Data: A New Direction or Misdirection? ICO Responds to UK Government Consultation on Its Proposed New Data Protection Regime

On 7 October 2021, the Information Commissioner’s Office (“ICO”) published its response to the UK government’s consultation entitled “Data: A new direction”. The consultation, which sets out the proposals of the Department for Digital, Culture, Media & Sport (“DCMS”), promised far-reaching reforms to the UK data protection regime with an emphasis on capturing the power of data to drive economic growth and innovation. The DCMS’s proposals marked a significant moment for UK data protection law, and as such Sidley was pleased to host a Chatham House Rule discussion about this important consultation on 15 September 2021 with Joe Jones, Deputy Director, International Data Transfers at the DCMS. We hope that interested readers may have attended our discussion with Deputy Director Jones.

The ICO’s response to the UK government’s proposals presents another pivotal moment for UK data protection law. Because the ICO is the UK’s lead regulator, its response is significant, and the UK government will need to take it into account before draft legislation takes shape. Importantly, the ICO supported the consultation in principle, acknowledging that data protection laws cannot remain “static”. Yet the ICO did not endorse every consultation proposal, making clear that some measures needed more thought. This article thus considers the original consultation and the ICO’s response, commenting on key points from both.

Scientific research: A significant proposal that the ICO endorsed was to make it easier to use, share and re-purpose data for research. The government is keen for the UK to lead the way on using data for research purposes, underlining the UK’s position as ranking second in the world for science and research. The consultation includes a proposal for new separate legal bases for data processing for research purposes, and explicitly says the further use of the same data set for “scientific research purposes” (a term which the legislation will define) will always be both (i) compatible with the original purpose; and (ii) lawful under Article 6(1) of the UK GDPR. The explicit statement that data can be reused for research and the other proposed reforms to make scientific research easier will, if adopted, be welcomed by many in the scientific research community. Similarly, life sciences stakeholders will be pleased to learn that Article 14(5)(b) of the UK GDPR would be replicated for research purposes. This provision exempts data controllers who process data collected indirectly from providing information to data subjects where there would be disproportionate effort to do so. However, as the ICO noted, these research purposes will still require safeguards on top of those already present in Article 89(1) of the UK GDPR to prevent a data subject’s personal data being used in unexpected ways.

Wider mandate: Another proposal the ICO broadly supported was the widening of the ICO’s mandate. The proposals involve making economic growth and competition principles to which the ICO would have regard under statute. The ICO agreed with this idea, saying it would help it deliver economic benefits for the UK. This can be seen as regulatory support for the UK government’s overall intent to move towards a “pro-growth” and “pro-innovation” regime, though the ICO emphasised that the UK government must consider rights alongside innovation.

Cookies: The ICO encouraged the UK government to “go further” in its proposed reforms to cookies. The UK government is proposing that organisations should be able to use data analytics without user consent through cookie pop-ups, or allow collection of information from cookies for other limited purposes (which are yet to be specified) without consent. The ICO agreed that people’s consent via cookie pop-ups is currently not meaningful and expressed support for alternative design-based solutions where people can set their cookie preferences across all websites they visit. However, they disagreed with proposals to remove consent for all types of cookies, cautioning that ease of use should not come at the expense of user preference.

Anonymous data: The government clarified the meaning of “anonymised” and “pseudonymised” data in this consultation. The distinction between the two concepts is important as only pseudonymised data falls within the scope of the GDPR. Pseudonymised data is personal data which has been processed such that it cannot be used to identify an individual without additional information; anonymous data is where a person is no longer identifiable at all. The line between pseudonymised and anonymised data is a fine one, and so the UK government’s proposal to clarify this is welcome. The UK government will either place text from recital 26 of the UK GDPR into legislation or adopt a statutory test based on the explanatory report accompanying the Council of Europe’s modernised Convention 108. The ICO prefers recital 26, as it is linked to existing legislation and so is a more pragmatic option.

The ICO: The ICO was sceptical about the proposed reforms to its structure and governance. The UK government proposals include turning the ICO, which is run as a “corporation sole”, into a governance board. An independent board would be appointed by UK government recommendation, and empowered to initiate an independent review of the ICO’s activities, and to determine the Information Commissioner’s salary. The ICO expressed concern about the perception of the ICO’s independence, especially regarding the proposals for the Secretary of State to approve ICO guidance and to appoint the CEO.

Legitimate interests: Similarly, the ICO was unconvinced by proposals to remove the so-called “balancing test”. Currently, the UK requires data controllers to identify a lawful ground under the UK GDPR before processing personal data. These grounds include processing that is necessary for the legitimate interest of a data controller (Article 6(1)(f) UK GDPR). However, this can only be relied on to the extent the organisation’s interests are not outweighed by the interests of the individual (the “balancing test”). It is the UK government’s contention that applying the balancing test is too complex and forces organisations to inappropriately rely on another lawful ground: consent. The government seeks to address this by removing the balancing test for a limited list of legitimate interests to be specified by the UK in any future draft legislation. Arguably, it would be beneficial to see a processing activity on a list and know that no further action need be taken to lawfully process that data. Indeed, the ICO recognised greater clarity on legitimate interests would be beneficial. However, the proposal also acknowledges that any list of legitimate interests would need to be “sufficiently generic”. The ICO noted that such a list may therefore be over-broad. Indeed, in our experience, it is the specific subtleties in fact patterns that cause confusion. For example, the proposal suggests reporting of criminal acts would be a potential processing activity covered under this reform. But what about anti-money laundering checks? Or employee qualification checks? Would these constitute a type of processing necessary for reporting of criminal acts? As the ICO says, more detail is needed, especially as many have already invested in applying the balancing test, given the GDPR has been in effect for three years.

Artificial Intelligence (“AI”): The ICO acknowledged that the UK government’s consultation represents a timely discussion on AI given the European Commission’s publication of the world’s first draft regulation on AI on 21 April 2021, as well as the UK government’s launch of its national AI strategy on 22 September 2021. The ICO took issue with details in the proposals, however. For example, the consultation proposal stipulates processing personal data for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest within Article 6(1)(f) for which the balancing test is not required. The ICO requested that the government justify this decision and asked for more evidence as to how this processing would always outweigh potential risks to people’s rights.

The ICO also welcomed a review of Article 22 of the GDPR, which prevents decisions based solely on automated processing being made to the extent they could produce legal effects or significantly affect an individual. However, they did not agree that the right to human review should be removed altogether, stating that it could lead to a perception that decisions are made purely by unaccountable algorithms. Instead, the ICO proposed that transparency requirements with AI be strengthened, and also encouraged government to consider extending the right in Article 22 to also cover partly automated decisions. It will be interesting to see if the UK government’s proposals do allow for more AI use in practice.

Data Subject Access Requests (“DSARs”): The UK government believes organisations are now “over-burdened” with “speculative” DSARs and would like to introduce a fee regime similar to that in the UK Freedom of Information Act 2000 (“FOI”) and its linking regulations to alleviate this. The FOI imposes a cap on spending for requests, which, if extended to the UK data protection regime, would allow organisations to refuse a request if it exceeds a set cost limit. However, the ICO queried whether even a nominal fee might disenfranchise the most vulnerable members of society, which is especially concerning in relation to the right of access, which is one of the most valued data subject rights. The ICO also questioned the applicability of the FOI to the DSAR context, given subject access requests relate to especially personal information, e.g. health data. It is also queried how far the proposals will actually help overburdened firms as they would still be obliged to answer all DSARs to the extent possible within the cost limit. Thus, the proposal is unlikely to reduce the actual number of requests.

Accountability: The ICO thought that more work was required to demonstrate the additional value in the UK government’s proposals to reform the current accountability framework. The government argued that assessing the level of accountability an organisation has against precise requirements may generate a “disproportionate administrative burden” and proposed replacing these requirements with a system based on “privacy management programmes” (“PMPs”) which would be overseen by a “responsible individual” as opposed to a data protection officer (“DPO”). The ICO felt that this amounted to a substantial change to the current system which could have the reverse effect of bringing potential disruption and additional burden for organisations who have put significant resources into complying with the current accountability framework. Arguably, PMPs may not even markedly reduce the administrative burden for businesses, as PMPs still include many obligations the previous accountability requirements had: a risk-based approach to compliance; and a need to implement policies and procedures, including cumbersome data inventories. Further, the ICO challenged the proposal to remove the requirement to have DPOs and conduct Data Protection Impact Assessments (“DPIAs”), stating that both allow for data protections to be in-built at an organisational level.

Breach reporting: Article 33(1) of the UK GDPR requires an organisation to report a breach unless it is “unlikely” to result in a risk to people’s rights and freedoms. The UK government believes this may impose a disproportionate burden on organisations to report even where there is a “low risk” to people’s rights. The government’s answer to this problem is to introduce a materiality threshold whereby an organisation need not report a breach that is “not material”. The ICO stated that greater clarity on the threshold would be helpful. For example, as the commissioner Elizabeth Denham said in Sidley’s recent fireside discussion with Claudia Berg of the ICO on 21 September 2021 entitled “Governance of Data Innovation: Risks and Rewards for Business”, fewer minor data breach reports would free up resources to investigate serious cyberbreaches. The ICO has commented on the lack of detail offered in the paper on this possible reform. The UK government has not defined the term “non-material” risk and instead encouraged the ICO to produce guidance on this. If the guidance is not clear enough, the proposal may have the effect of creating more uncertainty as to when to report.

International transfers: The mutual recognition of UK/EU data laws as “adequate” means data can continue to flow freely between the UK and the EU post-Brexit. However, the UK government wants to add more countries to the list of nations they consider to be “adequate”. To decide who is next on the list, the UK government is proposing a risk-based assessment system, with four stages to a UK adequacy decision, making it a multi-layered process. The ICO endorsed this in principle, but requested details of how the system will work in practice, especially where word-for-word assimilation to UK and EU data laws is missing.

There is also a proposal for organisations to “create or identify their own alternative transfer mechanisms in addition to those listed in Article 46 of the UK GDPR” which would give more flexibility beyond standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”). However, the main example of such a mechanism in the paper is a “bespoke contract without ICO approval”. How this is much different to tailored SCCs is unclear.

It is also positive that the UK government intends to make “explicit that repetitive use of derogation[s] is permitted”. Derogations under Article 49 of the UK GDPR are exceptions from the rule that a transfer of personal data from the UK is not allowed unless covered either by a UK adequacy decision, or appropriate safeguards. The ICO was circumspect in its response, encouraging the UK government to consider whether further safeguards could be introduced where derogations are used.

Conclusion: The new consultation confirms the UK government’s desire to walk its own path when it comes to data protection law and is a highly significant development for both the UK and how governments and regulators more generally may view data regulation going forward in trying to balance the desire for innovation and growth with privacy rights and concerns. While the ICO is broadly supportive of many of the proposals in the consultation, it makes it clear that, in its view, the proposals will require more thought. The ICO and UK government will need to engage with one another, such as through the DCMS’s efforts to create a strategic priorities paper to be submitted to the ICO. Another factor in any future legislation is that any deviations by the UK government away from the GDPR may endanger the decision by the EU in June 2021 to consider the UK data protection laws as adequate, a decision which will be reviewed by the European Commission in four years, or earlier if needed. Businesses should note that the consultation is open till 19 November 2021, and watch this space for any draft legislation that is put forward in the coming months.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.