Background
The UK government has issued its final response to its consultation “Data: a new direction” (launched on 10 September 2021). This was the government’s wide-ranging review of UK data protection laws post-Brexit.
Its response document was comprehensive. It is clear the government has considered the large volume of responses it received. However, it is also clear there are certain reforms that the government sees as priorities.
The big picture
The headline message from the response is that the package of changes proposed is not as radical or controversial as some of the possibilities proposed in the initial consultation. Recent Government comments indicate this was largely to protect the UK’s position as an “adequate” country from the EU’s perspective. However, there also appears to be a recognition that many fundamental concepts in GDPR remain sound.
Many organisations will likely be relieved that the hard work to develop GDPR-compliant frameworks and controls does not need to be completely revised. However, the proposals include sensible flexibility or clarification around some key topics – for example, see the approaches to automated decision-making and the use of special category data in connection with AI. There are also areas where further flexibility may come in the specifics, such as further processing permissions and international data transfers.
There is certainly plenty of detail for those organisations that wish to take the opportunity to review where they can benefit from the proposals.
Summary of significant changes
Some of the key headlines:
- Accountability: An overhaul of the accountability framework and replacement with a privacy management programme – although, in practice, organisations that are already compliant with UK GDPR accountability requirements will not be required to make further significant changes, which presents some flexibility for businesses.
- Cookies Consent: In time, the UK will move away from cookie consent to an opt-out model, along with further exemptions for non-invasive cookies.
- DSARs: Introduction of exemption from DSARs where vexatious (ICO guidance on this will be interesting in time).
- Legitimate Interests: Limited exemptions to the legitimate interests balancing test – details to follow, but seems that existing rules will continue to apply for most processing.
- International Transfers: More flexibility in process for UK adequacy decisions of third parties and scope to introduce additional international transfer mechanisms (although no details yet).
- ICO governance reforms: A mixed picture here, but certainly more opportunity for the government of the day to influence ICO priorities.
There were also clear developments to support greater use of AI technologies. This included the right to use special category data to train AI algorithms. However, further details about key elements of regulating AI are to follow in the government’s AI governance white paper due to be published soon.
What do organisations need to do? And what about the UK adequacy decision?
This response is an initial step in the UK data reform process, with detailed legislation to follow. It is notable that there was no specific reference to timing in the response documents, but we are expecting a draft Data Reform Bill during the next few months. Then the usual parliamentary process will take time. It is hard to know for certain now whether many changes would be expected during the parliamentary process. There may be other political priorities. And timing is uncertain – but perhaps 2022 or 2023.
At this stage, from a practical perspective, for those organisations that are keen to maintain their existing compliance frameworks (particularly if they are managing UK and EU GDPR compliance), there may be limited immediate actions that would need to be taken, although a review of the DPO role and appointment of a senior accountable individual will be necessary.
However, there is potential scope for organisations to adjust how they want to structure their risk management programmes, including flexibility in the type of privacy management programme implemented. Based on current proposals, this may include greater consideration of personal data processing, as well as volume and sensitivity, removal of mandatory DPIA and DPO requirements, removal of ROPA requirements and a greater emphasis on outcomes than documentation production. It is clear that high standards of data protection will be required, but how organisations can go about achieving them may present more opportunities.
A key concern for many organisations in relation to the UK’s data reform is the impact this will have on the EU Commission’s UK adequacy decision. As noted, the proposed changes are not generally controversial or particularly radical. The UK government has been closely engaged with its EU colleagues to find the right balance. Undoubtedly, the EU Commission will wait to see the specifics of the draft legislation. However, on this basis, obvious immediate threats to UK adequacy appear much reduced and, in reality, there will be both a legal and political dimension at play here.
The Dentons Privacy and Cybersecurity team will be preparing a more detailed analysis in relation to the- proposed changes and impact on organisations in the coming weeks, as well as hosting a series of webinars to discuss the proposals.
In more detail – an overview of the key changes
Further clarity on re-use of data
- Potentially helpful clarifications on re-use of personal data, but no major shifts in approach.
- Legislation to be simplified to clarify how personal data can be re-used, given lack of clarity in existing framework.
- Clarification to be provided on the difference between new processing and further processing – specifically in the context of a new data controller and whether or not this is considered new processing. The detail here may be interesting for organisations that wrestle with this, such as digital marketing etc.
- Further processing cannot take place when the original legal basis is consent, other than in very limited circumstances. This confirmed the existing law and guidance.
Exemptions for legitimate interests balancing test
- This appears to be a very limited exemption to the initial balancing test requirement (being limited to a short list of specific processing activities) with the ability for further processing activities to be added to that list (subject to parliamentary scrutiny). Therefore, there is some scope to avoid the balancing test, but initially this would only be in very limited circumstances.
- Initial limited number of processing activities to be exempt from balancing test.
- Likely to include crime prevention, reporting safeguarding concerns or, where necessary, for other important reasons of public interest. Anti-money laundering/fraud prevention proposals would be helpful here.
- Responses generally agreed that the balancing test should be maintained in respect of children’s data. Therefore, where the balancing test is removed, consideration is to be given as to whether additional safeguards are needed in respect of children’s data.
AI and machine learning
- There is a significant amount of detail on AI and machine learning but few concrete immediate changes with the majority of points to be considered at a later stage (e.g. consideration of fairness as part of wider AI governance white paper). Specific immediate changes include:
- The government plans to introduce a new condition to Schedule 1 of the DPA 2018 to enable the processing of sensitive personal data for the purpose of monitoring and correcting bias in AI systems.
- Automated decision making to be changed to right to specific safeguards rather than general prohibition. Aim is that reforms will enable deployment of AI powered automated decision making with appropriate safeguards in place.
Anonymisation
- The key change to anonymisation is the introduction of a specific relative test which may include:
- taking into account “reasonable means” and technology available; and
- where an organisation knows, or ought reasonably to know, passing data to another party is likely to result in re-identification.
- Intention is to avoid impossibly high standards for anonymisation. This would be a welcome, pragmatic approach to encourage use of this technology to increase security levels.
Changes to the accountability framework
- This is one of the more significant changes proposed. However, in practice, requirements are likely to be met by an organisation’s existing accountability framework with some practical changes to roles and documentation. Changes include:
- requirement for organisations to implement privacy management programmes. The response is clear that organisations which are currently compliant with UK GDPR would not need to change approach significantly in order to be compliant with these new requirements. The aim is to replace existing requirements with more flexible options and to avoid tick-box compliance exercises;
- privacy management programmes would be based on types of processing activities, and volume and sensitivity of data;
- removal of mandatory DPO requirements and replacement with senior accountable individual. Organisations can also continue to maintain the DPO role if they consider this the best way to manage compliance. Seems likely that new senior accountable individual would likely delegate/authorise a DPO-type role for operational/day-to-day management;
- removal of mandatory DPIA requirements but organisations still required to identify and manage risks
- removal of A30 record-keeping requirements. However, organisations are still required to have personal data inventories as part of privacy management programme which describe what and where personal data is held, why it is collected and how sensitive that data is. Organisations are also required to document purposes of processing. Therefore, in practice, whilst the content of the records of processing will change, there is still a practical requirement to maintain some details of processing activities; and
- removal of mandatory prior consultation and a move to voluntary mechanisms. This is a rarely used mechanism in any event.
Change to threshold for refusing to respond to DSARs
- The response acknowledges that DSARs can be time-consuming and resource-intensive and that they are being exploited (e.g. by claims management companies).
- Threshold for refusing to respond to a DSAR or charging a reasonable fee to be changed to “vexatious or excessive”. The extent organisations can rely on this exemption will be largely dependent on interpretation of this threshold by the ICO. However, this is a lower threshold to reach than “manifestly unfounded” and may give organisations greater scope to refuse to respond to truly vexatious requests (e.g. where used as a pre-disclosure exercise prior to litigation). ICO guidance seems likely on this point.
- However, proposals to impose a cost ceiling for DSARs are not being implemented. Therefore, this will continue to be a considerable administrative burden for organisations.
Privacy and electronic communications (PECR)
- Changes to cookie consent requirements are a key change highlighted in the response. These include
- immediate intention to permit cookies (and similar technologies) placed on user devices for small number of additional non-intrusive purposes, such as website traffic monitoring;
- future move to opt-out model for cookie consent, including requirement to provide clear information as to how to opt out. However, this would not apply to websites likely to be accessed by children;
- intention to legislate to remove cookie banner requirements for UK residents; and
- further consideration of browser-based solutions to manage cookies and opt-out preferences.
- Soft opt-in exemption to be extended to non-commercial organisations such as charities. This brings approach to non-commercial organisations in line with commercial organisations.
- PECR fines to be brought in line with UK GDPR and DPA 2018, allowing the ICO to issue fines of up to £17.5 million or 4% of a business’s global turnover.
International transfers
- A more agile approach to the international transfer regime will be adopted in order to facilitate the participation of domestic businesses in international markets and to encourage investment from abroad. The key changes that underpin this approach include the following:
- Adequacy
- Approach adequacy assessments with a focus on risk-based decision-making and outcomes, taking into account the likelihood and severity of actual risks to the rights of data subjects.
- Relaxation of the requirement to conduct a formal review of adequacy regulations every four years by implementing an ongoing monitoring process.
- Alternative Transfer Mechanisms
- Reforms to ensure that exporters of data can act pragmatically and proportionally when using alternative transfer mechanisms so that safeguards adopted are commensurate with the risks presented by the transfers. It is unclear what this approach entails; however, this may be an attempt to reduce the burden on organisations in complying with Schrems II requirements – this will depend on the wording of the Data Reform Bill.
- Provide the Secretary of State with the power to (i) create new UK mechanisms for transferring data overseas; and (ii) formally recognise the use of other international data transfer mechanisms where they achieve the outcomes required by UK law.
- Adequacy
Reform of the Information Commissioner’s Office
- ICO reforms provide greater oversight and control to the Secretary of State, including the right to sign off on guidance and codes of conduct, and set strategic priorities for the ICO.
- The response sets out how the government intends to improve the legislative framework which underpins the ICO including:
- government setting strategic priorities and clear strategic vision for the ICO;
- DCMS Secretary of State to prepare a statement of strategic priorities for the ICO;
- requirement on ICO to have regard to competition, growth and innovation as well as public safety; and
- new ICO reporting requirements, including publishing key performance indicators.
- Greater oversight for the Secretary of State with the introduction of a process for the Secretary of State to approve ICO codes of practice and statutory guidance (unless exempt).
- Changes to complaints process including:
- requirement on data subjects to first complain to data controller; and
- greater discretion for the ICO in terms of investigation of complaints, including refusal of vexatious complaints or complaints where data subject has not first attempted to resolve the issue directly with the data controller.
Credit: Source link
Bitcoin 
Ethereum 
Tether 
USD Coin 
BNB 
Binance USD 
Cardano 
XRP 
Solana 
Dogecoin 
Polkadot 
Dai 
TRON 
Shiba Inu 
LEO Token 
Wrapped Bitcoin 
Avalanche 
Lido Staked Ether 
Polygon 
Litecoin 
FTX 
OKB 
Cronos 
Chainlink 
Stellar 
NEAR Protocol 
Uniswap 
Cosmos Hub 
Algorand 
Monero 
Ethereum Classic 
Bitcoin Cash 
Theta Fuel 
Chain 
VeChain 
Flow 
The Sandbox 
Frax 
ApeCoin 
Hedera 
Decentraland 
Internet Computer 
Filecoin 
Tezos 
TrueUSD 
Axie Infinity 
Theta Network 
Elrond 
Bitcoin SV 
Helium 
KuCoin 
EOS 
Pax Dollar 
cUSDC 
Maker 
Aave 
Neutrino USD 
BitTorrent 
Huobi BTC 
Huobi 
IOTA 
eCash 
Quant 
Tenset 
USDD 
cETH 
The Graph 
Klaytn 
Zcash 
Fantom 
Radix 
Basic Attention 
Gate 
PAX Gold 
NEO 
Zilliqa 
cDAI 
THORChain 
Stacks 
Chiliz 
STEPN 
Waves 
Synthetix Network 
Arweave 
DeFiChain 
BitDAO 
Loopring 
Amp 
Enjin Coin 
Tether Gold 
Dash 
TerraClassicUSD 
PancakeSwap 
Kusama 
Evmos 
Gala 
Kava 
Celo 
1inch 
ECOMI 