On 31 December 2020, the United Kingdom (UK) formally departed from the European Union (EU). Following that, on 1 January 2021, the EU-UK Trade and Cooperation Agreement entered provisionally into force. Among other things, this agreement provided for an interim regime, which ensured free flow of personal data between EU and UK, but for no more than six months.
In February 2021, UK Secretary of State for Digital, Culture, Media and Sport signalled UK’s intention to diverge from EU’s Data Protection Law (hereinafter EUDP). The Secretary stated “we [UK] do not need to copy and paste the EU’s rule book”.
Notwithstanding this announcement on 28 June 2021, the European Commission (EC) adopted adequacy decisions for the UK under EU General Data Protection (EU GDPR) and Law Enforcement Directive (LED) . This allowed personal data to flow freely from the EU to the UK without any additional safeguards. The adequacy was provided on the basis that the UK provides for an essentially equivalent level of data protection to that provided under EU law.
Soon after, the UK moved forward with reforming its data protection law. On 26 August 2021, the UK Government stated its intention to seize the opportunity and take back control of its data protection law. It announced the UK will be “developing a world leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK”. Finally, on 10 September 2021 UK Government’s Department for Digital, Culture, Media and Sport (hereinafter DCMS) published a proposal for reforming the UK data protection framework (hereinafter UKDP). The proposal encompasses UK General Data Protection Regulation (UK GDPR) , Data Protection Act 2018 (DPA) and Privacy and Electronic Communications Regulations (hereinafter UK ePrivacy). DCMS dubbed this consultation document as Data: a new Direction (hereinafter Consultation Document) and it also opened the same for public consultation till 19 November 2021.
The UK Government has touted these reforms as part of their agenda to create “an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data” . Therefore, it can be argued that these reforms prioritise the interests of data controllers / processors over those of data subjects.
The reforms seem evolutionary and very expansive in nature. Some reforms in DPA, may lead to dilution of data controller’s ‘accountability’ and have the potential to negatively impact data subjects’ rights and freedoms. Nonetheless at a macro-level, the reforms do not change the blueprint of UKDP drastically and it has kept it aligned with Council of Europe’s Data Protection Convention 108+ (DPC). UK has signalled its strong commitment to DPC stating that “[t]he UK’s data protection standards will remain fully aligned with the revised Convention 108”.
Given the events that have transpired thus far and also the UK Government’s eagerness to diverge from the EU, it will not be surprising to see even more radical reforms to UKDP. However, if the UK Government stays principally aligned with DPC, then it is highly likely they will continue meeting the standard of staying essentially equivalent to EUDP.
This paper aims to critically analyse the aforementioned Consultation Document and intends to compare it with EUDP, while highlighting the extent of divergence. It begins by explaining the European heritage of UKDP and positions it amidst contemporary EUDP. Thereafter, it granularly analyses the Consultation Document, whilst mainly staying focused on proposals which envisage drastic divergence from EUDP.
The European Heritage of UK’s Data Protection Law
While the UK was a member of the EU, it transposed EUDP into its domestic law. Therefore, the European heritage of UKDP is quite evident because it is largely modelled on EUDP . Some of the most prominent EUDP components which are practically UKDP’s bedrock are:
- Data Protection Directive (DPD)
- EU GDPR
- EU ePrivacy Directive 2002/58
As evident, the essence of EUDP still exists in UKDP and this must have been a strong impetus behind EC’s decision of providing the UK with a conditional and time-limited adequacy status under GDPR. Additionally, the core EU GDPR data protection principles, rights and obligations continue to remain a part of UKDP.
The UK citizens also have a fundamental right to respect for private and family life , which correlates to Article 7 Charter of Fundamental Rights of the European Union (EU Charter).
Research and re-use of data
DCMS envisions creating a “pro-business” environment in the UK, one which cultivates a cutting-edge research sector fueled by use of data. DCMS indicated that currently UKDP acts as an impediment to this vision mainly due to its complexity and impracticality.
DCMS proposes to include a brand-new legal basis for scientific research under Article 6 UK GDPR which will provide a condition for processing sensitive personal data for research purposes, however this is in line with a condition which already exists under Article 9. Therefore, it is hard to ascribe any material value to this proposal, because even today, the research community heavily relies on the lawful basis of public interest or necessary for a legitimate interest.
The Consultation Document also proposes to change the rules on reuse of personal data for research purposes. Specifically, proposals made establish that further processing of data, when it is based on a law which is significant from public interest point of view, does not conflict with the principles of ‘purpose limitation’ and same in the situation where processing is carried out by a different controller and/or when the original lawful basis was consent. Although the consultation paper confusingly implies that it would be enabling processing for “incompatible purposes” even in the latter context. It is intriguing to see that this proposal has opted for legislative amendment to achieve its objective rather than regulatory guidance.
Legitimising use of general public interest as a lawful basis and allowing it to override purpose limitation is concerning as it has potential to significantly weaken rights and freedoms of data subjects. The Court of Justice of EU (CJEU) Opinion on EU-Canada PNR Agreement (2017) highlights how a loose/broad translation of ‘public interest’ may disproportionately impact the privacy of data subjects.
A substantial body of case law based on CJEU judgements, indicates that the principle of ‘purpose limitation’, as enshrined under GDPR, is narrowly interpreted with clear boundaries. The ruling under ECJ, Case C-543/09, Deutsche Telekom  is most noteworthy in this context, wherein the ruling clarified that providing access of personal data to a third party does not equate to change of purpose, even when this happens in compliance with a national law.
With an aim to reduce administrative burden, DCMS proposed an exhaustive list of a limited number of legitimate interests which data processors may leverage to process personal data, without the need of performing a legitimate interest balancing assessment. It suggests that the benefits of purposes in this list, shall always outweigh the interests of individuals/data subjects. Although it is important to note, that this is disapplication of the requirement of performing a legitimate balancing assessment, instead of its denial.
The primary criticism of this proposal lies in the paucity of details and its vagueness. Although, DCMS justifies this vagueness by citing it as necessary to enable such a list to withstand the test of time. Despite this justification, the UK Information Commissioner’s Office (UK ICO) still criticises it stating, “…any such list would need very clear parameters. It would need to set out the nature, context and detail of the processing, given that this is all relevant to assessing where the balance lies. We are concerned that as currently set out in the consultation, the types of processing are too broad to provide the necessary certainty ”.
In particular, the proposal with respect to safeguarded research has a potential gap when it comes to applicability of legitimate interest, mainly in the context of research performed by educational institutions. “It may present particular problems for UK universities which may lack an obvious, specific and proportionate legal basis for their core research tasks, but who are also prohibited as public authorities from relying on the legitimate interest legal basis in this context.”
Another example of a potential gap may exist with regard to processing activity mentioned in the exemption list which relates to “reporting of criminal acts or safeguarding concerns to appropriate authorities” . The CJEU has delivered a ruling in the past that held national legislation which allows mass surveillance of electronic communications, for the purpose of fighting crime, violating the right to privacy and data protection.
Lastly, the proposal to remove the requirement of legitimate interest balancing assessment for audience measurement cookies and similar technologies, exhibit a radical divergence from EU GDPR principles ‘accountability’, ‘lawfulness, fairness and transparency’. This also has potential to further misalign UK ePrivacy with EU’s e-Privacy Directive, where the latter is expected to be succeeded by EU ePrivacy Regulation with stricter rules w.r.t usage of website cookies.
Artificial Intelligence (AI) and Machine Learning
The DCMS proposed several amendments and adjustments to various aspects of UKDP which affect AI. In regard to processing of personal data by AI and similar technologies, the proposal intends to reform the areas of inter alia “AI fairness”, data intermediaries, concept of data anonymization, automated decision making and bias monitoring using sensitive data.
The most radical and perhaps most controversial change proposed concerns ‘automated decision making’ under EU GDPR Article 22. The proposal aims to remove or more tightly limit the right to restrict being subject to automated decision making. The Consultation Document clarifies that, this proposal stems from the Taskforce on Innovation, Growth and Regulatory Reform. Altering this data subject right will certainly exhibit a significant divergence from EUDP and DPC. The current rules empower a data subject to exercise the right to restriction to automated processing by way of ‘human intervention’. The Consultation Document argues “capability to provide human review may, in future, not be practical or proportionate”.
On data anonymization, the Consultation Document mulls a legal test for determining anonymity of data. It proposes to write Recital 26 into the text of UK GDPR and include legal provision to allow linkage between data anonymity and means available with data controllers to re-identify such data. The second suggestion is in line with the approach in the CJEU case of Breyer v Germany when assessing whether dynamic IP addresses constitute personal data.
DCMS proposed several changes to responsibilities of data controllers and processors, as given under UK GDPR. These responsibilities are linked to ‘Accountability’, as enshrined under EU GDPR Article 5(2). DCMS envisages to reduce administrative burden on businesses by making GDPR compliance more predictable and practical.
However, it is perplexing to see that on one hand DCMS proposes to remove requirements for appointing a Data Protection Officer (DPO), maintaining Record of Processing Activity and performing Data Protection Impact Assessment, but with the other hand, it proposes for organisations to designate an individual who will be responsible for the privacy compliance program, a personal data inventory, and risk management processes and associated tools.
EU GDPR ensures accountability of data controllers and processors in a risk-based manner, which is proportionate to the specific context of those processing activities. The CJEU ruling in Fashion ID further emphasises the broad applicability of accountability principle. Therefore, these proposals, if implemented, may be a significant departure from EU GDPR’s Accountability principle.
Supervisory Authority Framework – Reforms of the UK’s ICO
The proposals made with regards to UK ICO are probably most radical and may cause severe alienation between UKDP and EUDP.
The EUDP, from DPD and now to GDPR, has propagated a powerful and independent supervisory authority as the cornerstone of its data protection regime. Therefore, DCMS’s proposals will clearly distance UKDP from EUDP at a fundamental level.
DCMS attempts to assign new duties on the ICO to have regard to economic growth, innovation and competition when discharging its functions. Furthermore, a new ICO governance model is proposed, which aligns its structure with other regulators, in the finance sector (i.e. a structure with a CEO and independent board). The most ground-breaking proposal is to empower the Secretary of State to appoint the CEO of ICO and approve (or reject) ICO guidance.
The divergence from EUDP is further highlighted by CJEU case laws where it reiterates significance of supervisory authority’s independence and its power to operate without any influence, it also reminds supervisory authorities of their primary responsibility, which is to monitor application of GDPR and ensure its enforcement.
In light of “Schrems II” and associated guidance from the European Data Protection Board (EDPB) , international transfer of data from the EU and the UK has become remarkably complex. The consultation document proposed several reforms to improve adoption of existing mechanisms, such as, codes of conduct and broadening the scope of existing mechanisms (derogations under EU GDPR Article 49 etc.). There is a drastic proposal mulling data exporters to make bespoke transfer mechanisms to safeguard personal data being transferred out of the UK, that too, in absence of UK ICO’s review or approval.
On adequacy decisioning, the Consultation Document suggests that the requirement to review adequacy decisions every 4 years must be reduced/eliminated and it should be possible to grant adequacy to a cluster of countries, regions and members of internationally recognized multilateral bodies. To support this, it is proposed that both administrative and judicial channels should help to establish presence of effective redress in a third country.
These proposals exhibit a reasonably different position taken in the EU, as exhibited by case law established in Schrems II and EU GDPR as well. It appears that the UK is paving the way ahead for forming bi/multi-lateral trade agreements including data transfers as well.
Data Subject Rights
Consultation Documents proposes to institute a nominal fee for data subjects who choose to exercise their right to access their personal data. By this, it envisages a reduction in administrative burden and reduction in requests which are purpose-blind, vexatious and disproportionately onerous in nature.
Although these proposals are not very radical, however, even slight divergence from EU GDPR on this aspect can be seen in serious light due to the centrality of ‘right to access’ amongst all the data subject rights enshrined in EU GDPR. Also, it is worth to note, that due to the role which subject access is designed to play in addressing “informational and power asymmetries”, “a blanket requirement to pay a fee even when these asymmetries are clearly present, and the request is straightforward might reasonably be considered ‘excessive’.”
In addition to the points above, the Consultation Document also proposes slight amendments to data breach notification rules, as defined under UK GDPR Article 33(1).
The slow departure of UKDP from EUDP can be metaphorically described as drop of water on a leaf of lotus plant i.e. “Lotus Leaf Effect”. Essentially indicating that, while the EU and the UK stand together (the UK still has adequate status under GDPR), they are now more distant than ever before on Data Protection.
The UK government shows intention to diverge from EUDP, which DCMS implies is burdensome and impractical. The UK Government attempts to position the UK as a “pro-business” and “pro-innovation” market, where economic growth is fueled by responsible use of data. A huge focus is seen to be on promotion of research and development industry via usage of data-intensive technologies, such as, AI.
The proposals do not put forward any ground-breaking reforms to enhance data subject rights, data controller accountability etc. Even the name of the chapters indicate the intended target audience i.e. local and international business community. DCMS announced more than 70 proposals highlighting mostly their economic advantages. DCMS has made an ineffective attempt to balance commercial and data subject interests by embellishing Consultation Document with cliché pro-privacy statements.
Although, due to noticeable similarities at core level currently the divergence of UKDP from EUDP does not appear to be radical, however, these proposals have potential to create discernable distinctions between them if they continue to progress in this direction.
If the UK tries to make reforms while staying anchored to its commitment towards DPC, then it may build a robust yet realistic data protection framework. However, if it continues to devalue data subject rights, in favour of commercial interests, then it risks tarnishing its image as an untrustworthy destination, in the context of data privacy and protection.
Any divergence between EUDP and UKDP is further exaggerated by the inapplicability of EU Charter (Article 7 and 8) in the UK after its exit from the EU. Although Article 7 of the EU Charter is incorporated into domestic UK law, application of Article 8 remains questionable. The Joint Committee on Human Rights of the UK House Lords and House of Commons, stated, “…the Bill [i.e. Data Protection Bill] does not explicitly incorporate Article 8 of the Charter [the EU Charter of Fundamental Rights]. Given the vast number of exemptions and derogations from these rights provided for in the Bill, there is a question as to whether the Bill offers protection that is equivalent to Article 8 of the Charter” .
Most notably, the reforms proposed for the UK ICO have the highest potential of creating a considerable void between EUDP and UKDP. This along with reforms related to accountability will most certainly influence EC’s UK’s adequacy assessments in the future. Although while assessing adequacy the EC usually does not seek for equivalence and does not expect data protection laws to remain identical in the third country (such as the UK).