The UK is engaging in a delicate balancing act to reform its previous data protection regulations with an eye toward making their compliance burdens less onerous
The United Kingdom recently announced a Data Reform Bill in the Queen’s Speech aimed at loosening data protection and privacy rules that are contained it is UK General Data Protection Regulation (GDPR), which was implemented in 2018. The new bill will reduce compliance burdens and make it easier for personal data to be reused for research, as well as reform the Information Commissioner’s Office (ICO), the government’s post-speech briefing pack said.
The UK’s Department for Digital, Culture, Media and Sport (DCMS), which leads this legislative agenda, is set to publish its response to the Data: a new direction consultation shortly. A timeline for a draft bill has yet to be set, a DCMS spokesperson said.
“While the government promises a lighter-touch, more outcomes-focused regime going forward, a potential further upheaval of the data protection regime in the coming months and years, and a regulator with more teeth, is likely to be a concern for many organizations,” wrote London-based law firm DAC Beachcroft in a report on the speech. “However, it is possible under the approach promised by the government in the Data Reform Bill that current compliance models will not need to be overhauled but could mean that UK organizations could adapt to have a more flexible approach to data protection compliance.”
EU equivalence decision threatened
Any material deviations could jeopardize the UK’s adequacy decision with the European Union, which allows for the free flow of personal data between the European Economic Area and the UK, based on a decision that was adopted in June 2021.
“Based on the consultation and the briefing notes, the suggestion is that the Data Reform Bill is likely to lead to de-regulation with respect to personal data in the UK. As yet, without sight of the bill itself, it is unknown exactly how far the UK government will in fact de-regulate and therefore deviate from the EU’s data protection regime,” wrote London-based Osborne Clarke.
The DCMS consultation makes the UK’s position clear. It is “perfectly possible and reasonable” to expect the UK to maintain EU adequacy even as it aims to change its current regime. Adequacy does not mean “verbatim equivalence of laws”, the DCMS paper said.
Data privacy professionals, however, point out that the UK starts from a position of already matching the EU GDPR, and changes to data transfers — particularly prioritizing countries the EU deems inadequate — could compromise the equivalence decision and encourage firms not to host personal data in the UK.
“Other countries have to change their regimes to move closer to the EU GDPR. It appears illogical, when EU GDPR is driving data protection law reform around the world, that the UK should be almost the only country looking to move in the opposite direction,” wrote Robert Baugh, chief executive at London-based privacy software company Keepabl, in his response to the DCMS consultation. “This will place additional burdens and disadvantages on UK businesses to change yet again for no proven benefit and major risk and uncertainty.”
Consultation concerns
The DCMS consultation, published in October, was met with concern, including from the Law Society, that its desire for innovation might erode the regime’s effectiveness, diminishing individuals’ controls over their personal data as well as the UK’s data protection regime overall.
“The fundamental right to protection of an individual’s privacy is underpinned by broad international consensus that personal data belongs to the individual, not to businesses. Any perception that the scales may start to tip in favor of businesses being allowed to use personal data for wider reasons at the cost of respect for (and effective measures to preserve) that privacy runs the risk of the UK no longer being seen as a global leader in data protection,” the Law Society wrote at the time.
The consultation proposed a laundry list of rule changes ranging from eliminating on-screen data privacy-pop ups to making it easier for firms and researchers to reuse personal data for purposes other than those originally intended, and potentially by another data controller. Making it easier to reuse data without obtaining further consent from the data subject will benefit research and technological innovation, DCMS said.
Many respondents, however, challenged the idea that data privacy laws stifled innovation. “It is crucial we continue to see the opportunities of digital innovation and the maintaining of high data protection standards as joint drivers of economic growth. Innovation is enabled, not threatened, by high data protection standards,” the UK ICO wrote in its consultation response.
The consultation further suggests the removal of data subjects’ right to have algorithmically executed decisions reviewed by a human. The volume of decisions to be made using algorithms will grow, and allowing human review will be too complex, DCMS said. “Resolving the complexity by simply removing the right to human review is not, in our view, in people’s interests and is likely to reduce trust in the use of AI,” the ICO said in its response.
BIS paper prioritizes individuals
A recent Bank for International Settlements (BIS) paper took a different approach to addressing complexity associated with managing personal data. The paper proposed a framework to empower individuals’ ability to manage their personal data instead of dealing with the problem by granting data processors broad and sweeping consent, which is included in some of the UK DCMS’ proposals.
The paper, The design of a data governance system, argued that a data governance system should restore control of data to the consumers and businesses generating it. A system that encompasses notice and consent, purpose limitation, data minimization, retention restriction, and use limitation can only be implemented digitally, the BIS stated.
“To obviate the need for provision of broad and sweeping ex ante consent, as is now the case, the granting of consent should be made more granular, specifying to whom data are provided, for how long, and for what purpose. Since multiple players are involved in data-sharing — such as financial service providers, data services providers, and data held by the government — the system must be open and interoperable. Data subjects should provide consent just before data is shared, it should be revocable once provided, and data subjects should have the right to audit data-sharing transactions ex post,” the BIS paper noted.
The BIS paper pointed to India’s Data Empowerment and Protection Architecture (DEPA) as an example of how a data governance framework could work using consent managers to oversee data and consent flows between data subjects and service providers. DEPA launched with nine financial services firms in 2021.
“This consent system embodies the protocols that translate privacy principles to the digital space, not least by mandating specialized data fiduciaries whose primary task — as the advocates of data subjects — is to ensure that data is shared in a fashion that respects widely agreed principles of effective data governance,” the BIS paper continued, adding that “the early results from the account aggregator framework are encouraging.”
