Terms of UK Data Protection Act Reform Take Shape as DCMS Publishes Response to Consultation Proposals

The lengthy process of reforming the UK Data Protection Act took a big step forward and came into clearer focus recently as the long-awaited government response to a late 2021 consultation was finally published. This response lays out specific key changes that the government is seeking, and pares back some prior proposals that had caused an outcry.

UK Data Protection Act reform plan takes more definite shape with government response

The process of reforming the UK Data Protection Act dates back to the country’s complete “Brexit” break with the EU at the outset of 2021. No longer bound to comply with the EU’s General Data Protection Regulation (GDPR) terms, the UK opted to proceed in the near term with a GDPR-equivalent 2020 update to the UK Data Protection Act. This was meant as an immediate gap-bridging solution to preserve data partnership with the EU; much of the UK government, however, favored eventually making substantial changes to these rules.

A flurry of proposals followed throughout the summer of 2021, with the government undertaking a consultation running from September to November of 2021 to review them. The publication of the government’s response to the sprawling consultation results marks a more specific direction for the intended changes to the UK Data Protection Act.

One of the government’s themes for this transformation has been loosening data handling regulations to provide an economic boost to the UK, potentially at the cost of privacy. Some of its controversial proposals of this nature have been pulled back, but others remain. One of the lead items in this area is the end of the GDPR requirement that companies have a Data Protection Officer (DPO), instead allowing any “senior official” to take the lead on privacy programs.

Another key item is the proposed relaxing of cookie consent requirements. The government is looking to create a broader class of cookie types that are viewed as less personally invasive, such as those used for anonymized website metrics or fault detection, which would no longer be subject to the “banner ad” notification and consent requirements. The government did specify, however, that cross-site tracking cookies would not be exempted.

Some general loosening of the handling of personal data has also been proposed. The government wants to establish new categories of personal data that can be processed under more relaxed rules in the “public interest,” though it has declined to name these categories as yet. The government also said that it will consider relaxing data sharing rules for public service delivery, but called for further public consultation and review by Parliament.

Balancing act required for UK data privacy reforms

While prominent government figures have openly expressed desire for a more “business friendly” UK data market in recent months, the country is still essentially limited by the GDPR in that it must maintain a relative level of parity to continue to be considered an “adequate” data transfer partner by the EU nations. The proposals are thus far from being a complete privacy backslide from the current UK Data Protection Act terms.

One example is an increase in the current fine amounts prescribed by the Privacy and Electronic Communications Regulations 2003 (PECR), bringing the potential penalties in line with those allowed for by the GDPR. Another is additional opt-in requirements for political and charity organizations that collect personal data. And telecoms will be required to improve their network monitoring abilities to stay in compliance with tighter restrictions on nuisance calls.

The primary benefit for businesses at this point appears to be a strong focus on not requiring organizations that are already compliant with the UK Data Protection Act’s GDPR-equivalent standards to scramble to meet new requirements. If these terms hold, many organizations in this position would appear to have little to do to stay in compliance, save perhaps reviewing how the DPO role is handled and where their risk management program stands under the new rules.

One area that remains to be fully developed is the handling of adequacy decisions for cross-border data transfers. The government is aiming to reduce barriers introduced by the UK Data Protection Act, adopting a risk-based approach that weighs the relative value of approving a data partner. The proposal also removes the requirement that adequacy decisions be reviewed every four years, instead introducing a lower-impact monitoring system that runs on a continual basis.

Finally, the government looks to expand the capability of the Information Commissioner’s Office (ICO). The office would have greater flexibility in determining how it handles and investigates complaints, and would be governed by a new statutory board with a chief executive appointed by the board in consultation with the Secretary of State for the Department for Digital, Culture, Media & Sport (DCMS).

Senior Correspondent at CPO Magazine