The Government has announced its plans for data protection reform, which began with a consultation exercise last year and which were trailed in this year's Queen's Speech. These will result in changes to the law, although no Parliamentary bill has yet been published. Nonetheless, these are very significant developments, for individuals as well as for businesses (the latter in particular should take note of the proposed changes to the cookie rules).
We highlight below some of the major points and will provide further commentary as the proposals develop.
- The main framework of the law will not be changed. This means that the UK GDPR will not be repealed, but amended. Similarly, there are no plans to repeal the Data Protection Act 2018 or the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR, which deal with cookies and electronic marketing).
- Many of the more prescriptive "compliance" tasks and duties in the UK GDPR will be removed or changed. For instance, the requirement for some organisations to appoint a data protection officer will go, as will the requirements to maintain a "record of processing activities" and to undertake "data protection impact assessments". However, these will be replaced by a requirement to have a "privacy management programme" to ensure accountability across the organisation. In other words, the accountability principle itself is not being abandoned; what changes is how organisations are expected to demonstrate it, and organisations that already keep processing records and carry out impact assessments may well find those the most practical evidence of such a programme.
- Despite a proposal in the consultation to reintroduce a fee for a data subject access request, no fee will be introduced, nor will a cost ceiling for responding to a request. However, the Government proposes that "vexatious or excessive" requests will be able to be refused. This wording would replace the existing "manifestly unfounded or excessive" wording, although it is not yet clear whether the change will make much practical difference. The Government does recognise the burden that subject access requests can place on some organisations, and says it will consider specific sectoral needs, as well as those of small and medium-sized businesses.
- There will be a change to the cookie consent rules, with a proposal to allow some non-essential cookies to be placed on a user's device without consent. The Government believes this will remove the need for cookie banners on websites, although further detail will be needed to explain why that is thought to follow, since consent would still be required for other non-essential cookies. In the longer term, there is a proposal to move to a general "opt-out" model for cookies, although not for sites likely to be accessed by children. The Government says it will work with industry to develop a browser-setting approach (whereby users configure their browsers as they wish, and websites respect those settings). Similar schemes have been tried before, notably the "Do Not Track" browser signal, but fell into disuse because most websites simply ignored the setting; any new scheme would need a means of making compliance enforceable rather than voluntary.
- Non-commercial organisations will be able to use what is known as the "soft opt-in" to send direct electronic marketing (emails and SMS) to existing customers, in the same way as commercial organisations currently do. This is potentially of real significance for the charity and non-profit sectors, although the existing conditions attached to the soft opt-in under PECR (contact details obtained in the course of a sale or negotiation, marketing of similar products or services only, and a simple opt-out offered at collection and in every message) can be expected to apply.
- Although the proposals would relax the cookie and marketing rules, the penalties for serious infringements of PECR would increase from the current maximum fine of £500,000 to a maximum in line with the UK GDPR's fines (£17.5 million or 4% of global annual turnover, whichever is higher).
- There are a large number of proposed reforms to the structure and governance of the Information Commissioner's Office (ICO). Most of these are not likely to have any direct impact on individuals or organisations, although the office may get a new name. More significantly, it is suggested that some of the statutory guidance produced by the ICO will be subject to pre-approval by the Government. This will raise questions about the independence of the regulator.
A big question for the future of the UK's international trade is whether the proposed changes might be seen by the European Commission as a "step too far" and lead it to review the current "adequacy" decision permitting the free transfer of personal data from the EU to the UK. Certainly, when added to the UK's existing plans to grant its own adequacy decisions for international transfers to the US (and some other countries), there is a real risk that some EU Member States will press the Commission to revoke the adequacy decision in the UK's favour. Organisations that rely on that decision for EU-to-UK transfers should watch these developments closely, since its loss would require alternative transfer mechanisms to be put in place.