On Thursday 16 June, the Department of Media, Culture & Sport (DCMS) published the response to its Data Reform consultation, outlining the proposals which would make it into the UK’s Data Reform Bill (announced in the Queen’s Speech in May). A copy of the Bill itself hasn’t yet been published, but now we know it will include:
- Removing the consent requirement for analytics cookies (they will be treated similarly to “strictly necessary” cookies). Consent requirements will be removed for all cookies “once automated technology is widely available to help users manage online preferences”. In other words, once browser-based or other technological solutions can be found. The opt-out model won’t apply to websites likely to be accessed by children, who will still need to provide opt-in consent.
- The creation of a limited list of approved “legitimate interests” processing, for which businesses won’t need to conduct a balancing test. Note that the Government will proceed with a narrower list than initially suggested in the consultation. (Even proponents of this reform noted the need for these permitted activities to be defined very precisely, so the devil may be in the drafting on this one.)
- Removing the requirement for DPIAs, Article 30 Records of Processing and mandatory DPOs, but organisations will still be required to have a “privacy management programme”, and a suitable individual appointed to oversee data protection compliance. (Potentially, therefore, a change which is more style than substance.)
- Reforms to the processing of personal data for scientific research, including a definition of “scientific research”, and allowing broad consent for scientific research. (The definition will be simply moved from Recital 159 to the operative text, so questionable whether this is a change at all.)
- Amending the threshold for refusing to comply with a Subject Access Request (SAR) to “vexatious or excessive”. (There may be some disappointment with this one, as “vexatious” still seems like a relatively high bar.)
- Extending the ‘soft opt-in’ so that it can be relied upon by non-commercial organisations, campaign groups and political parties. (No self-interest there, of course…).
- Increasing fines for non-compliance with PECR (the UK’s implementation of ePrivacy) to GDPR levels. This is particularly interesting because the ICO has been so much more active in issuing PECR fines (usually several each month) than fines under GDPR.
- Various reforms to the workings of the ICO, including changes to the process for issuing penalties and, for example, the power to compel witnesses to answer questions in investigations.
A number of proposals from the Consultation did not make it into the final list of proposals, including the suggestion to introduce a nominal fee for SARs, raising the threshold for personal data breach reporting, and removing the restrictions on automated decision-making under Article 22.
Much of the swirl around these new proposals will no doubt focus on whether they could impact the UK’s “adequacy” status granted by the EU, when it is reviewed in 2025 (or before then by way of a legal challenge). We know now that, when it comes to data transfers, nothing is ever certain, but we remain optimistic as to the UK’s continued adequacy. Whatever the Government may say, these are not “wholesale” reforms; the UK regime will remain very closely aligned with the GDPR.
It is also worth remembering that the UK’s adequacy status was never about our data protection regime – after all, our adequacy status wasn’t certain even with the UK retaining the GDPR ‘as is’. Rather, it was about the other UK laws allowing public authorities to access personal data, particularly for national security reasons (e.g. the Investigatory Powers Act), once the UK left the European Charter of Fundamental Rights. Any changes to these rules would pose far more of a threat than this tinkering with the GDPR.