Review of the Department for Digital, Culture, Media & Sport consultation
On 10 September 2021 the Department of Digital, Cultural, Media and Sport (DCMS) published a consultation titled ‘Data: a new direction’ (Consultation). The Consultation is part of the UK governments wider national data strategy to unlock the power of data across the UK economy and secure a ‘pro-growth and trusted data regime’. The Consultation closes on 19 November 2021 and recommends a number of fundamental changes to the current data protection regime in the UK. We have considered 5 key proposals that will have a direct impact on how businesses can use data going forward if the changes are adopted.
Key proposed reforms
The underlying intention of the Consultation is to: i) reduce barriers to innovation (particularly in spaces such as AI and machine learning development); ii) decrease the burden on businesses and a move away from ‘box ticking’ compliance; and iii) boost trade by reducing barriers to international data flows. These core goals are considered and addressed by the following recommendations.
Research and science purposes
DCMS proposes further clarity on the existing protections for the use of personal data for science and research to ensure innovative businesses can fully realise the benefit of the current regulations. This clarity could be achieved through the consolidation of current provisions, further guidance on interpretation and possibly through a new lawful basis for processing. This reform would give research and development organisations much needed certainty in respect of their data processing activities.
Lawful basis for processing
The Consultation identifies an ‘over-reliance on consent’ which has resulted in ‘consent fatigue’ among individuals which in turn reduces consent and impedes responsible data use. A driving factor of the over reliance on consent is the uncertainty surrounding reliance on legitimate interest and the complexity of the legitimate interest balancing test. The Consultation proposes to publish an exhaustive list of legitimate interests for which an organisation can rely without having to perform the balancing test.
Legitimate interest is often viewed as a more uncertain lawful basis on which to rely but with an exhaustive list of authorised purposes organisations may be more willing to move away from reliance on consent. Although, to ensure it can withstand the test of time, the list will likely be generic which may still cause interpretation challenges for businesses looking to rely on the list. The language of the listed legitimate interests will be vital to see the benefit of this proposed reform.
Focus on innovation and AI
DCMS recognises the increased role artificial intelligence (AI) and machine learning will play in future health, social and economic innovation. There is a recognition that the technology neutral nature of the UK GDPR is important to ensure its effective application, while at the same time guidance is needed on how principles such as “fairness” can be addressed in the context of machine learning. Currently, for solely automated decision making consent is required to process personal data. DCMS is proposing that as part of the exhaustive list of legitimate interests (as explained above), the government will include circumstances where legitimate interest can be relied on in relation to AI systems for the purposes of monitoring, detecting and correcting bias. There is an emphasis on facilitating data use in AI and machine learning within the wider context of regulatory movement in this space.
Adequacy and international data transfers
According to the UK Government’s press release unveiling the UK’s post-Brexit global data plans, there is an estimated £11 billion worth of trade going unrealised around the world due to barriers associated with data transfers. Recognising this barrier, DCMS notes that the UK government will be adopting an ambitious programme of adequacy assessments to add countries to its adequacy list and increase unrestricted data flows. Adequacy will be assessed on a risk based analysis to create a scalable, flexible adequacy regime in the UK. The Consultation proposes to shift the focus of international data transfers mechanisms to ensure they are necessary and proportionate, using a risk based metric that the current transfer mechanisms do not take into account.
DCMS recognises the current challenges faced by organisations looking to classify data as pseudonymised or anonymised. As such, DCMS proposes new tests for establishing anonymisation which , in theory, should provide organisations with clarity on using techniques such as pseudonymisation or anonymity for security and data minimisation. However, in a particularly interesting consideration, the Consultation proposes introducing legislation confirming that anonymisation will be “relative to the means available to the data controller to re-identify”. It is not clear whether the relative test would replace the motivated intruder test or whether the motivated intruder test would still play a role in establishing what means are available to the data controller in order to re-identify.
The Consultation identifies key pain points for businesses and endeavours to resolve them by taking a risk-based, proportionate approach to regulation. The UK GDPR is a principles based legislation and DCMS recognises the benefits and flexibility of this approach. However, the DCMS also recognises that there is a need to clarify the application of current data protection laws to facilitate the secure use of data. While the changes, if implemented, will come as a welcome relief for SME businesses a question arises as to the security of the UK’s adequacy decision from the European Commission if the UK were to implement such widespread data reform. The UK’s adequacy decision from the EU includes a sunset clause which means the decision will automatically expire at the end of 4 years unless renewed. If the UK adopts the proposed reforms in the Consultation there is a chance UK data protection law will diverge from EU law to such an extent that it may put the UK’s adequacy decision at risk.
The Consultation is still in its consultation phase and the recommendations being made are just suggestions at this stage. The implementation of any of the suggestions may take time and input from numerous stakeholders. This consultation is the first step in the process of reforming the UK’s regime for the protection of personal data and foreshadows possible changes to come.
To flex or not to flex: comparing traditional offices with flexible office space
Is Buy Now, Pay Later creating a new debt crisis?
BNPL providers are quick to claim that their services are offered with “no interest and no fees”, but is this really the case?
Social Tokens: What are the regulatory challenges in the UK?
Social tokens are one of the latest innovations in the crypto space and have grown significantly in recent years.
PRA to further scrutinise cloud computing in 2022
National Security and Investment Act comes into force
The Act has established a new regime for the review of mergers, acquisitions and transactions that could threaten national security.
Richard Davies and Rahim Hirji write for the American Bar Association on tattoos, athletes and image rights
LeBron James. Zlatan Ibrahimović. Mike Tyson. What is the common factor?
Sarah Rowley appears in the Apollo and Charles Russell Speechlys’ art law series on the future of museum governance
Are the responsibilities and duties of museum boards in the UK the same as they were, say, 20 years ago?
Sports Business: Five Current Themes
Nick White goes early with his thoughts on this year's Sports Business themes.
Charles Russell Speechlys advises Puma Private Equity on their investment into Everpress
Puma Private Equity offers a wide range of award-winning investments that help to support investors.
Lloyd v Google – Supreme Court to deliver judgment tomorrow (on 10 November 2021) – a reminder of the issues at stake
Fairhurst v Woodard: Property audio and video surveillance system breached GDPR
A recent judgment from Oxford County Court raises significant questions about the increasing use of smart doorbells and cameras.
Top 5 Data Protection Tips
Jonathan and Marc-Us explore the top 5 data protection tips
Can machines be inventors?
Will JP Morgan’s digital only Chase launch shake up the UK retail banking sector?
Chase is JP Morgan’s consumer brand and is one of the largest retail banks in the United States with over 4,700 branches.
Who? Where? What on earth is an “NFT”!?
An NFT is a “Non-Replaceable Token” meaning only one of its type can ever be created and recorded on the blockchain it is connected to.
How does the FCA Cryptoasset AML/CTF Regime affect UK cryptoasset businesses?
With the notable exception of security tokens, the majority of cryptoassets remain unregulated in the United Kingdom.
Closing the Cookie Jar
Opportunistic claims for misuse of online tracking cookies are on the rise. Proactively ensuring compliance is key to avoiding claims.
Regulating AI – the impact of two key recent proposals: the UK’s National AI Strategy and the EU’s proposed Artificial Intelligence Regulation
With the hype surrounding artificial intelligence continuing to gather pace, we pause and consider some of the proposed regulatory changes.
China’s Personal Information Protection Law – keeping up with the Joneses or increased cyber-security?
Up until recently, China’s data protection rules could be found through a number of laws and guidelines
Charles Russell Speechlys advises shareholders of eCommonSense on sale to ECI Software Solutions
eCommonSense is a technology solutions provider focused on the construction and building materials supply sectors.