In the wake of Brexit, the Commission has granted the UK an EU adequacy decision regarding its level of data protection. As you perhaps already know, the effect of an adequacy decision is that personal data can flow freely from the EEA to the third country the decision is granted to, without any further safeguards being necessary. That said, it should be noted that the UK GDPR, which has been in place since 1 January 2021, is based on the EU GDPR, and the two sets of legislation are therefore very similar to each other. However, changes to the UK GDPR are approaching.
To round off London Tech Week 2022, the UK government announced proposals to reform the UK’s data protection laws, which aim to secure a pro-growth and trusted data regime. The proposals outline the effects that the Data Reform Bill, presented in the Queen’s Speech of 2022 to reform the UK GDPR, is intended to have with regard to the UK’s position as a data marketplace.
These are some interesting takeaways from the proposals that the UK government plans to proceed with:
1. DPO is no more
Instead, the government proposes that a senior responsible individual is appointed to manage compliance and the tasks previously assigned to the DPO. The motives for removing the requirement are to offer more flexibility in terms of managing data protection, especially benefitting smaller businesses, and to emphasise that data protection is established at a senior level so as to cement a culture of data protection throughout the organisation. However, nothing prevents businesses and organisations from continuing to use DPOs where they see fit.
2. Test for anonymisation
The government proposes to clarify when personal data is to be regarded as anonymous, and therefore falls outside the scope of the legislation, and when a living individual can be identified, and therefore falls within it. In addition, the government proposes to clarify in legislation that the test for whether anonymous data can be re-identified is a relative one, judged against the means available to the data controller at a given point in time, and that the test should be based on the explanatory report to the Council of Europe’s Convention 108+.
3. The requirement to seek consent to cookies will be altered
The government intends to remove the requirement for websites to display cookie banners to UK residents, and to allow cookies and similar technologies to be placed on a user’s device without their explicit consent, but only for a limited number of non-intrusive purposes. This applies to websites and connected technologies such as smartphones, smart TVs and similar devices, and could include cookies placed for the purpose of detecting faults on the website or for audience measurement purposes. Further down the line, the government intends to implement a model where cookies would be set without seeking consent from users on websites (except for sites likely to be accessed by children), but the website would be required to give visitors clear information on how to opt out. Taking into account the privacy of users, this model will not enter into force until browser-based and similar technologies that help users manage their cookie and opt-out preferences are more widely available. The government will then also require websites to respect automated signals emitted by these technologies.
4. Raising the fines under PECR to GDPR levels
The Privacy and Electronic Communications Regulations (PECR) sit alongside the DPA and the UK GDPR in regulating data protection in the UK. The proposal will allow the ICO to raise the fines under PECR to up to 17.4m GBP or 4% of a business’s global turnover, and aims to boost compliance, raise the profile of PECR among organisations, and harmonise the enforcement provisions more closely with those under the UK GDPR and DPA 2018.
5. The statutory deadline for the ICO to issue a penalty following a Notice of Intent will be amended
The ICO will be given greater flexibility when conducting complex investigations, as the government plans to introduce a provision permitting the ICO additional time beyond the current six-month deadline under certain circumstances. The government will, however, not extend the deadline generally across the board.
6. The requirement for Data Protection Impact Assessments (DPIAs) will be removed
Organisations will no longer be required to undertake DPIAs as currently prescribed in the UK GDPR, but will still be required to ensure that there are tools for assessing, identifying and mitigating data protection risks throughout the organisation. Amending the requirement aims to grant organisations more flexibility as to how they meet the requirements for identifying and managing risks.
7. Changed threshold regarding data subject requests
The government plans to change the current threshold for refusing, or charging a reasonable fee for, an access request from a data subject to ‘vexatious or excessive’ instead of the current ‘manifestly unfounded’, in order to bring the threshold in line with the Freedom of Information regime and to make it easier for businesses and organisations to comply with access requests. It should be noted that there is no plan to introduce a cost ceiling for such requests.
Even though the government has announced which proposals it plans to proceed with in reforming the UK GDPR, it remains unclear when the changes in question will be implemented in legislation. Keep an eye on our blog for new updates on the matter!