The UK left the European Union (EU) in January 2021. Of the many strands left unresolved, the future position of data-sharing arrangements between the UK and the EU was one of the most significant, given its impact on trade. This impasse was closed on 28 June of this year when the EU Commission granted adequacy status to the UK’s post-BREXIT data protection regime. Now, however, the UK has published a consultation paper, Data: a new direction, outlining its plans for reshaping those laws for the post-BREXIT trade landscape.
In this blogpost I will critically examine the salient changes contained within the above-referred consultation paper by focusing on eight key points, all the while drawing comparisons with the European General Data Protection Regulation (GDPR). Finally, by way of conclusion, I will analyse the political-economic agenda that underlies the suggested reforms, arguing that the sweeping proposals are excessively pro-business, as well as highlighting the ways in which the amendments, if made law, are likely to negatively affect the UK’s chances of retaining its valuable EU adequacy decision.
Data – A New Direction: Key Points
As regards accountability, the paper advances major changes to the current UK data protection regime, proposing to remove the mandatory requirements surrounding data protection impact assessments, records of processing and the appointment of data protection officers – requirements which the paper views as being ‘disproportionately burdensome for many organisations.’ In its place, it submits the concept of a privacy management programme (PMP) as a kind-of hold-all ‘risk-based accountability framework’ that assesses and manages data protection risk. Taking the pulse of risk exposure across an organisation, the idea is that such an assessment allows organisations to make their own decisions about how to manage their accountability framework.
I will now examine the key changes suggested in the area of accountability.
Data Protection Officers. In a controversial proposal, the consultation paper advances the idea of removing the obligation for certain organisations to appoint a data protection officer (DPO), and instead permitting a ‘suitable individual’ to be appointed as the PMP manager, who will also ensure data protection compliance. Citing the challenges that organisations might face in appointing ‘an individual with the requisite skills and who is sufficiently independent… especially in the case of smaller organisations’ , the paper argues that the GDPR is insufficiently flexible on the nature and role of DPOs.
This, however, is not borne out by the legislative reality. Articles 37 to 39 of the GDPR contain much flexibility which, precisely, takes account of the size and complexity of organisations. Article 37(2) allows ‘a group of undertakings to appoint a single data protection officer’; Article 37(3) permits groups of public authorities to appoint a single DPO ; Article 37(6) allows for the appointment of external parties to the DPO role; while Article 38(6) makes it clear that the DPO may be part-time, as well as holding other duties.
Additionally, as I have recently commented in a consultation response prepared by the Confederation of European Data Protection Organisations:
The proposed reform, which suggests that a person may be appointed as being responsible for data protection, (with considerable latitude for organizations to select that person) will risk a return to an unsatisfactory situation where data protection compliance will become the brief of a potentially unsuitable role-holder, – whether that be a Chief Information Officer, or a Head of Compliance, – and that, in the process, there will be an obvious loss of subject-matter expertise, not to mention the fact that data protection may thereby become a secondary consideration, or, at worst, an afterthought.
Data Protection Impact Assessments. In the area of risk management, the paper proposes to remove the mandatory requirement to conduct data protection impact assessments (DPIAs) in certain cases. Instead of an obligatory DPIA process, the paper notes that ‘organisations may adopt different approaches to identify and minimise data protection risks that better reflect their specific circumstances’ and that removing the obligation to conduct DPIAs would be ‘mitigated by the requirements of the privacy management programme’ which would ensure the management of ‘data protection risks across the organisation.’ Although there is merit to the paper’s nod to a context-specific risk methodology, the corresponding reality is that giving considerable leeway to organisations to manage risk via a range of alternative, unspecified means will allow uncertainty to seep into data protection risk management. A proliferation of methods for gauging risk, will in particular, make it more difficult for the ICO to establish, and enforce, a baseline standard for mitigating data subject risk.
Closely related to DPIAs, the paper further proposes to remove the prior consultation requirements contained in Article 36 of the EU GDPR, which oblige organisations to consult supervisory authorities where ‘the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.’ The reasons given are, firstly, that it would be preferable to encourage ad hoc dialogue with the ICO concerning high risk processing, rather than prescribing when and how organisations should communicate with the body, and that, secondly, the existing consultation mechanism is not used all that often. In the first instance, it is utopian to believe that significant numbers of organisations will voluntarily invite the ICO into internal considerations of high risk processing, and, in the second instance, the low use of the mechanism should not be a reason for jettisoning it, but instead, it should be a call for guidance on how the process could work better. The Article 36 mechanism remains a vital tool for ensuring that large organisations, in particular, consult supervisory authorities before launching initiatives.
Record Keeping. In a fundamental amendment, the paper tenders the notion that organisations would not need to retain full records of processing, as currently required by Article 30 of the GDPR, but instead would only have to retain ‘certain records’ based on their ‘volume and sensitivity of personal data’. Records of processing, from an external scrutiny perspective, represent the ‘keys to the kingdom’, the comprehensive map that allows a supervisory authority to question and peer into every corner of an organisation’s processing activities. Without this synoptic view, owing to incomplete records, it is questionable how the ICO could fulfill its regulatory brief.
Additionally, from the angle of ensuring data protection by design, the more detailed a picture an organisation has of its personal data, the more relevant its technical measures can be for safeguarding that data. As the cyber-security maxim goes ‘you can only protect what you know’, and, so, if the requirement for complete records is replaced by a sieve-like system that allows gaps based on the organisation’s assessment, the meaningful protection of data will be in doubt.
Subject Access Requests
Directly impacting data subject rights, the paper additionally suggests a return to fixed fees for lodging data subject access requests, (a fee which Article 12(5) of the EU GDPR has abolished ), a cap on the costs that organisations would be expected to incur from a request, as well as lowering the threshold for when organisations can refuse requests for being vexatious. Although the paper rightly points out that some access requests are motivated by ulterior purposes, beyond data protection concerns, and that a fee would winnow out the more spurious of these applications, a fixed charge will have a chilling effect on this right’s exercise. This will inevitably impact the poorest, and in many cases the most vulnerable data subjects, and, tellingly, the paper is notably silent on the matter of assessing this impact, yet it loudly proclaims the cost-impact to organisations.
Materially, such a change, compared to the current higher GDPR standard, could only amount to a diminishment of data subject protections. If the UK government is concerned about business cost-impact, a more balanced alternative would be the introduction of a turnover-based tiered system, with smaller organisations being allowed to charge a fee and cap costs, while with larger organisations continuing to be barred from such exemptions. This system would honour data subject rights in a proportionate manner while vitiating against the absurd prospect of trillion-dollar-valued companies, such as Google and Amazon, effectively claiming penury to avoid complying with access requests. As a bulwark against opaqueness, and the attendant threat of invisible processing, free access to data is essential to guarantee the fundamental transparency requirements of Article 5(1) (a) of the GDPR.
Data Breach Reporting
In a further significant proposal, the consultation paper suggests a relaxing of the criterion for the submission of breach reports to regulatory bodies. Currently, the UK legal position is that all breaches must be reported to the ICO ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.’ The change is motivated by the contention that, unnecessary breach reporting is taking place, because, it is argued, the ‘exemption can only be relied upon where there is likely to be no risk to an individual’s rights and freedoms, so even breaches which represent a low risk would be notifiable.’
The net effect, the argument continues, is costly precautionary over-reporting of breaches which realistically represent little or no risk to individuals. In place of such a regime, the paper’s proposal is to introduce a requirement that a material risk to data subjects must exist before a legal reporting duty would arise.
Tellingly, however, the paper’s suggestion provides ample room for organisations to not report a large range of breaches to the ICO. In a converse risk, this would likely lead to under-reporting of data breaches, with data subjects bearing the brunt.
Focusing on artificial intelligence (A.I.), the paper also advocates for the abolition of Article 22 of the GDPR , which mandates a right to human oversight for data subjects when certain automated decisions are taking place. The UK government’s position, showing a marked commercial leaning, is to remove the requirement for human involvement and instead, to ‘permit the use of solely automated A.I. systems on the basis of legitimate interests or public interests’.
If implemented, this change would expose data subjects to the risk of machines making unfair decisions about their lives, a situation which may also contravene the fairness obligations of the GDPR. Recent case law also supports this contention, notably the Ola case heard before the Dutch courts, which underlined the importance of human intervention in A.I. processing. To add extra spice to an already heady brew, with the publication of its draft Artificial Intelligence Act in April 2021, the direction of travel for the EU is towards greater, not less, regulation of the A.I. arena, thus opening up an even wider potential fault line with the UK.
International Data Transfer Mechanisms
With one eye firmly on post-BREXIT trade deals, the UK government has also outlined its intention to reconfigure its international data transfer mechanisms. Specifically, the paper tenders that the government could introduce new transfer mechanisms, that organisations could develop their own transfer mechanisms, and that the UK could rely on internationally certified schemes for the free flow of data. Of these proposals, the most alarming is the suggestion that organisations could fashion their own transfer mechanisms, leading to the prospect of a heterogeneous patchwork of transfer arrangements governing onward transfers of EU data. Compared to the highly standardized, consistent set of EU transfer mechanisms codified in the GDPR, such a potpourri of transfer measures will not give certainty to businesses (within or without the UK), and will certainly not endear hearts in Brussels.
These amendments, in the area of international data transfers, may well pose the greatest threat to the UK’s adequacy status. The manner in which EU personal data is transferred onwards from the UK to non-EEA locations is a risk that was highlighted in the UK’s adequacy decision, and any excessive loosening of standards will not likely be tolerated in Brussels. The tone was strident: ‘the Commission will closely monitor the situation’… and assess whether the different transfer mechanisms are used in a way that ensures the continuity of protection.’
Oversight of the ICO
On a governance level, the paper clearly evinces the UK government’s intention to assert greater control over the ICO, a step which will materially reduce the regulator’s independence. Of particular significance are amendments which would allow the relevant government minister to set strategic objectives for the ICO, to overrule the content of guidance documents, as well as a new duty for the ICO to get in line, and show greater deference to ‘economic growth and innovation when discharging its functions.’ On foot of these changes, compared to the independence enjoyed by EU supervisory authorities, the ICO will be a substantially weaker regulatory body. Furthermore, the progressive weakening of its powers will render the ICO helpless to halt the UK’s divergence from the EU standard – if the government sets the authority’s objectives, how can it offer meaningful resistance? It would appear that the UK government is keen to place structural, strategic handicaps on the remit of the ICO so as to clear the decks for a more determined economic agenda, a measure which will again weaken data subject rights.
Geo-Political Context and the Future of Adequacy
Although framed in the context of data protection reform, the sound and fury of BREXIT sabre-rattling bubbles away uneasily beneath the polite veneer of the paper, revealing an underlying political-economic agenda. The UK, now freed from the perceived constraints of the EU, wants to set its stall out to the business world as a light-touch-regulation outpost on the edge of the EU – a honey pot, if you will, to attract valuable tech business away from the EU with the alluring promise of a more innovation-friendly environment, all the while socialising the attendant risks by passing them on to data subjects. UK data protection reform is being subsumed into the wider BREXIT refrain of ‘Taking Back Control’ – the political slogan favoured by the Leave campaign. Keen – and in a considerable hurry – to realise the BREXIT dividend, political exigency is leading the UK to reform its data protection laws in a rushed and ill-considered manner.
Loudly proclaiming that the UK’s aim is to become ‘the world’s most attractive data marketplace’, no less – and mentioning ‘business’ 47 times, and ‘innovation’ no less than 71 times –the paper portrays an obvious preference for the interests of business and trade over those of data subjects.
Further belying this commercial agenda, accompanying the paper is a ‘Data Impact Analysis’, which breezily concludes that the UK stands to bank a net saving of £1.04bn from overhauling its data protection laws. I would argue that this analysis is an egregious, and profoundly misguided example of shoehorning qualitative matters (namely, impact to data subject rights) into quantitative financial analysis. Although qualitative matters are covered in a section entitled ‘Impacts on Privacy and Trust’, the treatment is less than one-page long – hardly a careful weighing of the scales. Rights have never made much sense when measured with an abacus – a point painfully demonstrated by this one-sided exercise in Panglossian economic optimism.
The UK, however, is not content to recast its own data protection laws, it also wishes to reshape the global data protection map. Its goal is to coax other jurisdictions out of the arms of Brussels, away from the growing perception that the GDPR standard is the gold standard, and instead towards adopting data protection laws that mirror the emerging UK framework. The ‘Brussels Effect’ has long been recognised within the international community, namely, the way in which the EU’s legal and policy regime influences the governmental direction of non-EU nations. Brussels, however, now has an aspiring contender on the world stage: the ‘London Effect’. Although the EU enjoys many years head start on the UK, as well clear realities to point to, such as Californian, Brazilian and South African data protection laws that consciously mimic the GDPR, the last punches in this geo-political tussle have not yet been thrown.
When the EU granted data adequacy to the UK, it did so subject to some key conditions. Importantly, for the first time in such deliberations, the EU Commission included a sunset provision that sees adequacy expiring automatically after four years, with its continuance depending on a satisfactory review. Additionally, the accompanying press release underlined that this clause has teeth, emphasising that close scrutiny would be given to the ‘possibility of future divergence from our standards in the UK’s privacy framework… and if anything changes on the UK side, we will intervene’.
The UK, meanwhile, is confident it can walk the tightrope and retain adequacy, while revamping its data protection regime. ‘The government believes it is perfectly possible … to expect the UK to maintain EU adequacy as it … moves to implement any reforms in the future.’
The reality, however, is that the UK is most likely playing with fire, and faces the real prospect of losing its EU adequacy decision, something which may mean more to the UK economy in the longer term than any short-term trade deals. What is more, and what may, perhaps, be the most decisive factor in the future of its data protection laws, is the fact that even domestic UK companies, faced with the prospect of a diluted UK regime and the more robust EU framework, are likely to prefer to adhere to GPDR practices, knowing that doing so will prove much more beneficial in a world that is increasingly viewing the GDPR as the gold standard of data protection. Trade may well determine this matter after all, just not in the manner that Whitehall had imagined.