BCL partner Julian Hayes and associate Umar Azmeh’s article ‘UK GDPR Reform – buccaneering Britain goads the data protection bear’ has been published by Global Banking and Finance Review.
Here’s an extract from the article:
“It was an open secret that the UK government and GDPR made uneasy bedfellows. Back in 2018, Dominic Cummings, Downing Street’s former chief advisor, derided the European data protection paradigm as “horrific”, and looked forward to binning it. In 2020, Boris Johnson voiced his desire for a separate and independent data protection policy, and in May 2021, a deregulation task force commissioned by the Prime Minister called for the replacement of the UK GDPR (which is essentially identical to the EU GDPR) with a framework of British data rights. It therefore came as little surprise when, last week, the government issued a wide-ranging consultation on changes to the UK’s data protection regime in a self-proclaimed dash for data-driven economic growth.
As businesses and civil society digest the proposals – which tip the balance from data subjects towards businesses, espouse a pragmatic approach to cross border data transfers, and bind the Information Commissioner (ICO) to the government’s agenda – arguments are being rehearsed for a forthcoming clash with privacy campaigners, whilst the EU is poised to axe the UK’s data adequacy agreement if necessary, just months after granting it.
Same but different
Chafing at what it perceives as vague, bureaucratic data protection rules and complex data-sharing obligations, the government has built its proposals around twin themes: maintaining data protection standards by adhering to the headlines of UK GDPR’s framework; and fostering the conditions for economic growth, innovation and competition by removing unnecessary barriers to responsible data use. With SMEs currently constrained by the same rules as better resourced multinational companies, the alleviation of data compliance burdens on businesses is central to the government’s agenda.
Under its reforms, the accountability requirements of the UK GDPR – which oblige data controllers to adopt policies and take appropriate steps to demonstrate data protection compliance – would be replaced with a less onerous privacy management programme tailored to each organisation and overseen by a ‘responsible individual’ who would supplant the organisation’s independent data protection officers.
Transparency obligations would be pared back, with businesses permitted to re-purpose and re-use personal data for research purposes without first informing the data subjects affected if doing so would involve disproportionate effort. Current limitations on using artificial intelligence alone to make significant decisions about individuals could be stripped away, for example by allowing algorithms to be the final arbiter of whether a person is recruited, eligible for a loan, or entitled to state benefits.
Data protection impact assessments (DPIAs), originally conceived as a good practice tool to identify and minimise personal data risks, would be jettisoned. DPIAs are currently required before businesses introduce facial recognition, biometric and other high risk innovative technology. Businesses would no longer be obliged to consult the data regulator before proceeding with projects involving particularly high personal data risk. While the government acknowledges that abolishing DPIAs would reduce current safeguards, it believes that privacy management programmes would ameliorate this threat.
Despite a 2021 National Crime Agency strategic assessment report which identified significant underreporting of data breaches, the government argues data controllers are over-reporting and advocates that, in future, only ‘material’ breaches should be reported. The government accepts that this could reduce reporting of breaches which are likely to risk individuals’ rights and freedoms, but believes it a price worth paying to alleviate the reporting burdens on organisations. In a further change to the breach reporting regime, the government is considering a voluntary undertakings scheme, allowing businesses to avoid regulatory penalties if they demonstrate effective and timely steps to address the causes of a security breach.
Finally, to the dismay of privacy rights advocates, the government is proposing to address a long-held data controller grievance – that some data subjects abuse the right of access – by reintroducing fees for accessing their data (‘DSARs’) and creating an exemption for requests likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation. DSARs do place significant administrative and financial burdens on businesses and other organisations, but allowing data controllers to charge for complying with them would likely have a significant chilling effect on the right of access, effectively limiting it to those sufficiently wealthy to pay.”
This article was published by Global Banking and Finance Review on 29.09.21. You can read the full version on their website here.