UK takes another bite at post-Brexit data protection reform -- with 'new GDPR'
Turns out the UK government, under current prime minister Rishi Sunak, is not replacing the GDPR, as Michelle Donelan, his secretary of state for science, innovation and technology, implied last October -- when as a fresh-in-post digital secretary under a different PM, she paused the flagship data protection reform, saying the government wanted to rethink its approach and inviting businesses to "co-design" the legislation with her.
Instead, the UK's version of the EU's General Data Protection Regulation (GDPR), which governs how Brits' information can be processed, looks set for a rights haircut and a slow drift away from the EU standard under the amended reform the government introduced to Parliament today.
It's describing this new draft as a replacement bill -- literally the "Data Protection and Digital Information (No. 2) Bill" -- which supersedes the one it introduced last July. Although, as far as we can tell, a lot of the prior detail has carried over. But for anyone eager to dive in, the 212 pages of amended (No.2) bill can be found here.
One headline takeaway is the government appears to have retained (at least) the spirit of the GDPR's purpose limitation principle -- with the revised bill allowing for some further processing of people's data but only for nonconsent-based collection, such as public interest–based use cases. While a right to human review of (significant) automated decisions also appears to have survived the latest revisions.
However, in a regressive step, the government has further hacked away at requirements on businesses to keep records and undertake proactive oversight of their data processing activities -- which could have implications for their ability to respond to user requests related to data. (Or, indeed, for U.K. businesses' ability to give comprehensive accounts of what information may have been exposed if they suffer a security breach.)
That said, since the regime will apply in the U.K. only, U.K. businesses that do business in Europe may well opt not to amend their existing approach to data protection -- to ensure they are still compliant with the GDPR, which continues to apply across the EU. (Or, put another way, setting a lower standard than a bloc of 27 countries does not make you a global standard setter even if, drunk on Brexit Kool-Aid, you brand yourself "Global Britain.")
The proposed changes that are likely to be the most well received relate to scientific research -- where the U.K. government has expanded the definition to make it easer for data to be reused for research. Although there may be concerns around the potential for misuse of a freer regime here.
Another concerning aspect of the draft relates to regulatory oversight -- with the government confirming it plans to saddle the existing watchdog, the ICO, with a new board, whose members the secretary of state may appoint (or approve) -- an interference that could risk undermining the office's independence since the board looks to influence the ICO's guidance and priorities. So the direction of travel there looks worrying.
The existence of an independent data protection regulator will be one of the key areas for the EU to scrutinize when it comes to assessing the U.K.'s "essential equivalence" with its data protection rules -- so any moves that could be viewed as undermining the autonomy of the ICO look risky to say the least. Add to that, the ICO hardly has a reputation for being anti-business -- au contraire -- so it's not clear why the government wants to die on this hill. (Beyond, well, its general appetite for passing laws that seek to amass more power for itself.)
“The proposals to broaden the scope of scientific research are positive and seek to address the challenges of current practice in a reasonable and sensible way for UK research. But not all of the changes will be welcomed (or are needed) and interference with the ICO’s independence remains a concern that will hopefully be corrected during the legislative process,” said Edward Machin, an associate at Ropes & Gray's data, privacy & cybersecurity practice in London, giving TechCrunch his first thoughts on the revised bill.
Further amendments to the data reform are still possible, of course, via the usual parliamentary scrutiny process, so nothing is fixed in stone yet. And lobbying is likely to ramp up now the government appears to have settled on its approach.
Some opposition is already organizing. Yesterday, 26 civil society groups wrote an open letter to Donelan, calling on her to dump the latest iteration of the legislation -- warning it contains "many concerning and ill-considered proposals which endanger UK residents and UK data protection."
And in a statement today, one of the signatories, the Open Rights Group, further warned: “The government’s proposals will affect us all but particularly those who are already vulnerable and marginalised. We urge the Secretary of State to listen to the concerns of privacy groups and civil society and go back to the drawing board and put people, at the centre of this legislation.”
On the flip side, in a canned quote accompanying's DSIT press release about a "new UK version of the GDPR," Julian David, CEO of the technology trade association TechUK, offered this fulsome praise:
"TechUK welcomes the new, targeted package of reforms to the UK’s data protection laws, which builds on ambitions to bring organisations clarity and flexibility when using personal data. The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU."
The backstory to the bill is that the government is attempting to walk a line between, on the one hand, claiming it's seizing a Brexit-based deregulatory bonanza, based on ripping up existing (EU-derived) data protection rules and replacing them with a "commonsense" U.K. alternative (now it's no longer an EU member), and, on the other, butting into a hard requirement to maintain the fundamentals of the current framework in order to ensure data keeps flowing from the EU to U.K. businesses and avoid a major economic hit were the U.K. to lose its EU adequacy status (which is up for review in 2025).
Donelan, now working at Sunak's recently rebranded Department for Science, Innovation and Technology (DSIT), told Parliament today that the revised Data Protection and Digital Information Bill (DPDIB) aims to ensure "we are the most innovative economy in the world and that we cement ourselves as a Science and Technology Superpower." While DSIT suggested the bill represents a "common-sense-led UK version of the EU’s GDPR" -- claiming it will "reduce costs and burdens for UK businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online."
Much the same claims were being made by the government for an earlier revision of the data reform last year. Although DSIT is now making the headline claim that fiddling with data protection will save the U.K. economy £4BN+ over the next 10 years (up from a projected £1BN last June) -- by providing businesses with more "flexibility" in how they interpret the rules. (Or just carving out some types of processing from any requirement to subject them to proper record keeping.) But, well, lies, damned lies, and statistics...
Simultaneously, ministers are continuing to claim that the (now) further loosened compliance requirements will still ensure people's privacy and data protection are "securely protected," as DSIT's PR suggests. "The UK is firmly committed to maintaining high data protection standards — now and in the future. Protecting the privacy of individuals will continue to be a national priority," added Donelan in Parliament. So it's the usual Brexit "cakeism" on show.
The devil will obviously be in the details -- and, crucially, in what the EU makes of the fine print a few years' hence (or, indeed, sooner if it decides the risks are great enough to reopen its June 2021 adequacy decision).
Some privacy experts are suggesting the government's changes aren't drastic enough to endanger EU adequacy. But, well, that remains to be seen -- and legal challenges to the U.K.'s post-Brexit data regime may well seek to test the robustness of the thing in court. (So even if the European Commission is happy to let U.K. standards slide, judges in the EU may ultimately disagree.)
My quick immediate (accept with caution) hot assessment is that EU #GDPR adequacy should not be a big problem. I said the same thing at the @royalsociety expert meeting on data protection reform, and I repeat it. https://t.co/gOAEVBFTxC
— Lukasz Olejnik (@LukaszOlejnik@Mastodon.Social) (@lukOlejnik) March 8, 2023
Much remains to be determined in the months and years ahead -- but here's a snap round-up of some notable changes to keep an eye on:
Data processing for tech R&D may be treated as "scientific research"
The bill's definition of scientific research has been updated -- and expanded -- which could potentially make it easier for businesses to claim a commercial use of people's data is okay because they're engaging in research. Although these changes seem likely to win the most plaudits.
Per DSIT: "[C]ommercial organisations will benefit from the same freedoms as academics to carry out innovative scientific research, such as making it easier to reuse data for research purposes.
"This will reduce paperwork and legal costs for researchers, and will encourage more scientific research in the commercial sector. The definition of scientific research in the new Bill is non-exhaustive, in that it remains any processing that ‘could reasonably be described as scientific’ and could include activities such as innovative research into technological development."
Limited expansion of legitimate interest grounds to process people's data
DSIT says: "The new rules will give organisations more clarity about when they can process personal data without needing consent or weighing up their own interests in processing the data against an individual’s rights for certain public interest activities. This could include circumstances where there is a public interest in sharing personal data to prevent crime, safeguard national security or protect vulnerable individuals."
It does not appear the government is going the full hog and letting businesses claim whatever processing they like can be filed under their own legitimate interests (i.e., doing away with the need to ask for people's consent) -- rather, there does need to be some kind of public interest element. (And it's notable that, in an early reaction to the revised draft legislation, the Internet Advertising Bureau is not sounding happy, since it's put out a statement urging lawmakers to extend cookie consent exemptions to advertising measurement and analytics, which implies they don't think they'd currently get this carve-out.)
But it remains to be seen how this might play out in, for example, cookie consent notices -- which is one justification claimed by the government for fiddling with existing rules. Yet even it's not saying cookie consent notices will vanish. A "reduction" in annoying pop-ups is all DSIT suggests the bill will deliver.
Reduced requirements on U.K. businesses to keep records of data processing
DSIT: "Ministers have improved the Bill to further cut down on the amount of paperwork organisations need to complete to show compliance. Now, only organisations whose processing activities are likely to pose high risks to individual’s rights and freedoms will need to keep processing records. This could include, for example, where organisations are processing large volumes of sensitive data about people’s health."
While there may be less paperwork required up front, businesses that avail themselves of this "freedom" may simply be storing up problems for themselves in the future, such as if they need to respond to subject access requests (and find they can't because they don't know what data they have or where they're holding it); or if they suffer a breach and want to know what was lost.
Data protection impact assessments can also be a useful tool for businesses to consider risks ahead of time -- so cutting back this requirement could end up negatively impacting the quality of products brought to market in the U.K.
Ultimately, reductions in these sorts of compliance requirements may even create opportunities for UK businesses to differentiate domestically by saying they're going above and beyond the local law -- by carrying out due diligence it no longer requires them to.
Some types of automated decisions may not carry a right to human review?
DSIT says the bill seeks to clarify existing rules around a right to human review of automated decision-making, saying it will ensure people are made aware of automated decision-making, and can challenge and seek human review, when those decisions may be "inaccurate or harmful."
It also specifies that profiling of individuals is subject to "the same set of robust safeguards for automated decision making when a significant decision is taken about a person with no meaningful human involvement" -- such as if a person is denied a job or a loan because an automated decision has been taken without meaningful human input.
The government says it wants businesses, AI developers and individuals to have greater clarity about when "important safeguards for solely automated decision-making must apply" -- to drive transparency and accountability for decisions made by computer algorithms.
The GDPR clause on automated decisions does have its critics, so it may be there's room for "clarifications" here. But it is also notable the government has shied away from ripping away the right to human review of automated decisions entirely -- as some Brexiter headbangers had been urging in earlier years. So how much of a change is being envisaged versus the status quo remains to be seen.
Greasing international data transfers?
DSIT says the updated bill will allow businesses to use existing international data transfer mechanisms to share personal data overseas "if they are already compliant with current UK data laws," noting: "This will ensure British businesses do not need to pay more costs or complete new checks to show they’re compliant with the updated rules."
While Donelan told Parliament today: "We will strike new agreements that allow for the free and safe exchange of data across borders and continue to engage with the EU and its institutions, with a view to ensuring our existing data adequacy decisions remain in place."
It is not entirely clear where the government is headed here but a concern previously raised by digital rights groups is the U.K. is laying the ground for a "soft-touch" approach to inking its own adequacy agreements with third countries in order to position the UK to act as a data hub -- opening up knock-on risks for U.K. citizens (or indeed others whose data has been passed to the UK) if local data processors end up funneling their information on to risky locations elsewhere.
Questions over the ICO's independence
An area of concern since the data reform was mooted has been whether the government will seek to interfere with the independence of the data protection watchdog, the ICO. DSIT claims the bill will "strengthen the Information Commissioner’s Office (ICO) through the creation of a statutory board with a chair and chief executive, so it can remain a world-leading, independent data regulator and better support organisations to comply with data regulation."
And in a canned (or, well, cowed) comment accompanying the department's PR, John Edwards, the information commissioner, sounds a cautious welcome -- writing: “The Bill will ensure my office can continue to operate as a trusted, fair and independent regulator. We look forward to continuing to work constructively with the Government to monitor how these reforms are expressed in the Bill as it continues its journey through Parliament.”
However, as noted above, the bill specifies that the secretary of state can appoint board members and has a role in recommending the chair -- so concerns about the scope for political inference in the ICO's function by selecting people who will be steering its priorities seems unlikely to die down.
Higher fines for nuisance calls and texts
In a populist measure, fines for nuisance calls and texts are being beefed up -- to either 4% of global turnover or £17.5 million, whichever is greater.
However, an obvious question here is how U.K.-administered fines will be able to tackle a problem that's often perpetrated by scammers based offshore, in countries outside its legal jurisdiction. Ergo, this headline-grabber may not amount to much in the way of positive change either.
The government says the bill will introduce a framework for the use of "trusted and secure digital verification services" -- to allow people to prove their identity digitally "if they choose to do so," using "certified digital identities that make it easier and quicker for people to prove things about themselves."
This might be a U.K. response to the EU's own plan for a digital identity, unveiled back in mid 2021.
Equally, the U.K.'s Online Safety Bill looks set to drive requirements that platforms offer ways for users to verify their IDs, so focusing on this area may be aimed at enabling the wider digital regulations it's cooking.