Privacy & Cybersecurity Law Blog

On June 16, 2021, the UK Government’s Taskforce on Innovation, Growth and Regulatory Reform published an independent report containing recommendations to the Prime Minister on how the UK can reshape its approach to regulation in the wake of Brexit (the “Report”). Among wide-ranging proposals across a range of areas, the Report recommends replacing the UK General Data Protection Regulation (“UK GDPR”) with a new UK Framework of Citizen Data Rights. The proposed approach would aim to give individuals greater control over their personal data while also allowing increased data flows and driving growth in the digital economy. The Report will be considered by the Government’s Better Regulation Committee.

In characterizing the UK GDPR as prescriptive and inflexible, the Report states that the existing law “overwhelms people with consent requests and complexity they cannot understand, while unnecessarily restricting the use of data for worthwhile purposes.” It also comments that the UK GDPR is particularly onerous for smaller companies and charities. Accordingly, the Report recommends reforming the law to provide consumers and citizens with stronger rights and powers, as well as freeing up data for innovation and use in the public interest.

In addition, the Report:

• Recommends revising the UK GDPR to update it in light of advances in AI and developments in other growth sectors
• Questions the value of the purpose limitation and data minimization principles under Article 5 of the UK GDPR, stating that these principles prevent the collection of new data before its potential value is understood, and the use of existing data for novel purposes.
• Characterizes Article 22 of the UK GDPR, which provides individuals with the right not to be subject to decisions based solely on automated processing that significantly affects them, as “burdensome, costly and impractical.” It recommends removing Article 22 or amending it to permit automated decision-making, remove human review of algorithmic decisions and permit organizations to provide only basic explanations rather than full details of the system and logic involved in the decision.
• Proposes a “proportionality principle” in any new law, with a focus on outcomes rather than “tick-box compliance.”
• Proposes fewer obligations and lower compliance burdens for charities, SMEs and voluntary organizations.
• Recommends greater emphasis on the legitimacy of data processing and whether or not it benefits the individual, rather than relying on consent.
• Explores the use of “Data Trusts” or “Data Fiduciaries” to whom individuals can delegate decisions around use of their personal data.

Read the full Report.