Corporate: Developments and divergence in data
There have been several recent developments in data protection. On 18 July the Government introduced the Data Protection and Digital Information Bill, together with a policy paper on artificial intelligence, and the following day the Information Commissioner's Office published its three-year strategic plan ("ICO25") at its annual conference. On 21 July the US and UK issued a joint statement announcing their intention to bring the Data Access Agreement into force.
Data Access Agreement
Taking the last development first, the agreement (signed in 2019) aims to further co-operation between the UK and US by allowing investigators in both countries better access to electronic data, so that law enforcement agencies can obtain the evidence needed to "bring offenders to justice". Although the statement declares that the agreement will not "compromise or erode… human rights and freedoms", it will allow US authorities to access personal data held in the UK, and it is uncertain how this will affect the UK's EU adequacy status. The agreement comes into force on 3 October 2022.
ICO25
ICO25 is open for consultation until 22 September and will be finalised in the autumn. One of its main proposals is to reduce compliance costs for businesses by publishing previous advice and additional compliance templates. However, given that the new bill will overhaul the ICO and its operations, how ICO25 develops after the consultation should be watched carefully.
Data Protection Bill
The bill is long and complex, and aims to allow more innovation and reduce compliance burdens (but see below). Focusing on its many changes to existing data protection and privacy legislation, the notable proposals currently include:
Personal data – A more subjective test would determine whether information is personal data or anonymous. This could result in the same data being regulated in the EU but not in the UK, and could affect the UK's EU adequacy decision.
Cookies and tracking – Again diverging from the EU approach, the bill proposes to relax consent requirements for cookies, particularly for information collected for statistical purposes or to improve a website or service. Web users are also to be able to opt in or out of cookie tracking through their browser.
Data protection impact assessments ("DPIAs") and records of processing activities ("ROPAs") – DPIAs are to be scrapped and replaced with an "assessment of high risk processing" (how this will differ from a DPIA has yet to be spelled out). Similarly, ROPAs are to be replaced with a "record of processing personal data".
DPOs – The obligation to appoint a data protection officer in certain circumstances is to be removed. Instead, public bodies and organisations carrying out high risk processing are to appoint a "senior responsible individual", who must be a member of senior management rather than merely reporting to it. Without further guidance, it is unclear how outsourced or external DPO arrangements would fit this new role.
The ICO itself – Significant changes are proposed here: the office of Information Commissioner would be abolished, a new governance structure introduced, and the functions transferred to a new statutory body, the Information Commission, with new powers (such as compelling individuals to attend interviews in criminal or civil investigations). In short, the Government proposes much closer involvement with the new body (described elsewhere as political control). This is in line with other regulators, but again potentially at odds with the EU, should it conclude that the UK no longer has an independent regulator of personal data.
Automated decision making – The right of individuals to challenge automated decision making is to be reframed and restricted to "significant decisions", rather than decisions that produce legal or similarly significant effects. This will be picked up in a subsequent discussion of AI systems and their proposed regulation.
DSARs – At present data subject access requests are "purpose blind": the right is available whatever the purpose behind the request, and in most cases at no cost to the individual. The bill would broaden the circumstances in which organisations can refuse to respond, or charge a fee, where a DSAR is "vexatious or excessive" (for example, requests not made in good faith, intended to cause distress, or amounting to an "abuse of process").
International transfers of personal data – Several significant changes are proposed, including a new "data protection test", which is met if the standard of protection in the destination country is "not materially lower" than that under the UK GDPR and the relevant parts of the Data Protection Act 2018. However, the requirement to consider whether the country has an "independent authority" (an EU requirement) would be removed, and a new requirement to consider "the constitution, traditions and culture of a country" introduced, on which no guidance is yet available.
Privacy and Electronic Communications Regulations 2003 – Maximum fines for breaches are to be raised to the UK GDPR scale (the higher of £17.5 million or 4% of global annual turnover), among other changes.
Legitimate interests – For certain specified activities, the existing balancing test (weighing the controller's interests against those of the individual) would no longer be required.
Access to customer/business data – The bill would allow regulations to be made requiring data holders to disclose customer and business data to customers or to third parties, and governing the processing and retention of such data.
The bill is at an early stage and we recommend paying close attention to its progress. If it passes, there will be some wins for organisations (such as in relation to DSARs), but they come at the cost of lower standards of protection for individuals, a potential dual regulatory regime for entities operating internationally, greatly increased fines for marketing breaches and, overall, a general increase in complexity. Given that some organisations are still reeling from the GDPR, we remain hopeful that the UK will not lose its EU adequacy decision, but taking the aims of the bill together with the US/UK Data Access Agreement, does that seem likely?