Last month, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the UK Department for Digital, Culture, Media & Sport (“DCMS”) on its Consultation on Reforms to the Data Protection Regime (the “Response”). The Response also reflects views gathered from CIPL members during two industry roundtables organized in collaboration with DCMS to obtain feedback on the reform proposals. Key takeaways from the Response include the following:
Chapter 1: Reduce Barriers to Responsible Innovation
With respect to DCMS’ proposals to reduce existing barriers to responsible innovation, CIPL:
- supports the consolidation of provisions related to processing for research purposes into a clear definition and believes this definition should be framed flexibly as research is dynamic by nature and increasingly relies on the use of AI;
- advocates for the creation of a separate lawful ground for research without prejudicing certainty and consistency for organizations (especially cross-border research efforts);
- requests that DCMS clarify the interplay between Articles 6 and 9 of the UK General Data Protection Regulation (“GDPR”) when special category data is processed, and clarify whether both articles apply cumulatively or can be assessed separately (the latter being preferred);
- supports providing more clarity regarding when the legitimate interest ground for processing may be relied upon by organizations (see the categories of common processing activities based on legitimate interests in CIPL’s recent white paper on legitimate interest) and enabling the UK Information Commissioner’s Office (“ICO”) to establish a list of low-risk processing activities that meet the legitimate interest ground, including in the context of B2B relationships;
- agrees that DCMS should clarify that processing personal data to prevent, detect and remediate bias in AI systems constitutes a legitimate interest of a data controller;
- encourages DCMS to clarify the current approach to automated decision-making and, in particular, the meaning of a legal or similarly significant effect under Article 22 of the UK GDPR; and
- supports DCMS’ proposal to incorporate a test based on the U.S. Federal Trade Commission model for anonymized data into an updated UK data protection regime, rather than rely on Recital 26 of the UK GDPR (e.g., a practical rather than theoretical approach).
Chapter 2: Reducing Burdens on Business and Delivering Better Outcomes for People
With respect to DCMS’ proposals to reduce burdens on businesses and deliver better outcomes for people, CIPL:
- welcomes enabling flexibility for organizations in implementing accountable privacy management programs that reflect, and are suited to, a wide range of business structures and operations. Any changes to the current rules, however, should be clearly explained and the requisite standard for compliance delineated to (1) prevent stakeholders from viewing any changes as a dilution or an abandonment of EU-specific data protection concepts introduced by the GDPR and (2) avoid a situation where flexibility for organizations results in a lack of clarity regarding which actions to take to enable accountability;
- supports the proposal to raise the threshold for breach reporting;
- supports the introduction of a new voluntary process enabling organizations with demonstrable accountability practices to implement a specific remediation plan to address any infringement of the law in lieu of enforcement action by the regulator; and
- supports any reform enabling organizations to store information on, or collect information from, a user’s device without their consent for limited and legitimate purposes, subject to transparency and additional safeguards or limitations.
Chapter 3: Boosting Trade and Reducing Barriers to Data Flows
With respect to DCMS’ proposals to boost trade and reduce barriers to data flows, CIPL:
- supports DCMS’ proposal to approach adequacy assessments with a focus on risk-based decision-making and outcomes, while being mindful of the benefits of maintaining appropriate consistency with the current understanding of “essential equivalence” under the EU GDPR;
- supports the creation of a new power for the Secretary of State to create new UK mechanisms for transferring data overseas or to recognize in UK law other international data transfer mechanisms, if they achieve the outcomes required by UK law, such as the APEC CBPR and PRP systems developed by the APEC forum; and
- supports the proposal to exempt reverse transfers from the UK’s international transfer regime.
Chapter 5: Reform of the ICO
With respect to DCMS’ proposals for reforms to the ICO, CIPL:
- cautions DCMS against introducing powers that would allow the UK government to set the strategic direction of the ICO out of concern for preserving the ICO’s independence. Setting such strategic priorities should be left to the regulator without government interference;
- emphasizes the risk posed by the requirement that the ICO seek approval from the Secretary of State for new codes of practice or regulatory guidance, a requirement that is inconsistent with the ICO’s status as an independent data protection authority, both domestically and globally;
- supports introducing a duty for the ICO to cooperate and consult with other DPAs and sectoral regulators both in the UK and around the world; and
- supports introducing a requirement that organizations be the first contact to resolve consumer complaints before they are escalated to the ICO.
To read about these recommendations in more detail, please see the full Response.