Data: a new direction – government response to consultation


11th July 2022

Examining the ‘Data: a new direction’ consultation and the response to it. What does it mean for those involved in data protection and processing?

The consultation

On 17 June 2022, the government published its response to the ‘Data: a new direction’ consultation. The consultation was originally launched in September 2021 and aimed to develop proposals to reform the UK’s data protection laws with a new Data Reform Bill. In May 2022 the Queen’s Speech formally announced this Bill, which is expected to take forward the consultation proposals this year.

The response

In its response to the consultation, the government amended some proposals and provided much-needed clarity to organisations on elements that will be included in the Bill later this year. Although many of the proposals have been amended and re-defined, the items to be taken into the Data Reform Bill affect a wide number of areas within the current legislation:

  • (i) Research and Innovation

The government has rescinded its proposals to establish a new basis for processing personal data for research purposes. However, in response to concerns about a lack of clarity affecting research (including to provide a definition of scientific research) and innovation, they do intend to simplify the law around further re-use of personal data after it has been collected.

Plans have also been outlined to change the transparency obligations on businesses. This will be achieved by making a ‘disproportionate effect’ exemption available in cases where researchers collect personal data directly from subjects; however, it is confirmed that further definition is required.

  • (ii) Artificial Intelligence (AI)

The increasing use of AI-powered automated decision-making has been addressed. The government originally proposed abolishing the right not to be subject to a decision based solely on automated processing (Article 22) but confirmed in their response that this proposal will not be pursued. This amendment is in response to the majority of respondents stating that the right to human review of important decisions taken by a computer algorithm was a key safeguard.

A new condition will be inserted to enable the processing of sensitive personal data for the purpose of monitoring and correcting bias in AI systems.

  • (iii) Pre-approved legitimate interests

The government intends to pursue the pre-approved legitimate interests proposal for an initially limited number of processing activities, which appears narrower than requested by respondents. This is likely to include processing activities which are undertaken by data controllers to prevent crime or report safeguarding concerns, or which are necessary for other important reasons of public interest.

  • (iv) International data transfer

Not all the proposals to create flexibility for international data will be taken forward; however, the response proposes to give the Secretary of State power to create and recognise “alternative transfer mechanisms” for personal data outside the UK, in addition to changes in the law regarding the proportionality of using alternative transfer mechanisms.

The key issue will be the weight the Secretary of State gives to this power and whether the European Commission considers it problematic when reviewing the adequacy decision.

  • (v) Cookies

A three-phase approach to cookies is intended, which is a more substantial departure from the EU regime. These plans involve allowing cookies to be placed without the user’s consent for a small number of purposes, moving to an opt-out model of consent for website cookies and removing the requirement for cookie consent banners. In the third phase, the Department for Digital, Culture, Media and Sport (DCMS) will look to rely on browser-based and automated technologies to give users the ability to manage their own online preferences.

  • (vi) Subject Access Requests (SARs)

Although fees to process routine SARs will not be reintroduced, the threshold at which organisations can refuse to respond to SARs or charge a reasonable cost to process them will be changed. The government is also proposing to alter the criteria for when a business can refuse to respond, namely from the existing “manifestly unfounded or excessive” to when the request is “vexatious or excessive”. The DCMS state this will align the law to the Freedom of Information Act 2000 (FOIA).

  • (vii) Administration and Accountability

Plans to remove some administrative requirements from UK data protection law have been confirmed, as part of the commitment to reduce “red tape”; however, the proposed change to the legal threshold for notifying data breaches will not proceed. Although widely criticised by respondents, the government is pressing ahead with changes to impact assessments and the role of the DPO, with proposals that aim to allow a more proportionate approach and reduce the burden on smaller businesses.

  • (viii) Fines

Significant changes have been identified to the penalty regime under the Privacy and Electronic Communications Regulations (PECR) to enable the ICO (Information Commissioner’s Office) to tackle nuisance marketing. The maximum fine that can be imposed under PECR is to be increased from £500,000 to align with the UK GDPR (up to £17.5m or 4% of a business’ annual global turnover, whichever is higher).

EU relationship

It is unclear if these reforms will affect the UK’s data adequacy agreement with the EU. This agreement is contingent on the EU continuing to recognise the UK as having satisfactory data protection laws when compared with the EU regime.

Many industry experts had warned that attempts to deviate too far from GDPR could have put this agreement at risk, causing severe disruption for businesses across Europe. However, the Government have moved away from some of the more drastic changes which would have inevitably caused tension between the UK and EU. Therefore, it is hoped that these more modest reforms mean the EU Commission is less likely to revoke the UK’s adequacy finding.

In respect of organisations that operate internationally, it remains to be seen whether these proposals will lead to material changes to privacy compliance programmes.

ICO response

The proposals in the ‘Data: a new direction’ consultation have been broadly welcomed by both the ICO and the trade association techUK. The ICO in particular confirmed that the government had taken their concerns about independence on board and felt the proposed changes would enable the office to continue to work effectively and fairly.

Next steps

We now await the text of the Bill implementing those proposals, the timing of which is not yet clear. If you need legal advice regarding ‘Data: a new direction’ on any issue concerning data protection, contact our experts.

This article has been co-written by Elisabeth Bell, Tomos Lewis and Katie Greenaway.
