On September 10, 2021, the UK Government Department for Digital, Culture, Media & Sport (“DCMS”) launched a consultation on its proposed reforms to the UK data protection regime. The consultation reflects DCMS’s effort to deliver on Mission 2 of the National Data Strategy, which is “to secure a pro-growth and trusted data regime in the UK.” Organizations are encouraged to provide input on a range of data protection proposals, some of which are outlined below. The consultation will close on November 19, 2021, and the Centre for Information Policy Leadership (“CIPL”) will consult with members to prepare a formal response to the consultation.
Following its departure from the European Union, the UK is no longer bound by EU law and may adapt its existing data protection regime, which is currently based on the EU General Data Protection Regulation (“GDPR”). The GDPR was incorporated into UK domestic law prior to the UK’s departure from the EU in the form of the “UK GDPR,” which is supplemented by the Data Protection Act 2018 (“DPA”). Although DCMS has signaled that its proposed amendments will build on and refine the existing UK framework, rather than recast it, the reform could well be extensive.
DCMS stated: “Outside of the EU, the UK can reshape its approach to regulation and seize opportunities with its new regulatory freedoms, helping to drive growth, innovation and competition across the country. The UK needs agile and adaptable data protection laws that enhance its global reputation as a hub for responsible data-driven business that respects high standards of data protection.”
In its press release, DCMS also quoted CIPL’s President Bojana Bellamy, who referred to the UK government’s plan for reform as “bold and much needed in the modern digital and data driven age.”
Bellamy added: “It could be a win-win for all – organizations, individuals, and society. It enables organizations to leverage data responsibly, for economic and societal benefits and to build their brand as trusted data stewards. It gives individuals assurances and more effective protection from genuine harms. [An] accountability, risk- and outcome-based approach will be welcomed by all – these are the founding blocks of modern regulation and a modern regulator. I hope other countries follow the UK’s lead.”
Any departure from the existing data protection regime will be scrutinized by the European Commission as part of its review of the UK’s adequacy decision, due in four years’ time. DCMS notes in the consultation that: “European data adequacy does not mean verbatim equivalence of laws, and a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law.”
Topics on which DCMS seeks input from respondents include:
- whether provisions on use of personal data for research purposes, which are currently layered throughout the UK GDPR and DPA, should be consolidated to provide greater clarity on the range of relevant provisions and how they relate to each other;
- an appropriate definition of “scientific research” under data protection legislation;
- the appropriate lawful basis for scientific research, and whether it should be possible for data subjects to provide a broad consent when it is not possible to fully identify the purposes of processing at the point of data collection, as well as the compatibility of further processing for research purposes;
- the creation of a limited, exhaustive list of legitimate interests for which organizations can use personal data without applying the balancing test;
- whether the processing of personal data to monitor, detect and correct bias in AI systems should be included in any such list;
- additional clarity on the application of legal obligations with regards to fairness when developing or deploying AI, and the possibility for the government to provide permission to use personal data more freely for the responsible training and testing of AI;
- issues generally encountered when developing AI under the current data protection regime, e.g., with respect to limitations on data re-use;
- clarifications and loosening of the limitations on automated decision-making;
- the test to be used for determining whether or not data is anonymous;
- the role of data intermediaries;
- the move towards more flexible and risk-based privacy management programs, rather than prescriptive legal requirements;
- whether the requirement to appoint a Data Protection Officer (“DPO”) should be updated;
- the helpfulness of Data Protection Impact Assessments (“DPIAs”);
- removal of record-keeping requirements under Article 30 of the UK GDPR;
- adjustment of the threshold for notification of a data breach to the ICO under Article 33 of the UK GDPR;
- the current impact of subject access requests, particularly with respect to whether organizations find them time-consuming or costly to process;
- the categorization of cookies and similar technologies and potential legal bases for their use;
- whether the “soft opt-in” for direct marketing available under the Privacy and Electronic Communications Regulations (“PECR”) should be extended to cover non-commercial organizations;
- introduction of a “duty to report” on communication service providers with respect to suspicious traffic on their networks;
- whether fines available under PECR should reflect those available under the UK GDPR, e.g., up to £17.5 million or 4% global turnover, whichever is higher;
- whether future UK adequacy decisions should be risk-based and focused on outcomes;
- strengthening of ongoing monitoring of adequacy regulations and relaxation of the requirement to review adequacy regulations every four years;
- the extent to which redress requirements for international data transfers may be satisfied by either administrative or judicial redress mechanisms, provided such mechanisms are effective;
- the importance of proportionality when assessing risks for transfer mechanisms such as Standard Contractual Clauses (“SCCs”);
- an exemption from the UK GDPR’s transfer restrictions with respect to data originating from outside the UK (e.g., “reverse transfers”);
- the ability for organizations to create their own alternative transfer mechanisms;
- the ability for organizations to rely on derogations under Article 49 of the UK GDPR for repetitive transfers;
- the introduction of a duty for the ICO to have regard to economic growth and innovation, competition, and public safety when discharging its functions;
- providing the DCMS Secretary of State with the power to initiate an independent review of the ICO’s activities and performance; and
- introduction of a requirement for a complainant to attempt to resolve a complaint directly with the relevant controller before lodging a complaint with the ICO.
Respondents to the consultation can provide their insight online here, or in written form at DataReformConsultation@dcms.gov.uk or Domestic Data Protection team, DCMS, 100 Parliament Street, London, SW1A 2BQ.
Search
Recent Posts
- Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act
- HHS Announces Additional Settlements Following Ransomware Attacks Including First Enforcement Under Risk Analysis Initiative
- Employee Monitoring: Increased Use Draws Increased Scrutiny from Consumer Financial Protection Bureau
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code