Reforming the UK data protection landscape: creating an attractive global data marketplace, or regulatory uncertainty?
October 2022 | EXPERT BRIEFING | DATA PRIVACY
financierworldwide.com
In this article, we outline some of the key changes to the UK’s privacy regime expected to be implemented by the UK government’s proposed Data Protection and Digital Information Bill.
The bill was introduced into parliament in July 2022 as part of the UK government’s aims of making the post-Brexit UK a competitive and dynamic global marketplace, where international and UK organisations can benefit from flexible data and privacy regulation. Unlocking the power of data is one of the UK government’s technology priorities.
In 2019, data-driven trade generated an estimated £234bn for the UK economy and is a clear area for growth, being less affected than other sectors by issues such as coronavirus (COVID-19) pandemic-related lockdown measures and supply delays with raw materials.
The UK government’s impact assessment sets out that while there will be initial costs in familiarisation with the new regime, the decreased compliance burden under the bill will deliver a reduction in net costs for businesses of £66.1m per year. On top of cost savings, making the UK a less prescriptive data marketplace could make it a jurisdiction of choice for international and innovative processing. There will need to be a balancing act between the desire to reduce the burden of compliance and the need to safeguard individuals’ interests, in particular where data is being transferred between the UK and other jurisdictions with different regulatory requirements.
Current regime
UK data protection law currently largely follows the European General Data Protection Regulation (GDPR), which has applied since May 2018. Following Brexit, the GDPR was retained in UK law as the UK GDPR, which together with the Data Protection Act 2018 forms the key UK legislation.
The proposed reform will see a move away from the European position, with the UK to have its own independent regime. The bill has not been finalised and is due to be further debated over the coming months. The reforms suggested will entail real changes to both the use of personal data in the UK and international transfers involving the UK.
Contents of the bill
The contents of the bill broadly follow the proposals in the ‘Data: a new direction’ consultation into reforming the UK’s data regime launched in September 2021. The consultation made a large number of proposals to move toward an outcomes-based approach instead of the more prescriptive GDPR-based approach.
The government published the responses to the consultation in June 2022 with the bill having followed a month later. While it is not proceeding with some of the more ambitious proposals in the consultation (such as making research in itself a basis for processing data), a large number of proposals are to be implemented.
An indication of how the bill may work in practice may be found in other global data regimes which work on a similar outcomes-based approach. Interestingly, John Edwards, the new information commissioner, moved to that role after being privacy commissioner in New Zealand, where the Privacy Act 2020 is also outcomes-focused. He will doubtless bring his New Zealand outcomes-based experience to the Information Commissioner’s Office (ICO) regulation of the proposed new regime.
International transfers
Currently the UK’s international transfer regime follows the European list of countries deemed safe for international transfers. The government proposes implementing an independent framework for international transfers, adding in territories not currently deemed adequate by the European Commission (EC), including Singapore and the United States. The UK has already started to take steps toward independent international transfer agreements, such as having released the International Data Transfer Agreement, its equivalent of the European Model Clauses, earlier this year, and having recently agreed in principle a data adequacy agreement with the Republic of Korea.
Under the new regime, a new ‘data protection test’ will be used both by the UK to undertake adequacy assessments of other jurisdictions, and by businesses to assess the appropriateness of data transfers in the absence of an adequacy decision. The test will be outcomes and risk focused, with the ability to transfer data where the standard of protection in that country is ‘not materially lower’ than the UK regime. This is a clear move away from the European regime. While it may well result in more fluid and frequent data transfers between the UK and countries outside Europe, it may potentially put the EU’s adequacy decision for the UK at risk. This will be a key point to watch.
Privacy management programmes
One change which will impact every business processing personal data in the UK is the move to privacy management programmes, which will be more flexible than the current regime and focused on the outcomes of data processing rather than a set format of record keeping. Data protection impact assessments will become more streamlined and only ‘appropriate’ processing records will be required, as organisations reflect upon the extent and risk of their processing and the resources they have available to them.
This decreased record-keeping requirement will save costs, in particular where processing is lower risk. However, there is a risk of confusion and mixed outcomes, with a lack of certainty over how to exercise judgement and which compliance steps to take. Businesses will also doubtless incur costs in reviewing and implementing these changes, although the extent of what will need to be revised in practice is currently unclear. The government’s impact assessment envisages that businesses will need to take initial legal advice upon compliance, but will then be able to follow a data regime that is clearer than the GDPR-based regime.
Anonymisation and the reuse of personal data
The anonymisation (or pseudonymisation) of personal data is of interest to organisations across many sectors with businesses using personal data in increasingly innovative ways and implementing artificial intelligence (AI) algorithms to analyse data and inform future decisions.
It is not always clear whether personal data is being anonymised or just pseudonymised, and several guidance notes have been issued on this point by different supervisory authorities. The UK government proposes to make this more prescriptive and clearer by implementing a statutory test, being whether the data subject can be reidentified by using ‘reasonable means’. This clearer and more objective test is welcome in our view and may mean that the use of anonymised data becomes easier.
Another challenge faced by many businesses is whether they can reuse personal data for a reason other than the original purpose for which it was collected. This can be especially relevant where data is used to provide a service, and the business then wishes to use the data to analyse customer trends. The UK GDPR only allows the reuse of personal data when the further processing is compatible with the original purpose. The bill sets out a non-exhaustive list of risk-based factors to take into account when considering whether personal data can be reused and also usefully sets out a number of specific situations when reuse of data will be lawful, for example in relation to statistical purposes, scientific or historical research, public security and crime. The ability to use data for statistical and scientific research will be of particular interest to businesses operating in many sectors.
Regulation
A big question for many businesses is how the new regime will be regulated.
We are all familiar with the hefty fines currently available to the ICO in the event of a data breach or non-compliance. That regulatory approach, while unwelcome to many, fits well with the prescriptive way that the current UK regime operates, and provides certainty to businesses about how non-compliance will be treated. Since the advent of the GDPR, the ICO’s regulatory approach has become clearer, and the way that courts interpret the legislation and treat non-compliance in the context of civil claims has developed alongside this clarity. However, this has taken over four years to slowly filter through and for businesses to find their feet in terms of the regulatory environment.
While the legislative changes on the roadmap are more ‘evolution’ than ‘revolution’, the future regulatory environment looks a little more uncertain. Once the new legislation is in force, we will need to closely watch the ICO, and the courts, to see how the legislation will be interpreted and enforced in practice in light of the new risk-based approach.
There are clear proposals in the bill to increase the ICO’s regulatory powers (including the power to compel individuals to attend interviews), and to maintain the current high levels of fines. However, this is set against increased flexibility for businesses in how they comply with the new risk-based approach. Given the UK government’s focus on data-related markets, the ICO will also be required to have regard to ‘the desirability of promoting innovation and competition’ when carrying out its functions, and the government will also have a say in what the ICO’s strategic priorities should be.
It is unclear how this will work in practice. In our view, the current proposals add up to a more subjective and less certain regime for businesses, which will still be threatened with the ICO’s huge enforcement powers. Businesses will need more clarity over where their operational, financial and reputational risks will lie in this new environment, in particular because the bill is envisaged to sit alongside and amend the UK GDPR and Data Protection Act 2018 rather than replace them.
There is a potential risk that the regulatory environment under the proposed data protection reforms will put the UK in the worst of both worlds: eye-wateringly high fines, but uncertainty around operational compliance requirements.
What next?
We will be keenly watching the passage of the bill through parliament. We will be particularly interested in seeing how quickly it proceeds and whether the text is revised in any substantial way. While much of this may depend on whether the new prime minister sees data protection reform as a key priority, further guidance will be needed for businesses to properly understand how the bill will affect them in practice.
Victoria Robertson and Charlotte Clayson are partners at Trowers & Hamlins LLP. Ms Robertson can be contacted on +44 (0)161 838 2027 or by email: vrobertson@trowers.com. Ms Clayson can be contacted on +44 (0)20 7423 8087 or by email: cclayson@trowers.com.
© Financier Worldwide