On 10 September 2021, the UK Government launched a consultation entitled “Data: A new direction” intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Cynics will say that it is an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the European Union.
Back in May, the Prime Ministerial Taskforce on Innovation, Growth, and Regulatory Reform (TIGRR) published a 130-page report setting out a “new regulatory framework” for the UK. Saying that the current data protection regime contained too many onerous compliance requirements, it suggested that the government:
“Replace the UK GDPR with a new, more proportionate, UK Framework of Citizen Data Rights to give people greater control of their data while allowing data to flow more freely and drive growth across healthcare, public services and the digital economy.”
Many of the recommendations made in the TIGRR Report can be found in the latest consultation document:
Research and Re Use of Data
- Consolidating and bringing together research-specific provisions in the UK GDPR, “bringing greater clarity to the range of relevant provisions and how they relate to each other.”
- Incorporating a clearer definition of “scientific research” into the legislation.
- Clarifying in legislation how university research projects can rely on tasks in the public interest (Article 6(1)(e) of the UK GDPR) as a lawful ground for personal data processing.
- Creating a new, separate lawful ground for research, subject to suitable safeguards.
- Clarifying in legislation that data subjects should be allowed to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection.
- Stating explicitly that the further use of data for research purposes is both always compatible with the original purpose and lawful under Article 6(1) of the UK GDPR.
- Replicating the Article 14(5)(b) exemption (disproportionate effort) in Article 13 (privacy notice), limited only to controllers processing personal data for research purposes.
- Amending the law to facilitate innovative re-use of data for different purposes and by different data controllers.
- Creating a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test “in order to give them more confidence to process personal data without unnecessary recourse to consent.”
AI, Machine Learning and Automated Decision Making
- Stipulating that processing personal data for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest in the terms of Article 6(1)(f) for which the balancing test is not required.
- Enabling organisations to use personal data and sensitive personal data for the purpose of managing the risk of bias in their AI systems by amending/clarifying the legitimate interests ground under Art 6 and clarifying/amending schedule 1 of the DPA 2018 (Special Category Data Processing).
- Removing Article 22 of UK GDPR (the right not to be subject to a decision resulting from solely automated processing if that decision has significant effects on the individual) and permitting solely automated decision making subject to compliance with the rest of the data protection legislation.
- Allowing data controllers to implementing a more flexible and risk-based accountability framework, which is based on privacy management programmes, that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out.
- To support the implementation of the new accountability framework the government intends to remove the requirement to:
- Designate a data protection officer
- The requirement to undertake a data protection impact assessment
- Consult the ICO in relation to high-risk personal data processing that cannot be mitigated (Article 36)
- The record keeping requirements under Article 30
- The need to report a data breach where the risk to individuals is “not material”
- Introducing a new voluntary undertakings process.
- Adding more countries to the adequate list by “progressing an ambitious programme of adequacy assessments.”
- Adding easier and more international transfer mechanisms.
- Allowing repetitive use of Article 49 derogations.
PECR and Marketing
- Permitting organisations to use analytics cookies and similar technologies without the users’ consent.
- Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
- Extending “the soft opt-in” to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription.
- Making it easier for political parties to use data for “political engagement”.
- Increasing the fines that can be imposed under PECR to GDPR levels.
- Including “a clear test for determining when data will be regarded as anonymous” within the UK GDPR.
- Introducing a fee regime (similar to that in the Freedom of Information Act 2000) for access to personal data held by all data controllers.
- Requiring the ICO to consider not just data protection but also “growth and innovation” as well as competition.
Businesses may welcome many of these proposals which they might see as limiting the administrative burden of the current data protection regime particularly reporting data breaches and conducting DPIAs. The Government also seems intent on liberalising access to data, to generate a broader market for it, which will suit the commercial interests of big business but at what privacy cost? The consultation runs until 19 November 2021.
What are your thoughts? Let us know in the comment field.
Our GDPR Practitioner Certificate is our most popular certificate course available both online and classroom. We have added more dates.