Cookies, transfers and risk assessments subject of UK data reform

The UK has published details of its planned Data Reform Bill, which is set to make changes to the privacy framework contained in the UK’s post-Brexit version of the GDPR.  

The proposals, published on Friday (17 June) in response to a consultation, include plans to restructure the UK’s data protection authority, the Information Commissioner’s Office (ICO), introduce an opt-out model for cookie consent and make it easier for London to initiate new data partnerships with other countries.

The Data Reform Bill was initially announced earlier this year during the Queen’s Speech, the annual laying out of the year’s legislative agenda, and is set to amend the data protection and privacy set-up established in the UK’s 2018 implementation of the GDPR. 

In 2019, the EU found the UK’s data protection regime to be robust enough to allow for the continuation of UK-EU data transfers but included measures to allow for this decision to be reversed if needed, including a “sunset clause” which will require reevaluation and renewal of the decision in 2024. 

UK to reform data protection, throwing EU adequacy ruling into doubt

The UK’s legislative agenda for the next year includes a data reform bill that could cast doubts on the future of the EU’s data adequacy ruling, the decision that continued to facilitate data transfers across the Channel after the UK left the bloc in January 2020.

The ultimate impact of the reforms, however, even if they diverge significantly from EU standards remains to be seen, some observers have noted.

“While many of these reforms seem significant, they might have a limited impact in practice”, Robert Bateman, head of content at GRC World Forums, told EURACTIV. “Many organisations that operate both in the UK and the EU might be unlikely to change much as they’ll still need to comply with the EU’s stricter rules.”

Information Commissioner’s Office 

A key element of the plan is a proposal to “modernise” the ICO, which oversees data protection in the UK. Under the plans, the body’s top official, the Information Commissioner, would be replaced by a chair, chief executive and board, and it would be issued with “new objectives”.

According to the government, these will allow for better parliamentary and public oversight and will place greater focus on growth, innovation and competition. It will also reform the way in which the ICO develops statutory codes and guidance, namely by incorporating a panel of experts and requiring approval from a Secretary of State before any such work can be presented to Parliament. 

The government’s proposals were on Friday welcomed by the UK’s current Information Commissioner, John Edwards.

Data protection administration

Another key aim of the reforms is to allow businesses more flexibility in how they go about meeting data protection standards, in order to reduce what the government says are disproportionate administrative burdens.

The planned reforms in these areas, Bateman said, were some of the more significant proposals and could see many steps that are currently mandatory made voluntary. 

The proposal suggests, for instance, that smaller enterprises will no longer be required to contract a Data Protection Officer (DPO) to conduct a Data Protection Impact Assessment (DPIA) of their risk management approach if they can independently prove that it is adequate. 

“An organisation cannot discipline its DPO merely for carrying out their tasks,” said Bateman. “This means that a DPO can, in theory, defend the rights of data subjects even when this goes against the interests of the organisation.”

Bojana Bellamy, President of the Centre for Information Policy Leadership, however, welcomed a more risk and outcome-based approach to privacy management on the grounds that it would deliver improved and more proportionate protections. 

“It does not mean the end of DPOs and DPIAs at all, as companies will still have to demonstrate how they oversee the program and manage risks”, she told EURACTIV, adding that moves in this direction by other governments point to this being “a global trend”. 

International data transfers

The reforms are also set to boost the UK’s potential to foster data transfer links with international partners. Under the Bill, the International Data Transfer Expert Council, a group of organisations, tech companies and academics, will be afforded the power to remove barriers to data flows. 

London has expressed a desire to establish new data partnerships with countries including the US, Australia, Singapore and the Republic of Korea, triggering concern in Brussels that if EU-UK data flows continue in tandem, EU citizens’ data could be, by extension, transferred to third countries considered to have insufficient privacy standards. 

“The UK government is right to consider evolving data flows rules and mechanisms”, Bellamy said. “This is a huge compliance and legal issue for all companies, big and small. It is not sustainable long term.”

Commission adopts UK data adequacy decision with provisos

The European Commission on Monday (28 June) adopted two adequacy decisions for the UK, including measures that would enable Brussels to revise the decision in case of changes in the UK legal framework.

Cookies, calls and conducting research

The government also plans to introduce fines for unsolicited marketing calls and messages. The bill is set to raise the maximum penalty from £500,000 to £17.5 million or 4% of global turnover if that is a greater figure. 

Existing regulations will also be updated to reduce cookie consent pop-ups by putting in place an opt-out model which will apply to a person’s whole internet browser.  

Researchers will also be handed more flexibility and clarity when it comes to data use. In practice, this could mean that people are asked whether they consent to have their data used for research in a particular field of study, rather than on a specific project within it.

[Edited by Luca Bertuzzi/Nathalie Weatherald]

Read more with EURACTIV

Tech Brief: DSA last frictions, disinfo code 2.0, ENISA’s sovereign requirements