UK Consultation on New Data Regime: Opportunities and Costs

October 26, 2021
On September 10, 2021, the UK government launched a consultation to reshape the data protection regulatory framework, looking at the country’s exit from the EU as an opportunity to enhance the current regime.

The aim of the consultation is to set a data protection framework that, while keeping the protection of data at its core, will:

  • Support competition, technology developments and innovation.
  • Avoid the creation of obstacles to the use of data.
  • Ensure the UK's reputation as a hub where data is handled in a safe and smooth manner, so as to support trade deals with important economies around the world.
  • Assist businesses to avoid unnecessary risks when using data.
  • Provide the Information Commissioner’s Office (ICO), the country’s data protection authority, with the tools necessary to perform its functions.

This regulatory analysis looks at the proposed reforms and the potential impact they may have on organisations, both from a compliance and economic perspective.

Background

According to the “Analysis of expected impact” accompanying the consultation, “approximately 40% of UK businesses report lacking certainty on key definitions in the UK's data protection regime, what people’s data rights are and how and when to report a breach”.

It also found that the current framework may negatively affect innovation, business opportunities, investment in new technology firms and data-driven sectors. According to the impact analysis, “[t]he current data protection regime is complex to interpret and apply”, with 53 percent of the respondents who believe that the General Data Protection Regulation (GDPR) needs clarifications claiming to have to spend large amounts of time identifying the requirements with which they have to comply.

This consultation is part of a wider government plan. On December 9, 2020, the UK government announced the National Data Strategy, which sees the responsible and strategic use of data as an opportunity for innovation in both public and private sectors, as well as to increase productivity. It identified the following five areas of priority for the UK data regime:

  • Exploiting the full potential of data, making “data usable, accessible and available across the economy, while protecting people’s data rights and private enterprises’ intellectual property”.
  • Supporting both small and large companies, avoiding areas of uncertainty or risk.
  • Improving the use of data across the public sector, as the COVID-19 pandemic has shown that access to data can protect and benefit society.
  • Ensuring data infrastructure is secure and resilient.
  • Supporting the UK’s role as leader in the international data protection scene, so as to allow a profitable and secure cross-border flow of data.

Earlier this year, the government also announced the Digital Regulation Plan and Online Safety Bill. The plan is aimed at “setting out a pro-innovation approach to regulating digital technologies”, with three key objectives: promoting competition and innovation; keeping the UK safe and secure online; and promoting a democratic society. The Online Safety Bill aims to establish “a new regulatory framework to tackle harmful content online”.

Decreasing obstacles to responsible innovation

One of the reform’s aims proposed in the consultation is to ensure certainty of the regulatory framework, so that it can be interpreted and applied more easily, avoiding burdens and risks due to unclear legal provisions. It also recognises that it should be adaptable to data-driven technology changes, so as to facilitate and support innovation.

To this effect, the document focuses, among others, on the following:

  • “Re-use” of data, also known as “further processing”, as lawfulness of data re-use can benefit data controllers, data subjects and society. Article 6, paragraph 4 of the UK GDPR provides the conditions under which further processing can be considered “compatible with the purpose for which the personal data are initially collected”. The government has identified a lack of clarity in the interpretation of these provisions:
      • When data can be re-used by a controller who differs from the one who collected the data. The government will consider if these circumstances should be clarified.
      • The current provisions suggest that the original lawful purpose can be used for the further processing of the data. However, the government will consider whether to allow re-use for a purpose that differs from the initial one, specifically re-use for public interest.
  • Clarifying lawful purpose to process data. The consultation document states that a high percentage of stakeholders who engaged with the government expressed a need for clarification. The government believes that the uncertainty is particularly due to over-relying on consent. Therefore, the government is considering specifying a list of circumstances of when a lawful purpose can be identified, such as reporting of criminal acts or improving the safety of a product or service.
  • Establishing “the role of data protection legislation in increasing public trust in the use of AI systems”, as the government recognises the importance of data-driven artificial intelligence (AI) systems tools.
  • Clarifying when data can be considered anonymous. When data is not anonymous, it needs to be safeguarded through pseudonymisation or anonymisation. Anonymous data does not currently fall within the UK GDPR’s scope.

Reducing costs and delivering better results

The government intends to encourage businesses to invest in tools and practices that ensure effective data protection policies and processes as part of a risk-based privacy management programme, to “ensure data privacy management is embraced holistically rather than just as a 'box-ticking' exercise”. The aim is to relieve small and medium-sized enterprises (SMEs) and organisations that undertake low-risk processing from the often disproportionate costs of demonstrating compliance.

Among its proposals, the government proposes to:

  • Remove the obligation to designate a data protection officer, to be replaced by a “suitable individual, or individuals, to be responsible for the privacy management programme and for overseeing the organisation’s data protection compliance”.
  • Modify the data Subject Access Request (SAR) regime. It appears that responding to SARs is often time-consuming, and sometimes access requests are used for purposes other than exercising the right to which they relate (i.e. to circumvent other longer procedures in civil litigation). The UK GDPR allows businesses to refuse the request or charge a “reasonable fee” in cases where it is “manifestly unfounded” or “manifestly excessive”. However, it appears that these circumstances are not commonly used by organisations. Although the government states that it will maintain and protect the right of access, it is considering introducing a fee regime to overcome these issues.

Boosting trade and reducing barriers to data flows

The government has expressed its intention to support the use of data to trade digital products and services, making the UK “an open, welcoming and secure destination for companies from all over the world to share data, grow their businesses and innovate across all sectors of the economy”, highlighting that the UK’s independence from the EU allows it to make separate agreements with other countries on data sharing.

Among other proposals, the government:

  • Is reviewing the alternative transfer mechanisms (ATMs) framework, which can be used to share data with a country that does not benefit from an adequacy decision, to ensure that it “is clear, flexible and provides the necessary protections for personal data”. Adequacy decisions are made by the European Commission under Article 45 of the GDPR to establish if a country outside the EU offers an “adequate” level of data protection. As a consequence of such a decision, data transfers to that country do not need any further safeguard.
  • Proposes to exempt “reverse transfers” from the scope of the UK international transfer regime. When the UK receives data that originates from another country, this data falls under the UK GDPR protection. Therefore, when making a “reverse transfer” back to the sender, a UK GDPR transfer mechanism must be used. The exemption would relieve businesses from having to use such a mechanism when carrying out reverse transfers, as the government believes the data is sufficiently protected.
  • Proposes to empower the Secretary of State “to formally recognise new alternative transfer mechanisms”.

Reform of the Information Commissioner's Office

The government intends to invest in the ICO, ensuring it has the resources necessary to protect data rights and support businesses “that want to innovate responsibly”, while “tackling poor practices by those that do not meet the UK's high standards for data protection”. It also proposes “to strengthen the ICO’s existing obligations by placing a new duty on it to have regard for economic growth and innovation when discharging its functions”.

Specifically for complaints, the government proposes a more efficient and effective regime:

  • Introducing a requirement for individuals to attempt to resolve the issue with the data controller before turning to the ICO.
  • Introducing an obligation for data controllers to have in place clear, smooth and transparent procedures to resolve complaints.

Under the current framework, the ICO has six months from the issue of the notice of intent to issue a final penalty notice. The government proposes to extend this period to 12 months to allow the ICO more time for its investigations.

The government is also proposing the provision of a so-called “stop-the-clock” mechanism, which would allow the ICO more time to assess cases when further information or documents are requested from the parties following their representations, but they are not provided on time, discouraging “delaying tactics”.

Costs arising from UK GDPR

According to the impact analysis, the following are the key compliance activities in relation to data that are generating costs in terms of time and money for firms:

  • Seeking legal advice.
  • Establishing a lawful ground for data processing.
  • Collecting consent to process personal data.
  • Responding to SARs.
  • Notifying data breaches to the ICO.
  • Keeping records of data processing activities.
  • Providing privacy notices.
  • Preparing data protection impact assessments (DPIAs).
  • Other internal compliance activities.

Expected impacts of the reforms

Benefits

The “Analysis of expected impact” estimated the reforms would reduce barriers to responsible innovation and burdens on business, while delivering better results for people, quantifying a net benefit of £1.45bn over ten years.

The impact analysis suggests that clarifying requirements would reduce uncertainty, consequently reducing compliance costs for firms (i.e., reduced need to seek legal advice, fewer breaches to be notified, etc.) and increasing use of AI systems. Data can enhance productivity via its use for decision-making and to improve processes, as well as “enabling new products (often personalised and free), and powering new technologies through big data, AI and data analysis”. It will also produce benefits for consumers.

Costs

The analysis has also estimated a one-off cost of between £75m and £184m, to be borne in the first year, for organisations to get acquainted with the new measures.

Trade impacts

Benefits

The proposed use of ATMs to transfer data internationally is expected to reduce transaction costs and increase data flow to countries which do not benefit from a European Commission adequacy decision. “Cross-border data transfers are a key facilitator of international trade, particularly for digitised services,” according to the government.

Costs

If the UK were to lose its adequacy decision from the EU, both EU and UK firms would have to bear costs for missing business opportunities and for using ATMs. Estimated costs for UK businesses would amount to around £1.4bn over five years.

Other impacts

Overall, the reform is expected to reduce ambiguity for businesses, offering better public services, enhancing regulatory oversight, increasing innovation, as well as maintaining high standards of data protection and consumer trust in data sharing. In particular, improving the regulatory oversight would mean that the ICO would dedicate its resources to address issues related to “public trust and inappropriate barriers to responsible data use”, rather than handling small complaints.

ICO’s response

On October 7, 2021, the ICO published its response to the consultation, generally welcoming the government’s review. The response highlights the importance of maintaining and further developing public trust and of supporting innovation via high levels of data protection. It shares the view that requirements imposed on firms should be proportionate to the risk of handling personal data and broadly agrees with the reforms, such as providing the ICO with the necessary resources to exercise its functions and supporting international trade. However, the information commissioner invites the government to reconsider its “proposals for the Secretary of State to approve ICO guidance and to appoint the CEO”, as the ICO does not deem them sufficient to safeguard its independence. Specifically, it stated that “giving the Secretary of State the power to approve or reject codes of practice and complex or novel guidance (chapter five) would reduce the ICO’s independence”.

Conclusion

The UK government sees Brexit as an opportunity to strengthen and enhance the country’s data regime. It intends to keep protecting people’s data protection rights while supporting innovation and use of data-driven solutions, which would enhance productivity and could benefit both firms and consumers. The reforms are also expected to clarify the requirements for firms, so as to reduce compliance burdens in terms of costs and time. The government also intends to build a framework which supports agreements with other countries to guarantee a safe and international data flow that benefits trade deals. However, the proposed reforms are also expected to produce costs, such as the one-off cost for organisations to get familiar with the new provisions and the ones which would arise in case of loss of EU adequacy.

Next steps

The consultation is open until November 19, 2021. Responses can be submitted online, via email to DataReformConsultation@dcms.gov.uk or via post to: Domestic Data Protection team, DCMS, 100 Parliament Street, London, SW1A 2BQ.

The government will publish its response once it has taken into consideration all the responses received. However, it did not provide a specific date for when this will happen.
