Data Protection Update November 2021
The General Data Protection Regulation (GDPR) (now known as the UK GDPR since January 2021 following the end of the Brexit transition period) has been in effect for over three years. In September, the Government began a public consultation on its proposals to reform data protection legislation following Brexit. The Government had been clear that it intended to look at data protection once a divergence from the EU was permitted and the initiation of the consultation was the first clear step in this regard. The consultation closes on 19 November 2021.
Whilst the consultation document itself runs to almost 150 pages, the essence of what the Government seeks to assess is how the data protection regime can be adapted to allow a greater and more flexible use of personal data, while making it more future-proof and more responsive. The consultation states that it intends to build on the key elements of the UK GDPR and make improvements within the current framework rather than departing entirely from the principles of the UK GDPR (allowing everyone who has worked so hard to implement the UK GDPR to breathe a sigh of relief that their work was hopefully not in vain). All this comes off the back of Brexit, with a visible emphasis by the Government on building deeper relationships with nations outside the EU; key candidates being, among others, the USA, Australia and Singapore.
A number of concerns and themes can be identified from the consultation and have been noted by the ICO and commentators alike. We note three issues in particular:
- The potential undermining of ICO independence through Government involvement;
- The risk to the UK’s recently awarded “approved” status from the EU; and
- Changes to the legal basis for data processing and an emphasis on Artificial Intelligence (AI).
The Information Commissioner’s Office, the ICO, has published its response to this consultation. Elizabeth Denham, the current Information Commissioner, has confirmed that the ICO remains committed to supporting the Government to create a data protection regime that “works for everyone, and is fit for both the challenges and opportunities ahead”. What is clear, however, from the response is that the ICO has concerns about the impact of the Government’s proposals on the independence of the ICO (the ICO is currently an independent body).
The ICO highlights the importance of the regulator’s independence, within a framework of strong accountability to Parliament, in so far as it allows for the making of impartial decisions without “fear or favour”, ensuring regulatory efficiency and building public confidence within the UK data regulation framework.
Under Chapter 5 of the current Government proposals, the Secretary of State would have the power to approve or reject ICO codes of practice and guidance. The ICO response challenges the proposal of this power as an infringement on their independence while at the same time arguing that such a change would undermine the Government’s ability to effectively hold the ICO to account by positioning them as a final approver rather than external critic. The ICO concludes by stressing its belief that, as a result, it should be able to issue its own guidance without Government intervention.
It is clear that, with the change to the UK’s international focus following Brexit, there would be advantages to a new governmental role within the ICO in order to shape the direction of UK regulation towards this focus. However, as the role of data and the risk it represents continues to increase, the importance of a robust and independent regulator that can impartially hold businesses to account without being subject to the Government’s political agenda will only increase if consumers and businesses are to be allowed to confidently interact.
UK’s “Adequate” Status
Following the UK’s exit from the EU, its status changed from EU member state to a third party country under the EU GDPR. As such, transfers of personal data from the UK to the EU are only permitted where the UK data protection framework is deemed to afford an equivalent level of protection to that of the EU.
On the 28th of June 2021 the EU Commission confirmed the adequacy of the UK’s data protection framework, paving the way for personal data transfers between the UK and EU in a post-Brexit world. However, this recently awarded status is potentially threatened by the Government’s proposed changes to the GDPR, with Brussels remarking that they will be keeping a close eye on the UK’s situation and will, if necessary, be prepared to revoke the UK’s adequacy status.
The Government’s consultation is clearly mindful of this risk with regard to its relationship with its “European friends and partners”, but insists that it is possible for the UK to implement reforms which are unique and specifically suited to the UK’s values and circumstances whilst maintaining the high standards that facilitate the transfer of personal data between the UK and EU, pointing to countries “such as Israel” as inspiration. Indeed, the Government points to a potential benefit of over £1 billion over a ten-year period for the UK, even when factoring in costs from a potential change to the EU’s adequacy decision.
The importance of the EU to UK business as its biggest trading partner cannot be denied. Any impediment to business with the EU, such as a restriction on the transfer of personal data, could have significant adverse effects on the UK economy. However, the Government may be prepared to risk the UK’s adequacy status to further pursue its post-Brexit philosophy of an independent, flexible and international UK built on relationships and markets outside of the EU.
Legal Basis for Processing
Under the current GDPR, any data processing requires a legal basis under Article 6, and this can range from, among other things, the data subject’s consent to the broader option of legitimate business interest. The core of the Government’s proposals for the legal bases focuses on clarifying them in order to provide better certainty for organisations seeking to process personal data.
However, for the legitimate interest basis under Article 6(1)(f) the Government is proposing to remove the currently required balancing test (between the organisation's and the subject's interests) for certain specific activities. The aim of this decision can be seen, in part, as a way of promoting the Government’s goals of encouraging innovation, with the use of personal data for internal research and development being one of the proposed exception activities.
Detecting or correcting bias in AI systems is another proposed exception for the balancing test where organisations seek to process personal data in order to combat biases in an AI system similar to the historic biases and discriminatory tendencies of humans. Such a consideration clearly highlights the Government's mindfulness of the future role of AI in society as it attempts to better position UK Data Protection Regulations for future advances and developments in AI.
The removal of the balancing test for legitimate interest in certain situations may facilitate a quicker and simpler process to allow organisations to process personal data. This could be viewed as desirable in so far as it would allow organisations to process data with greater ease. However, it also represents a potential erosion of the protection and privacy of individuals in regard to their personal data. As such, these exceptions will have to be carefully considered in order to protect individuals from the potentially overly intrusive and undesired processing of personal data by organisations.
If you have any questions relating to any of the above, please do not hesitate to contact Emma Loveday-Hill, a Senior Associate in our Data Protection team on 01473 298266 or email@example.com.