UK Government publishes proposed data protection reforms


On Friday 17 June 2022, the UK Government published its response to the Data: a new direction consultation. This marks another milepost in the UK’s reform of its data protection rules following its departure from the EU.

AWO have worked with a range of clients to respond to that consultation. The concerns raised by AWO clients during the consultation have been largely side-lined by the UK government in the purported pursuit of “unleashing data’s power”. A consequence of those reforms may be to imperil the adequacy agreement with the European Union. Luminate Strategic Initiatives instructed AWO to commission a legal opinion from Lord Anderson QC and Aarushi Sahore of Brick Court Chambers. A copy of that opinion is published today. That opinion concluded, in no uncertain terms, that the proposed reforms could imperil the UK’s adequacy decision:

To proceed decisively in the direction mapped out in the Consultation would certainly increase the risk (which to some extent already exists) of the Adequacy Decision being struck down by the CJEU. We further conclude that the adoption of these proposals will reduce the chances of obtaining a renewed Adequacy Decision from the Commission in 2025, and may even jeopardise its continuation in advance of that date.

In its response document, the UK government restates its view that the reform of UK legislation on personal data is compatible with adequacy. However, as the government has decided to go ahead with many of its initial proposals (seemingly regardless of the negative feedback it received from stakeholders, including AWO clients), serious concerns regarding adequacy remain.

More on the background to these latest developments, the concerns raised by our clients during the consultation, and how they were dealt with in the government’s response, is below.

Background

In early 2020 Boris Johnson announced that the UK would reform its data protection rules and “diverge” from the EU regime. While such divergence has been long foretold, little was offered by way of detail of what such divergence means in practice.

The government’s concrete plans for a “pro-growth and trusted data regime” that “unleashes data’s power” were revealed in September 2021, when the Department for Digital, Culture, Media, and Sport (‘DCMS’) published its consultation on proposed reforms to the UK’s data protection regime. The DCMS sought views on the proposals from businesses, academics, lawyers, and digital rights campaigners until 19 November 2021.

Those proposals included:

  • the removal of the requirement for data protection impact assessments (‘DPIAs’), safeguards which are currently mandatory for high-risk data processing
  • the removal of the right for individuals under Article 22 UK GDPR not to be subject to solely automated decisions, including profiling, which significantly impact them
  • the introduction of a new fee-paying regime for subject access requests (‘SARs’) in contrast to the current free regime to access personal data, as well as enabling organisations to refuse requests where “access to personal data or concerns about its processing are not the purpose of the request.”
  • proposals to create wider access to data for researchers and a new UK-specific definition of scientific research
  • the creation of a list of “legitimate interests” where processing for those interests would always be presumed lawful and would not, therefore, require a legitimate interests impact assessment (‘LIA’) balancing the interests of the organisation against the rights of the individual in advance of processing data
  • reform of the Information Commissioner’s Office (‘ICO’) including proposals to give the Secretary of State approval and veto powers for ICO guidance
  • overhaul of the UK’s international transfer regime, including a flexible approach to assessing the adequacy of other countries’ data protection regimes (such as adopting adequacy decisions for jurisdictions not currently recognised as providing adequate protection for personal data under the EU GDPR regime)

AWO was instructed by various stakeholders who wanted to respond to the DCMS consultation and acted for a number of its clients across different industries and sectors to make submissions. These included diverse organisations such as Clean-Up Gambling, Reset, and Open Rights Group. AWO scrutinised the reforms proposed by DCMS to advise its clients on their implications and assisted its clients to draft detailed submissions to the DCMS about how those reforms were likely to impact individuals and organisations in the UK. This included the potential impact of the reforms for vulnerable groups, such as people with gambling problems and migrants, but also for business more generally.

AWO’s clients approached the reforms from different angles according to their individual focus areas. Nonetheless, a common thread emerging across all our clients’ submissions was the potential for the reforms to erode the transparency, accountability, and important rights for individuals currently enshrined in UK data protection law.

For example, our clients viewed the consequences associated with the removal of the LIA duty as potentially very widespread, including because it could foreseeably legitimise surveillance tracking in the Data Broker industry. AWO has also previously acted for individual clients using the SAR regime, which has helped to shine a light on how problematic the online gambling space is. The new proposals to introduce fees, and to make it easier for controllers to refuse requests depending on their view of the motivations behind an individual’s request, would hinder the ability of individuals to understand how their data is being used (particularly problematic for those most vulnerable) and make it more difficult to hold powerful actors to account for how they handle people’s data.

In addition to scrutinising the proposed reforms, AWO were also instructed to consider the wider impact of these proposed reforms. There is growing concern that these erosions of the British data protection framework are likely to impact the UK’s adequacy decision from the European Commission. That adequacy decision currently facilitates the transfer of data from the EU to the UK on the understanding that the UK regime is trusted to provide adequate protection for personal data. One of AWO’s clients, Luminate Strategic Initiatives, commissioned a legal opinion from Lord Anderson of Ipswich KBE QC, and Aarushi Sahore, of Brick Court Chambers, to consider the potential impact of the reforms for the UK’s adequacy decision. The opinion was included as part of Reset’s submission and is enclosed with this post.

While the proposed overhaul to the mechanisms for international transfers from the UK to other countries was described as the “most obvious roadblock for the continuation of the Adequacy Decision”, the opinion also considered how reforms such as removing the requirement for DPIAs and reforming the subject access regime could “operate cumulatively to dilute the protection of individual data rights vis-à-vis controllers” and “could help tip the balance against a conclusion that the UK provides essentially equivalent protection”. In addition, the opinion observes that the proposals to reform the ICO “are likely to be significant from the EU’s perspective because the independence of the ICO was a critical safeguard that was taken into account in the Adequacy Decision”. In sum, the opinion concluded that:

To proceed decisively in the direction mapped out in the Consultation would certainly increase the risk (which to some extent already exists) of the Adequacy Decision being struck down by the CJEU. We further conclude that the adoption of these proposals will reduce the chances of obtaining a renewed Adequacy Decision from the Commission in 2025, and may even jeopardise its continuation in advance of that date.

Adequacy is not a political decision, but something that can be legally challenged by, and before, regulators and courts, with the CJEU having taken an active stance where a jurisdiction is not considered to ensure adequate protection for personal data, as occurred with the EU-US Privacy Shield. If the UK loses its adequacy status, it will become a ‘third country’ under the EU data protection regime. This means that data transfers into the UK would only be permitted if additional legal safeguards are put in place by UK organisations, creating legal uncertainty and costing UK-based organisations time and money. While the Government’s projections anticipate a net direct benefit to the economy of £1.04 billion over ten years regardless of the loss of adequacy (and predict those savings to rise to £1.45 billion if adequacy is retained), the sense on the ground from our clients was that short shrift has been given to the economic impact on UK organisations who will face an increased regulatory burden. In particular, companies will have to comply with whatever reformed laws are brought in as well as with EU laws. Any business with global aspirations will face dual compliance, at an increased cost.

Latest developments

After the consultation, the UK Government’s new Data Reform Bill was announced on 10 May 2022 during the Queen’s Speech at the Opening of Parliament. Details of the Bill’s contents were scant. The publication of the UK Government’s response on 17 June 2022 now puts flesh on the bones of the reformed regime. Preliminary analysis of the government’s response to the consultation suggests that many of our clients’ concerns have been overlooked:

Many controversial proposals put forward in the DCMS consultation are retained in the government’s response. This includes removing the requirement for DPIAs in cases of high-risk data processing. This is despite DPIAs being an important accountability tool and one frequently used by our clients to hold irresponsible actors accountable.

In the case of legitimate interests, the response says the “exhaustive list of legitimate interests for which organisations could use personal data without applying the balancing test and without unnecessary or inappropriate recourse to consent” will likely include preventing crime, reporting safeguarding concerns, or other important reasons of public interest – a list which can be updated subject to parliamentary scrutiny. This is of concern to our clients because public interest provisions risk being abused, as highlighted by the “immigration exemption” provision in the Data Protection Act 2018 which was ruled unlawful in court.

Regarding reform of the ICO, the government intends to proceed with many of the consultation proposals, despite concerns this would seriously undermine the independence of that office. Among other changes, the ICO will have a new governance structure (and a new name) changing the ICO from an office of one individual to a statutory board with a chair and a chief executive. The government also plans to introduce a process for the Secretary of State to approve ICO codes of practice and statutory guidance (with the requirement that the rationale is published) and will empower the Secretary of State to set strategic priorities for the ICO.

On international transfers, the UK government intends to proceed with the flexible approach to assessing the adequacy of other countries, although controversial proposals such as issuing collective adequacy decisions for groups of countries, regions, or multilateral frameworks, and letting organisations create ad-hoc transfer mechanisms, have been abandoned. No further detail has been provided on adequacy decisions, although the UK government has said it intends to pursue these with priority jurisdictions, including the US.

There are positive aspects to the response, such as the government’s announcement that it will not introduce a fee-paying regime for SARs as it had initially proposed, and the fact the government no longer proposes to remove Article 22 GDPR. However, behind this positive veneer, there still exists significant potential for a dilution of important individual rights. For example, in the case of SARs, the government plans to lower the threshold by which an organisation can refuse to comply with a SAR from where the request is “manifestly unfounded or excessive” to where the request is “vexatious and excessive”. This would mirror the wording in the Freedom of Information Act (FOIA). “Vexatious” in FOIA requests has been interpreted by courts to have a particular meaning, with the starting point being that considering a FOIA request needs an “objective standard” looking for a “reasonable foundation” of “value to the requester” (or the public). FOIA allows organisations to consider how burdensome the request may be, and to ask the requester why they want the data. This type of value analysis has never been associated with SARs before, most obviously because it would conflict with the right of access and undermine the ability of individuals to effectively exercise this right. Far from being a minor tweak, this change in language could have significant ramifications for the right of access. And, in the case of Article 22, the government intends to recast it as a right to specific safeguards, rather than as a general prohibition on solely automated decision-making, which can be seen as a significant dilution of an important right in what is an increasingly automated society.

Finally, one of the biggest concerns raised by most stakeholders (including our clients) during the consultation was the risk to UK adequacy arising from the proposed changes around international transfers but also from the cumulative effect of the proposed reforms. In the response document, the government restates its view that the reform of UK legislation on personal data is compatible with adequacy. It remains to be seen if the European Union will agree. However, as the UK government intends to go ahead with many of its controversial initial proposals, despite the serious concerns of stakeholders about the serious impact those changes could have, the concerns around adequacy (as encapsulated in the opinion from Lord Anderson QC and Aarushi Sahore) are not assuaged by this latest response document.

Where to next?

The draft Bill is likely to be published in summer 2022 and its text will provide vital insight into how the proposed reforms will ultimately be expressed. AWO will continue to monitor the progress of the proposals and the Data Reform Bill through the legislative process during 2022 and provide regular in-depth updates to our clients.

If you have a data protection matter that would benefit from expert legal advice and experience, please contact Ravi Naik at Ravi@awo.legal.