The Government's consultation on changes to the UK data protection regime make for eye-opening reading (particularly, one suspects, for the EU Commissioners who certified the UK's laws as offering adequate protection for personal data less than 3 months ago).
The focus of the consultation is overwhelmingly on liberalising the UK's data protection laws. It's undeniable that some businesses have struggled with GDPR compliance, particularly the need to create paper trails, and a focus on substance rather than form would be a welcome development. But many will feel that the consultation proposals tip the balance too far against the privacy rights of individuals, as well as setting up potential conflicts with the EU as to whether EU-based controllers will be able lawfully to transfer personal data to the UK in the future.
In more detail...
In the wake of COVID, few would disagree about the importance of scientific research. The Government's proposals would make it easier for personal data to be used for such research, either on the basis of the individual's consent (even when the purpose of processing was not identified precisely when consent was obtained), or when the data was collected for a different purpose, without informing the individuals first.
"Consent fatigue" is also cited as a reason for clarifying (and in reality loosening) the rules governing the processing of data on the basis of an organisation's "legitimate interests". Currently, organisations seeking to rely on their legitimate interests as a basis for processing have to weigh this against the individual's privacy rights. The Government proposes to develop a list of legitimate interests where this balancing exercise would no longer be required. The Government also proposes to introduce a separate lawful ground for processing to improve customer services through innovation, which is potentially broad in scope.
The importance of AI is a constant theme of the proposals. The proposals would enable organisations to make purely automated decisions affecting individuals without human involvement, providing that the processing was on a lawful basis (and other requirements under the UK GDPR were met). There are also proposals aimed at making it easier for organisations to eliminate bias from AI technologies by enabling them to process personal data for this purpose.
Another theme is reducing perceived bureaucracy. The consultation indicates that the Government wishes to move away from the detailed record-keeping requirements of the GDPR to a more flexible requirement for organisations to have a risk-based 'privacy management programme'. The requirement for data privacy impact assessments and prior notification of the ICO for certain processing activities would also be removed.
HR teams and employment lawyers will be interested to see the proposals for data subject access requests, which are widely used in employment disputes. The Government proposes the return of fees for making such requests (although it seems unlikely that a fee would deter many requests, particularly where used as a litigation tactic). If the fee is linked to the costs of complying with the request, as under the Freedom of Information Act regime, this may, however, encourage more focused requests.
The ICO de-fanged?
The ICO would be subject to more Government oversight and individuals would need to seek to negotiate a solution with a data controller before making a complaint about them. Many individuals already perceive the ICO to be ineffective at dealing with such complaints, and this proposal would do little to alter that perception.
The requirement to report data breaches to the ICO would also be relaxed, with an obligation to report only where there is a 'material' risk to individuals.
The proposals also indicate that the Government intends to fast-track adequacy decisions for a number of countries, including the US, to enable UK-based controllers to share data more readily across borders. Given that the EU-USA data transfer arrangements have already been declared unlawful by the ECJ, this seems likely to raise concerns that the UK's stance would enable transfer of data from the EU to the US via the back door. Even if the EU did not proactively revoke the adequacy decision in favour of the UK, it seems likely that privacy campaigners would seek to challenge the adequacy decision through litigation if these proposals become law.
There's a lot to chew on, for businesses and individuals alike - and, in many cases, the devil will be in the detail.