UK GDPR Reform – Julian Hayes and Umar Azmeh write for Global Banking and Finance Review

BCL partner Julian Hayes and associate Umar Azmeh’s article ‘UK GDPR Reform – buccaneering Britain goads the data protection bear’ has been published by Global Banking and Finance Review.

Here’s an extract from the article:

“It was an open secret that the UK government and GDPR made uneasy bedfellows. Back in 2018, Dominic Cummings, Downing Street’s former chief advisor, derided the European data protection paradigm as “horrific”, and looked forward to binning it. In 2020, Boris Johnson voiced his desire for a separate and independent data protection policy, and in May 2021, a deregulation task force commissioned by the Prime Minister called for the replacement of the UK GDPR (which is essentially identical to the EU GDPR) with a framework of British data rights. It, therefore, came as little surprise when, last week, the government issued a wide-ranging consultation on changes to the UK’s data protection regime in a self-proclaimed dash for data-driven economic growth.

As businesses and civil society digest the proposals – which tip the balance from data subjects towards businesses, espouse a pragmatic approach to cross border data transfers, and bind the Information Commissioner (ICO) to the government’s agenda – arguments are being rehearsed for a forthcoming clash with privacy campaigners, whilst the EU is poised to axe the UK’s data adequacy agreement if necessary, just months after granting it.

Same but different

Chafing at what it perceives as vague, bureaucratic data protection rules and complex data-sharing obligations, the government’s proposals have twin themes: maintaining data protection standards by adhering to the headlines of UK GDPR’s framework; and fostering the conditions for economic growth, innovation and competition by removing unnecessary barriers to responsible data use. With SMEs currently constrained by the same rules as better resourced multinational companies, the alleviation of data compliance burdens on businesses is central to the government’s agenda.

Under its reforms, the accountability requirements of the UK GDPR – which oblige data controllers to adopt policies and take appropriate steps to demonstrate data protection compliance – would be replaced with a less onerous privacy management programme tailored to each organisation and overseen by a ‘responsible individual’ who would supplant the organisation’s independent data protection officers.

Transparency obligations would be pared back, with businesses permitted to re-purpose and re-use personal data for research purposes without first informing the data subjects affected if doing so would involve disproportionate effort. Current limitations on using artificial intelligence alone to make significant decisions about individuals could be stripped away, for example by allowing algorithms to be the final arbiter of whether a person is recruited, eligible for a loan, or entitled to state benefits.

Data protection impact assessments (DPIAs), originally conceived as a good practice tool to identify and minimise personal data risks, would be jettisoned. DPIAs are currently required before businesses introduce facial recognition, biometric and other high risk innovative technology. Businesses would no longer be obliged to consult the data regulator before proceeding with projects involving particularly high personal data risk. While the government acknowledges that abolishing DPIAs would reduce current safeguards, it believes that privacy management programmes would ameliorate this threat.

Despite a 2021 National Crime Agency strategic assessment report which identified significant underreporting of data breaches, the government argues data controllers are over-reporting and advocates that, in future, only ‘material’ breaches should be reported. The government accepts that this could reduce reporting of breaches which are likely to risk individuals’ rights and freedoms, but believes it a price worth paying to alleviate the reporting burdens on organisations. In a further change to the breach reporting regime, the government is considering a voluntary undertakings scheme, allowing businesses to avoid regulatory penalties if they demonstrate effective and timely steps to address the causes of a security breach.

Finally, to the dismay of privacy rights advocates, the government is proposing to address a long-held data controller grievance – that some data subjects abuse the right of access – by reintroducing fees for accessing their data (‘DSARs’) and creating an exemption for requests likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation. DSARs do place significant administrative and financial burdens on businesses and other organisations, but allowing data controllers to charge for complying with them would likely have a significant chilling effect on the right of access, effectively limiting it to those sufficiently wealthy to pay.”

This article was published by Global Banking and Finance Review on 29.09.21. You can read the full version on their website here.

Julian Hayes advises companies and individuals in the rapidly developing field of data protection, especially in the context of data breaches and law enforcement investigations, where necessary litigating to ensure that the actions of state authorities are properly constrained. A partner at BCL for four years, he has vast experience of all types of criminal inquiries, including the unlawful obtaining of data and computer misuse offences. He is a well-known and highly regarded commentator on cybersecurity and privacy issues. He advises telecommunications operators on their obligations under UK investigatory powers legislation and provides practical guidance on how to handle demands placed upon them, including in establishing systems that work to ensure legal compliance and protection for the operator. He has advised in relation to the US-UK Bilateral Data Sharing Agreement and the forthcoming UK online harms legislation.

Umar Azmeh is a solicitor at BCL, specialising in business crime, financial crime, and regulatory investigations. He has significant experience of criminal investigations involving money laundering and bribery, and has worked with clients on sanctions, tax, and proceeds of crime issues. He has expertise in commercial litigation, including civil fraud with an international dimension, and particularly where there is a criminal aspect. He has also advised both corporations and individuals on potential liability under the Proceeds of Crime Act 2002, the Fraud Act 2006, and the Bribery Act 2010, which includes drafting relevant policies for corporate clients.
