Last month, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the UK Department for Digital, Culture, Media & Sport (“DCMS”) on its Consultation on Reforms to the Data Protection Regime (the “Response”). The Response also reflects views gathered from CIPL members during two industry roundtables organized in collaboration with DCMS to obtain feedback on the reform proposals. Key takeaways from the Response include the following:
Chapter 1: Reduce Barriers to Responsible Innovation
With respect to DCMS’ proposals to reduce existing barriers to responsible innovation, CIPL:
- supports the consolidation of provisions related to processing for research purposes into a clear definition, and believes this definition should be framed flexibly, as research is dynamic by nature and increasingly relies on the use of AI;
- advocates for the creation of a separate lawful ground for research without prejudicing certainty and consistency for organizations (especially cross-border research efforts);
- requests that DCMS clarify the interplay between Articles 6 and 9 of the UK General Data Protection Regulation (“UK GDPR”) when special category data is processed, and clarify whether both articles apply cumulatively or can be assessed separately (the latter being preferred);
- supports providing more clarity regarding when the legitimate interest ground for processing may be relied upon by organizations (see the categories of common processing activities based on legitimate interests in CIPL’s recent white paper on legitimate interest) and enabling the UK Information Commissioner’s Office (“ICO”) to establish a list of low-risk processing activities that meet the legitimate interest ground, including in the context of B2B relationships;
- agrees that DCMS should clarify that processing personal data to prevent, detect and remediate bias in AI systems constitutes a legitimate interest of a data controller;
- encourages DCMS to clarify the current approach to automated decision-making and, in particular, the meaning of a legal or similarly significant effect under Article 22 of the UK GDPR; and
- supports DCMS’ proposal to incorporate a test based on the U.S. Federal Trade Commission model for anonymized data into an updated UK data protection regime, rather than rely on Recital 26 of the UK GDPR (i.e., a practical rather than theoretical approach).
Chapter 2: Reducing Burdens on Business and Delivering Better Outcomes for People
With respect to DCMS’ proposals to reduce burdens on businesses and deliver better outcomes for people, CIPL:
- welcomes enabling flexibility for organizations in implementing accountable privacy management programs that reflect, and are suited to, a wide range of business structures and operations. Any changes to the current rules, however, should be clearly explained and the requisite standard for compliance delineated to (1) prevent stakeholders from viewing any changes as a dilution or an abandonment of EU-specific data protection concepts introduced by the GDPR and (2) avoid a situation where flexibility for organizations results in a lack of clarity regarding which actions to take to enable accountability;
- supports the proposal to raise the threshold for breach reporting;
- supports the introduction of a new voluntary process enabling organizations with demonstrable accountability practices to implement a specific remediation plan to address any infringement of the law in lieu of enforcement action by the regulator;
- agrees that it would be helpful to streamline the rules governing the use of cookies and to enable the use of analytics cookies without obtaining user consent when collecting general information about how many people visit a website, how they interact with it and what pages are most visited; and
- supports any reform enabling organizations to store information on, or collect information from, a user’s device without their consent for limited and legitimate purposes, subject to transparency and additional safeguards or limitations.
Chapter 3: Boosting Trade and Reducing Barriers to Data Flows
With respect to DCMS’ proposals to boost trade and reduce barriers to data flows, CIPL:
- supports DCMS’ proposal to approach adequacy assessments with a focus on risk-based decision-making and outcomes, while being mindful of the benefits of maintaining appropriate consistency with the current understanding of “essential equivalence” under the EU GDPR;
- supports the creation of a new power for the Secretary of State to create new UK mechanisms for transferring data overseas, or to recognize in UK law other international data transfer mechanisms, such as the APEC CBPR and PRP systems developed by the APEC forum, if they achieve the outcomes required by UK law; and
- supports the proposal to exempt reverse transfers from the UK’s international transfer regime.
Chapter 5: Reform of the ICO
With respect to DCMS’ proposals for reforms to the ICO, CIPL:
- out of concern for preserving the ICO’s independence, cautions DCMS against introducing powers that would allow the UK government to set the strategic direction of the ICO. Setting such strategic priorities should be left to the regulator without government interference;
- emphasizes the risk posed by the proposed requirement that the ICO seek approval from the Secretary of State for new codes of practice or regulatory guidance, which is inconsistent with the ICO’s status as an independent data protection authority, both domestically and globally;
- supports introducing a duty for the ICO to cooperate and consult with other DPAs and sectoral regulators both in the UK and around the world; and
- supports introducing a requirement that organizations be the first contact to resolve consumer complaints before they are escalated to the ICO.
To read about these recommendations in more detail, please see the full Response.