Lawyers back UK data protection law voluntary undertakings process

Out-Law News | 14 Dec 2021 | 2:44 pm | 4 min. read

Businesses should be given an opportunity to avoid enforcement action for breaches of UK data protection law by proactively outlining the remedial actions they are taking to address those breaches when reporting them to the UK Information Commissioner’s Office (ICO), an expert has said.

Kathryn Wynn of Pinsent Masons said the introduction of a new voluntary undertakings process into UK data protection law would be welcome and reflect existing business best practice.

Wynn was commenting after Pinsent Masons submitted (21-page / 229KB PDF) its response to the UK government’s consultation on proposed reforms to data protection law (146-page / 1.32MB PDF).

In its paper, the Department for Digital, Culture, Media and Sport (DCMS) said it is “considering whether to introduce a new voluntary undertakings process”.

“Only organisations that are able to demonstrate they have embraced a proactive approach to accountability (for example, an organisation has evidence of engagement or prior consultation with the ICO ahead of high risk processing) would be able to provide the ICO with a remedial action plan, upon discovering an infringement, which could be accepted as part of the voluntary undertakings process,” the government said in its paper. “Provided that the plan then meets certain criteria – for example, it identifies the likely cause(s) of the incident, and proposes effective and timely steps to address the cause(s) – the ICO may authorise the plan without taking any further action.”

Wynn said Pinsent Masons is behind the proposal.

Wynn said: “We always encourage our clients to provide information on how they intend to remediate a breach when making a notification to the ICO, to assist the ICO in its investigation. We believe this proposal is a natural extension of what we consider to be best practice.”

DCMS said the prospective voluntary undertakings process would operate in a similar way to Singapore’s ‘active enforcement’ regime.

Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, said: “Singapore’s voluntary statutory undertakings process is about remediation more than reprimand. It allows for businesses and the regulator, the Personal Data Protection Commission (PDPC), to work together to achieve compliance without the need for enforcement action. While businesses can submit remediation plans when notifying the PDPC of a breach, the regulator can ask companies to improve those plans before it accepts them. It will only accept remediation plans 'if it assesses that a voluntary undertaking achieves a similar or better enforcement outcome more effectively and efficiently than a full investigation'.”

“The process is still relatively young, as the first voluntary undertaking was only accepted by the PDPC in September 2020 – though the decision to accept the undertakings was subsequently repealed in that case. A further 13 organisations have gone through the process since then. The published undertakings provide important insights to others about the kind of action they might be expected to take to, in the eyes of the regulator, satisfactorily address a data protection breach,” he said.

In its consultation paper, the government said that it would only introduce a new voluntary undertakings process as part of a wider revamp of the accountability framework built into existing data protection law. The government is proposing an accountability framework built around “privacy management programmes” in its place.

Wynn warned, though, that the government must be mindful of how changes in UK law could impact the compliance burdens falling on multinational businesses.

“The introduction of parallel but different accountability obligations in the UK risks being extremely costly and burdensome for organisations that continue to have compliance obligations under the EU General Data Protection Regulation, as it risks doubling their compliance burden, rather than reducing it,” Wynn said. “Given the option, for some of the measures discussed as part of the government’s proposal for privacy management programmes, our clients would be unlikely to change their practices, as their European compliance programmes require a particular approach for EU GDPR compliance.”

In its response paper, Pinsent Masons called on the UK government to carefully assess how reforms to UK data protection laws might impact the UK’s ‘adequacy’ status, which it has been designated by the European Commission and which is pivotal to the continued free flow of personal data – and the trade and inward investment it underpins – from the EU to the UK.

Pinsent Masons welcomed government plans to address the burdens entailed in handling subject access requests. Among its own recommendations for how to achieve this, Pinsent Masons said new restrictions could be placed on claims management companies submitting subject access requests in bulk. It also said controllers could be given greater scope “to refuse to respond to a subject access request where litigation may be contemplated or ongoing and the request would require the controller to disclose information that would not otherwise be disclosed under the Civil Procedure Rules”.

Pinsent Masons also welcomed the proposals outlined by the government to tackle “over-reporting” of personal data breaches, through increasing the threshold for notifying the ICO of such incidents. It also identified an opportunity to clarify how the law on automated decision making involving the use of personal data applies to artificial intelligence systems, though it said this could be achieved through regulatory guidance rather than legislative reform, and further cautioned against changing the law to remove the need for human oversight.

Plans to enable the activities of responsible data intermediaries were also backed by Pinsent Masons, though it suggested that this should be pursued without changing data protection law at this stage.

“It would be more valuable for organisations to be given a greater understanding of what is possible under the current legislative framework, namely statutory tools such as codes of practice and accreditation schemes which could be used to govern different flavours of innovative data sharing solutions in quite a specific way,” Wynn said.

The DCMS consultation closed to feedback on 19 November 2021. Publication of the government’s response to the feedback received is not anticipated until into the new year.