UK confirms data protection and ‘cookie law’ reform plans

Out-Law News | 17 Jun 2022 | 4:12 pm | 5 min. read

Organisations that have already invested significant time and resources into EU data protection law compliance will not be required to make substantial changes to comply with a new, UK-specific regime, the government has suggested.

However, the long-awaited response by the Department for Digital, Culture, Media and Sport (DCMS) to last year’s consultation on data protection law reform indicates that some change is likely to be required, according to data protection law experts at Pinsent Masons.

The government announced within last month’s Queen’s Speech that it intends to introduce a Data Reform Bill before the UK parliament over the next year reflecting the outcome of last year’s consultation – a consultation Pinsent Masons fed into. The DCMS response provides businesses with an insight into the likely provisions of the forthcoming Bill.

According to the response, businesses that invested in people, systems and processes to comply with the General Data Protection Regulation as it forms part of UK law (UK GDPR) and the 2018 Data Protection Act face having to make changes to implement ‘privacy management’ programmes to comply with new UK data protection laws.

Rosie Nance of Pinsent Masons said: “DCMS acknowledged that organisations have invested time and resources in putting in place their UK GDPR compliance framework and has said that ‘organisations that are currently compliant with the UK GDPR would not need to significantly change their approach’. Presumably this means that some changes to organisations’ approach will be required, however.”

Maintaining UK adequacy

In its response, DCMS reiterated the government’s belief that it is “perfectly possible and reasonable” to expect the UK to maintain ‘adequacy’ with the EU GDPR as it designs a future regime. “The UK is firmly committed to maintaining high data protection standards - now and in the future,” it said in the document.

Jonathan Kirsop of Pinsent Masons said: “While many of these proposed reforms will be welcomed by businesses – notably, changes around subject access requests and potentially allowing for a more risk based approach regarding international transfers – a common theme during the consultation was any benefits in streamlining data protection law in the UK would be outweighed by the cost of losing the UK’s adequacy with the EU”. 

“While these reforms will not automatically lead to this – indeed, the reformed UK law would still be significantly closer to the GDPR than in many other adequate jurisdictions – many businesses will be watching the reaction of the EU closely and be keen to ensure this status is maintained.”

Speaking in Brussels last month, UK information commissioner John Edwards said that the government decision makers were “well aware” of the value to the UK of an EU adequacy determination, as well as the costs of losing it. Where the EU has issued an adequacy determination in respect of a specific non-EU country or territory, organisations are free to transfer personal data between the EU and that jurisdiction without having to apply other legal tools for data transfers.

Accountability changes

Major proposed changes to accountability requirements form only part of the plans for reform. DCMS has also set out its intention to remove some administrative processes from legislation, make further changes to the law to support data-related innovation, and to substantially update ‘cookie law’ in the UK, among other things.

On accountability requirements, the government has said it will remove the requirement on organisations to conduct data protection impact assessments and end the requirement for organisations to maintain records of processing activities (ROPAs). It will also amend the requirement some organisations face to appoint a data protection officer.

The government’s plans were not favoured by the majority of respondents to its consultation, who said the existing provisions were “sufficiently flexible and risk-based already”. However, the government said its plans to encourage businesses to adopt ‘privacy management’ programmes instead “will enable organisations to take a more proportionate approach in meeting the requirements of the UK’s regime” and “reduce the prescriptive regulatory burdens faced by smaller organisations”.

As part of their ‘privacy management’ programmes, organisations will be required to designate a suitable senior individual to oversee the company’s data protection compliance and to ensure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation. They will also need to maintain personal data inventories, in place of ROPAs, which describe what personal data is held and where, why it has been collected and how sensitive it is, according to the government’s proposals.

Administrative requirements streamlined

While the government has said it will not proceed with some of the proposals it consulted on, such as changing the legal thresholds for notifying data breaches, it has confirmed plans to remove some administrative requirements from UK data protection law – including the need for businesses to consult the UK’s data protection authority, the Information Commissioner’s Office (ICO), in relation to planned high-risk data processing.

The law on handling ‘subject access requests’ (SARs) is also to be updated, the government confirmed, as it acknowledged the resources UK businesses have had to use to comply with often complex and burdensome requests for copies of personal data from individuals.

Though the government has said it will not reintroduce a nominal fee to process routine SARs, it does plan to change the existing threshold at which organisations can refuse to respond to SARs or charge a reasonable cost to process them. Organisations can currently do this where the request is “manifestly unfounded or excessive”. The government wants to change this to when the request is “vexatious or excessive” instead.

Stephanie Lees of Pinsent Masons said: “Organisations would benefit from greater guidance on, or definition of, what is considered ‘vexatious or excessive’ to assist businesses applying this test in practice”.

Rosie Nance said further changes would be welcome on what is considered “reasonable and proportionate” in responding to SARs, to alleviate some of the burden complex SARs cause to some sectors.

“For example, the financial services sector is disproportionately affected by bulk requests from claims management companies,” she said. “Restricting the circumstances where claims management companies can make bulk requests, and extending the time limit for controllers to respond to bulk requests where these are allowed, would be welcome changes.”

Research, AI and innovation

The government’s data protection reform plans also include proposals designed to reduce the legal complexities associated with re-using personal data in a research context.

While DCMS said it will not take forward proposals to establish a new lawful basis for processing personal data for research purposes, it confirmed that it does intend to simplify the law around further re-use of personal data after it has been collected, after concerns were raised that a lack of clarity was impeding research and innovation.

Other plans to change the transparency obligations on organisations were also outlined, by extending the “disproportionate effort” exemption to cases where researchers collect personal data directly from data subjects. Lees said this may assist researchers in cases where the data processing is complex, involving various datasets held by different entities, or where the project develops over time.

The government also addressed the issue of AI-powered automated decision-making in its response paper. It said it is considering plans to amend the existing rules on automated decision-making and profiling under UK data protection law and that it wants to “align proposals” with measures expected to be set out in an upcoming white paper on AI governance it intends to publish. It said it sees reforms enabling the deployment of AI-powered automated decision-making, but with “appropriate safeguards in place”.

International data transfers

The government said that it will “clarify the legislation” to reinforce the importance of proportionality when assessing the risks for alternative mechanisms of data transfer.

“Currently organisations subject to the UK GDPR need to carry out a transfer impact assessment for every transfer of personal data to a country without adequacy status where they rely on transfer tools like standard contractual clauses,” Rosie Nance said. “This obligation continues to apply while we await further detail on DCMS’s proposals. Some UK organisations will also need to continue to comply with EU requirements as they have obligations under the EU GDPR.”

The government said it will also take forward reforms “that better enable the UK to approach adequacy assessments with a focus on risk-based decision-making and outcomes, and continuing to support the UK’s commitments relating to data flows”.

Nance said: “No further detail has been provided on adequacy decisions. The government has said they are pursuing adequacy decisions with priority jurisdictions, including the US.”

“This is one area where the balance between promoting the opportunities free flows of data can bring, and maintaining the UK’s adequacy status with the EU, could be tricky. Awarding unqualified adequacy status to the US would make doing business with the US simpler, but could jeopardise the UK’s adequacy status with the EU, which would mean a lot of extra complexity for international organisations with a presence in the EU and UK, as well as for UK organisations doing business with the EU,” she said.

Cookie law reform and other PECR changes planned

In its consultation paper last year, the government said it was considering withdrawing the requirement for consent to cookies from UK law. DCMS has not confirmed that the government will press ahead with that plan.

Cookies are small pieces of data that a website stores in the user’s browser and that the browser sends back with subsequent requests to that site. They are used to keep a user logged in and to remember preferences across pages, and, in the digital advertising ecosystem, to recognise the same browser across visits and sites and so build a record of the user’s online activity.

However, current rules, set out in the Privacy and Electronic Communications Regulations (PECR) in the UK, prohibit the storing and accessing of information on users' computers unless those users have given their consent on the basis that they have had access to clear and comprehensive information about the purposes of the processing. An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service explicitly requested by the user.

In the immediate term, the government plans to allow cookies to be placed without the user’s consent for a small number of purposes, which have not yet been set out in full. Nance said: “It is unclear at this stage how much impact this change will have for UK users, as international organisations tend to take a regional approach to compliance, so might continue to follow EU requirements in the UK.”

In the future, the government intends to legislate to remove the need for websites to display cookie banners to UK residents, as well as moving to an opt-out model of consent. Lees said: “There is to be a shift to an ‘opt out’ model, similar to the current ‘soft opt-in’ exemption to marketing currently under PECR. The government will work with the industry to develop browser-based solutions to manage a person’s consent preferences, to support the model.”

Nance said: “The proposal to allow users to manage consent preferences in the browser has the potential to really change user experience. DCMS is looking to lead on an initiative to find a user-friendly, privacy-friendly solution.”

Other changes to the PECR regime include stiffening the penalties that the ICO can impose to tackle nuisance marketing. The maximum fine that can be imposed under PECR is therefore to be increased to align with what the ICO can already impose against organisations that breach UK data protection law, where fines of up to £17.5m or 4% of a business’ annual global turnover, whichever is higher, can be levied.