News focus: Data protection reform - a bonfire, or building back better?

Expert view
Government plans to streamline the data protection regime aim to foster innovation in the sector, but have also reignited concerns about automated data processing and the erosion of rights

As usual with government statements, the controversial bits appear well down the page. The initial announcement of plans to reform the UK’s data protection regime stressed evolution rather than revolution. The reforms ‘deliberately build on the key elements of the current UK General Data Protection Regulation…’, the statement claimed. As such, it is ‘perfectly possible and reasonable’ for the UK to retain its newly won data protection ‘adequacy’ status with the EU.

On closer inspection, the proposals presented for consultation last week appear bolder than that implies. Specific proposals in the consultation, entitled ‘Unleashing data’s power’, include:

  • Removing requirements for organisations to designate a data protection officer.
  • Changes to the threshold for reporting a data breach to the Information Commissioner’s Office.
  • Removing the requirement for prior consent for all types of web cookies.
  • Creating a new, separate lawful ground for the lawful use of personal data in research.
  • Drawing up a ‘limited, exhaustive’ list of legitimate interests for which organisations can use personal data without applying a public interest balancing test.

However, the proposal likely to attract the most controversy is that of removing Article 22 of the UK GDPR, the article stating that a data subject ‘shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her’. Concerns about automated data processing were highlighted in the Law Society’s 2019 report on the use of algorithms in the criminal justice sector.

Alexandra Mizzi, legal director at international firm Howard Kennedy, said the reform plan ‘makes for eye-opening reading’. The focus is overwhelmingly on liberalisation, she said. ‘While there might be a case for that, many will feel that the consultation proposals tip the balance too far against individuals, as well as setting up conflicts with the EU.’

However Bojana Bellamy, president of the Centre for Information Policy Leadership, set up by international firm Hunton Andrews Kurth, described the reform proposals as a ‘positive development’.

The plans should be welcomed in both the UK and in the EU, she said. ‘This is not about lowering the level of data protection or getting rid of GDPR, it is about making the law actually work in practice, more effectively and in a way that creates benefits for all – organisations using data, individuals, regulators and the UK society and economy.

‘There is no doubt that some aspects of the GDPR do not work well, and some areas are unhelpfully obscure,’ Bellamy observed, citing the ‘cumbersome’ rules for data use in scientific and industrial research and innovation, and the difficulty of using personal data for training AI algorithms to avoid bias.

‘The UK government’s bold vision to simplify the current data protection regime, reduce red tape, put more onus on organisations to manage and use data responsibly, and to reinforce the pivotal role of the UK privacy regulator is the right way forward. It achieves both effective protection for individuals and their data and enables data-driven innovation, growth and societal benefits,’ she said.

Meanwhile, Elizabeth Denham, the information commissioner, said her office ‘will provide constructive input and feedback’ on the proposals.

However the job of policing the new regime will fall to her successor, New Zealand data lawyer John Edwards, whose appointment was approved by the House of Commons Digital, Culture, Media and Sport Select Committee last week. He told the committee that there is plenty of scope for departures from the EU data regime. He noted that New Zealand has EU adequacy status despite its law not being identical with the EU GDPR.

Edwards is due to take up his role next month. While the Information Commissioner’s Office is independent of government, his appointment coincides with an overhaul of the office to boost its role in driving ‘greater innovation and growth’.

However experience suggests that relaxing controls on the re-use of data could be a hard sell to a public wearied of cold calls from claims managers and increasingly sceptical about industry access to NHS data. The government can expect a lively debate around its GDPR bonfire.