Since it came into force on 25 May 2018, the General Data Protection Regulation (GDPR) has had a wide-ranging effect on businesses large and small. Amidst heavy fines being levied on businesses and groundbreaking court proceedings attempting to introduce opt-out data privacy class action lawsuits (though, in the UK, less progress has been made on either than might be hoped), there has also been widespread discussion within the EU and in the UK on how GDPR can and should be reformed, progressed or overhauled.
Expanding on recent comments published by Compliance Week on the UK’s plans for data regulation reform and EU data protection authorities adopting GDPR cross-border cooperation criteria, Head of Media Disputes Emily Cox considers the latest developments in data regulation law.
What is the Data Reform Bill?
In June 2022 the UK government announced plans for a Data Reform Bill designed to “boost British business, protect consumers and seize the benefits of Brexit”. Some of the measures proposed in the response to consultation included removing the need for certain businesses to have a dedicated Data Protection Officer (DPO), and introducing an ‘opt-out’ model for cookies so that users need not select their preferences on every website. The declared purpose of these measures is to reduce financial and time burdens on businesses.
The proposals came on the heels of a 2021 consultation on reforming UK data protection laws. Responses to the consultation ranged from the positive, with commenters agreeing with proposals including “consent requirements in relation to audience measurement cookies” and “reforming the ICO… emphasis on the importance of maintaining its regulatory independence”, to the critical, with opponents arguing against the introduction of a nominal fee for subject access requests and the removal of the right to human review of automated decisions.
UK data reform plan – positives and negatives
It is positive that the government has listened to consultation responses and dropped some of its more radical proposals, for example the proposal to change the threshold for reporting breaches to the ICO. The proposals are therefore more evolutionary than revolutionary, which may mean the UK’s data adequacy decision from the EU is not immediately imperilled. The government’s guiding principles of proportionality, reducing burdens for small business and encouraging innovation and growth are relatively uncontroversial.
There are, however, changes in the “privacy management programmes” that businesses will now adopt, including to the requirements to appoint a DPO, to complete data protection impact assessments (DPIAs), to maintain a record of processing and to consult the Information Commissioner’s Office (ICO) on a mandatory basis regarding certain high-risk processing. These dilutions carry risks and are unlikely to be adopted by businesses that are also subject to EU law.
The proposed risk-based approach to international transfers, including consideration by the Secretary of State of whether a transfer is “desirable”, is likely the most troubling area from an EU adequacy perspective. Some of the proposed reforms to the ICO role are concerning from an independence perspective, notably the need to obtain government approval in respect of codes of practice and statutory guidance.
What will the Data Reform Bill mean for UK businesses?
The Data Reform Bill will flesh out the proposals further but, at present, the main areas of divergence between the UK and EU look likely to be around:
- International data transfers, and the UK’s desire for ‘pragmatism’ in that regard;
- The diluted requirements of the “privacy management programme”;
- The direction of travel towards an opt-out consent model for cookie banners; and
- A lowered bar for refusing to respond to Data Subject Access Requests (DSARs).
Under the current GDPR regime, businesses can refuse a DSAR only where it is “manifestly unfounded or excessive”. The new measures proposed by the UK government would allow businesses to refuse requests, or charge a fee, if they are “vexatious or excessive”. Examples might include requests intended to cause distress or to abuse the process.
Until we see the Data Reform Bill, and perhaps even afterwards, companies will be uncertain about which practices they can tweak, particularly if they also do business in the EU. Many may therefore take the prudent course of continuing to follow the EU’s more onerous rules.
EU cross-border cooperation on GDPR
The European Data Protection Board (EDPB), which brings together the EU’s national data protection authorities, announced in April 2022 that members “had agreed to further enhance cooperation on strategic cases, and to diversify the range of cooperation methods used.” The EDPB has since published criteria establishing when a cross-border matter might qualify for such measures.
This welcome move by the EDPB could help to speed up the most significant investigations into Big Tech, by prioritising them and lending EDPB support to the relevant supervisory authority. But it will not be the magic bullet for all investigations, only those which the EDPB members have agreed are of strategic importance at a European level, including cases involving many affected data subjects or the intersection of data protection and other fields such as consumer or competition law.
Participation in the process is voluntary, so a common desire to make progress is going to be critical. Progress on the EDPB’s three pilot cases will demonstrate how effective this commitment is going to be in the long run.
This should come as welcome news for national data regulators, providing the means to carry out their investigations more easily. This move could help the Irish Data Protection Commission, for example, to make speedier progress with investigations against Big Tech, given the prioritisation and extra resources afforded – to the extent that the slow pace of previous investigations has been down to a lack of resources.
However, Chapter 7 of the GDPR has always allowed cooperation between the lead supervisory authority and other supervisory authorities, in the form of mutual assistance (Article 61) and joint operations (Article 62). Some national supervisory authorities have not used these mechanisms as fully as they might, perhaps due to a lack of political will.
The latest changes introduced by the EDPB helpfully put matters on a clear trajectory.