criticised the proposals. Joanna Cherry of the SNP acknowledged the “risk of an increase in content moderation” and that “freedom of speech is an important right that this House should promote, with the checks and balances set out in Article 10 of the ECHR.” Article 10 enshrines freedom of expression, which means safeguards would have to be introduced to protect lawful speech. However, the Government’s recent moves away from the ECHR may hamper efforts in this area.
On the other side of the aisle, David Davis of the Conservatives proposed an amendment to remove Clause 13 entirely on the grounds of likely unintended consequences to free speech and warned that such proposals would be ‘catastrophic’ for ordinary people’s freedom of speech.
The Data Protection and Digital Information Bill is, at the very least, a controversial shake-up of the established UK data protection regime. On one side are ministers, entrepreneurs and regulators, who view it as a slashing of regulatory burdens on businesses allowing innovation and competition to flourish. On the other side are the privacy campaigners, technology experts and human rights advocates who argue the new Bill will significantly weaken protections for individual data rights while giving a broader mandate to businesses and organisations seeking to utilise personal data, all under less scrutiny.
During the Bill consultation, Human Rights NGOs, including the Open Rights Group, were not invited to provide evidence or counterpoint, despite their vocal opposition to the Bill. The empty chamber during the introduction of the Bill also casts a worrying light on the Bill, suggesting a lack of urgency or oversight regarding the future of UK Data Protection.
Despite the controversies, the Bill has a way to go before it becomes law. The intention was to take the Bill through to its third reading in the Commons before the parliamentary recess from 21st July until September. However, it has yet to complete its second reading, and the remaining stages are expected to be taken in the autumn, likely under the direction of the new Prime Minister.
This gives businesses and organisations time to prepare for the changes and position themselves to comply with the new data protection regime. Whilst the changes claim to streamline data protection for businesses, there is still much work to be done to comply with both current and future requirements. This is no time to rest on laurels, particularly if the UK’s adequacy status is threatened. Compliance departments and data privacy professionals will have much more on their plates in the coming months.
Get in touch with Samurai Digital Security today to see how we can help improve your compliance and data protection posture.