The UK Government has signalled its intention to diverge from the EU's approach to data protection as embodied in the General Data Protection Regulation (GDPR), and reduce the compliance burden on businesses.
In its 17 June response to its consultation on privacy and data protection reforms and its proposed upcoming Data Reform Bill (the Response), the Government indicated it would look to adopt a more outcomes-driven approach to data protection than that embodied in the principles-based (and arguably more complex) EU GDPR and UK GDPR.
Data critical in the digital economy
The Government's Response emphasises how critically important data is to consumers and businesses, particularly to the latter in how they can use data to improve their operations and services. The Response identifies that data-driven trade generated nearly three quarters of the UK's total services exports and generated an estimated £234 billion for the UK economy in 2019.
Beyond box-ticking to a more flexible approach
The Response contends that the lack of clarity in the GDPR has led to an over-reliance by businesses on "box ticking" to seek consent from individuals to process their personal information to avoid non-compliance. It argues that the largely one-size-fits-all approach, which applies regardless of the relative risk of an organisation's data processing activities, places a disproportionate burden on small businesses, including start-ups and scale-ups.
The proposed Data Reform Bill, if made law, will remove the UK GDPR's prescriptive requirements (such as the need for small businesses to have a Data Protection Officer and to undertake impact assessments) and will give organisations greater flexibility in how they manage data risks.
However, the Response reiterates that organisations will still be required to have a privacy management program and to ensure that they are accountable for how they process personal information.
Sensitive data processing for monitoring and correcting bias in AI systems
During the consultation process, the UK Government sought views on whether processing personal information for the purpose of mitigating bias in AI systems should be included in the list of legitimate interests that organisations can rely on to carry out data processing, without imposing what is known as the "balancing test". That test requires an organisation to take into account the interests or fundamental rights and freedoms of the data subject, and confirm that these interests do not override the organisation's interests in processing that personal information.
The Response concludes (based on the outcome of the consultation process) that additional legal clarity on this point is required. On that basis, the Government plans to introduce a new condition to Schedule 1 of the UK's Data Protection Act 2018 to enable the processing of sensitive personal information for the purpose of monitoring and correcting bias in AI systems. The Response notes that the new condition will be subject to appropriate safeguards, such as limitations on re-use and the implementation of security and privacy preserving measures when processing for this purpose.
Bye, bye cookie consents
The Response also flags that the UK's Privacy and Electronic Communications Regulations will be updated to cut down on cookie consent pop-ups and banners. The proposed new opt-out model seeks to reduce the need for users to click through consent pop-ups and banners on every website, and instead to let them elect a uniform approach to how their data is collected and used online, such as through their internet browser settings. Time will tell if this will be readily available from a technical perspective.
Australia gets a mention
The announcement accompanying the Response sets out the UK Government's ambitions to strike new data partnerships with economies it considers significant, and to improve international data transfers. It specifically calls out its work on striking data adequacy deals with priority countries including Australia and the US.