techUK sets out our response to the DCMS consultation Data: A New Direction
On 10 September 2021 the UK Government announced plans for a consultation on the reform of the UK's data protection system. The consultation document Data: a new direction is the Government's attempt to reform the UK version of the General Data Protection Regulation (UK GDPR).
In doing so the Government will retain the core principles of the GDPR such as its data processing principles, its data rights for citizens, and its mechanisms for supervision and enforcement but make some changes to how the broader data protection framework operates.
For example by clarifying the legal bases around how certain kinds of data can be processed, create a more flexible accountability framework for organisations processing data, reform the mechanisms around how data can be transferred in and out of the UK, improve how data is used for the delivery of public services and make changes to structure of the Information Commissioner's Office (ICO).
techUK believes the consultation sparks a timely conversation preceded by a period of immense technological, business, and social change, not least as a result of the COVID-19 pandemic. These changes have tested the limits of existing data protection frameworks while also revealing opportunities for a pragmatic evolution of the legislation with the aim of delivering benefits for consumers, businesses, and wider society.
These pressures for change are not just found in the UK, they are global and governments around the world will be examining their own reforms to their data protection frameworks. In this situation, the UK has a unique position to lead the global debate. Having left the EU the UK inherits a data protection framework based on the GDPR which has become a globalised standard and whose principles have been widely adopted.
Successfully steering this debate however means being attuned to the trajectory of global data protection policy and seeking to converge on common principles, as the UK sought to do in the recent G7 statement, Roadmap for cooperation on data free flow with trust. It also means protecting key pathways for data flows such as data adequacy with the EU and the interoperability of data transfer tools.
The Government must also ensure that whatever additional flexibilities the UK provides in its own domestic rules, organisations are able to continue using data management policies that are designed to comply with multiple different regimes, as long as these give similarly high levels of protection to personal data as the UK's domestic laws. This will help prevent increased regulatory burden through double compliance and is a pragmatic step to deal with the extra territorial effects of different modern data protection regimes across the globe.
If the UK can get this right, techUK believes we can not just seize the opportunity to update our data protection system for the 2020s, but create an approach which underpins our wider ambitions for the UK tech sector. For example, by crafting an approach to data governance that helps the UK remain Europe's most attractive destination to start and scale tech companies, make the UK a hub for data driven research and provide the cornerstone legislation that will be foundational to our ambition to be a world leader in AI powered technologies.
Following extensive engagement with members techUK responded to the consultation supporting three broad principles for reform:
1. Securing Innovation and Growth: techUK is supportive of a number of pragmatic improvements to the data protection system that are raised in the consultation. These changes include; creation of an exhaustive list of processing activities which can be conducted under the legitimate interest basis, the clarification of legal grounds for data processing for research purposes, seek to clarify how organisations can share data with Government agencies where a clear public interest test is met and consulting on key concepts such as AI fairness, outcomes and how data can be used to help develop AI technologies, such as in the prevention of algorithmic bias.
By making these changes while maintaining the core principles of the GDPR and alongside clear guidance from the ICO we believe the Government can update the UK's legal framework to provide certainty and clarity to organisations as they seek to innovate with data and develop new digital services and AI powered tools.
2. Ensuring the UK's data protection system is trusted by individuals and organisations: enabling citizens to exercise their data rights as well ensuring that the UK's data protection system is seen globally as providing avenues for redress, backed by an independent regulator, is vital.
High levels of consumer confidence in the system, as well as maintaining a reputation as a high standard location for storing and processing personal data is essential for citizens to have confidence in digital services provided in the UK, and for companies to compete for international contracts and investment. In the consultation, the Government has suggested reforms to the accountability framework in the GDPR to create an opportunity for businesses to create more tailored and trusted approaches to managing personal data as well as lessening some of the more prescriptive burdens on smaller firms.
These reforms in principle are welcome but will rely heavily on clear guidance from the ICO to make them operable by businesses and ensure routes for redress for consumers are clearly explained. To do this, the Government will need to ensure that the ICO is well resourced to meet this challenge and its independence remains without question.
To support this aim, techUK therefore believes the Government should not proceed with some of the proposals in this consultation which we believe could have negative impacts on citizens abilities to exercise their rights and undermine the independence of the regulator. For example, the reintroduction of a fee for subject access requests, the suggested proposal to remove Article 22 of the GDPR or some of the changes propsed to the ICO's Codes of Practice and Guidance.
3. Making the UK a global hub for data: International data flows are the cornerstone of global businesses. Both UK headquartered and international companies operating in the UK regularly engage in data transfers with business partners across the globe.
Flows of data are not just an issue for the tech sector, with the operations and supply chains of virtually every modern business supported by the transferring of personal data. Whether that is detailed data sets for complex digital services, or the financial and logistical information needed for the trade in goods or the provision of services.
Even if all the suggested changes in this consultation were made, the UK will still have a data protection system which is more similar to the EU's than any other partner it has a data adequacy agreement with. However, given the recent assessment by the European Commission and the extra territorial nature of a number of other countries data protection regimes the UK will need to reassure partners on how any of their citizens data will be handled in the UK to maintain access to global data flows. This will mean ensuring avenues for redress are clear and easy to access and that there are strong safeguards against onward transfers (the moving of personal data on to another country beyond the UK without appropriate safeguards).
You can read our full response here, and see below a summary of some specific suggestions we have made under each chapter of the consultation:
Chapter 1: Reducing barriers to responsible innovation:
- Research Purposes: techUK and our members support the Government's plans to provide additional clarity for organisations on where data can be used for research purposes. Alongside providing appropriate safeguards for data subjects, we believe this will help increase the UK's attractiveness as a destination for data driven innovation.
- Legitimate Interest: techUK supports the Government's plans to create an exhaustive list of processing activities where a legitimate interest balancing test is not needed. We would however like to see some additions made to the list such as allowing data to be processed to prevent and detect fraud. However, each of these exhaustive list items will need clear guidance from the ICO to ensure organisations have the confidence to utilise them, and citizens are aware of the limited reasons their data may be processed in this way.
- AI and Machine learning: we welcome the open approach the Government is taking to receive feedback on key concepts such as AI fairness and to clarify the legal bases where data can be processed to prevent algorithmic bias. techUK however does not support the suggestion to remove Article 22 of the GDPR on automated decision making, but wishes to see the threshold around this clarified to apply to decisions with a significant or legal effect, following precedents set in recent court rulings.
Chapter 2: Reducing burdens on businesses and delivering better outcomes for people:
- The accountability framework: we support the Government's intentions here to create more flexible framework for organisations to manage data processing. However, these must be informed by clear guidance by the ICO ensure the core principles of the GDPR are clearly maintained. We do not support the proposal to re-introduce a fee for subject data access requests. Any proposals on the accountability framework must be flexible enough to be interoperable with other high standard approaches to manging data (such as the framework under the EU GDPR) to comply with other global data protection regimes and reduce business burdens when operating in the UK.
- Privacy and electronic communications (cookies): we believe analytics cookies and other similar technologies covered by Regulation 6 of Privacy and Electronic Communication Regulation (PECR) should instead be regulated by the GDPR. Under the GDPR, these use cases would fit under the legitimate interest basis for data processing and would remove the need for cookie banners'.
Chapter 3: Boosting trade and reducing barriers to data flows:
- International data transfer and data adequacy: techUK broadly supports the Government's proposed changes to the UK's international transfers toolkit and process for UK adequacy decisions to create a more outcomes focused and flexible system. However, any changes must seek to include strong protections against onward data transfers to ensure that the UK remains a trusted partner for all other third country partners as well as seeking to maintain data adequacy with the EU.
Chapter 4: Delivering better public services:
- Public interest test: techUK is broadly supportive of the Government's plans to create a definition of substantial public interest'. However, we note that any such decision must involve extensive consultation across a number of stakeholders.
Chapter 5: Reform of the Information Commissioner's Office:
- Strategy, Objectives and Duties: we support the Government's aims to encourage the ICO to give due regard to competition, innovation, and the economic impacts of its decisions. Such additional duties reflect the growing importance of data to the economy and society more broadly. The ICO however should seek to exercise such duties in close co-operation with other regulators via the Digital Regulation Cooperation Forum (DRCF).
- Governance Model and leadership: techUK broadly supports the Government's plans to reform the Governance model and leadership of the ICO bringing it in line with other similar regulators such as Ofcom.
- Codes of Practice and Guidance: we support some of the suggestions made here, such as requiring the ICO to publish impact assessments on new guidance as well as when developing codes of practice, and complex or novel guidance. However, we strongly disagree with the proposals to allow the DCMS Secretary of State to approve codes of practice or complex and novel guidance as we believe this could create a conflict of interest between the Government and the regulator and undermine the ICO's independence.