The Government has now responded to the consultation that took place in 2021 and has released its plans on which proposals are going ahead.
The current data protection regime in the UK consists of the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018 (DPA). This consultation aimed to improve the current UK regime whilst staying committed to a high standard of data protection. It focused heavily on the most important privacy outcomes and on how to keep legislation in line with technological growth.
The consultation “Data: A New Direction” began in September 2021, setting out proposals to reform the UK’s data protection laws with the aim of securing a pro-growth data regime that is trusted by its users. The government claimed that the reforms being taken forward would help the UK benefit from the use of personal data and remove many of the processes that have become a burden to businesses. The consultation ran for ten weeks, during which responses were received from the Information Commissioner’s Office and other organisations representing a cross-section of the UK economy, as well as from overseas organisations.
In Annex A of the Consultation, there is a list of the original proposals along with the next steps. Some of the most important areas are discussed below.
Creating a limited list of legitimate interests for businesses to process personal data without applying the balancing test
Legitimate interests are one of the lawful bases on which an organisation may process personal data. The processing does not have to be something the individual has consented to, so long as it is lawful. There is a very wide range of purposes that could be considered a legitimate interest, and the current UK GDPR does not set out a strict list of factors to consider when deciding whether a purpose satisfies the criteria. Instead, there is a recommended three-part test to determine whether a legitimate interest exists:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
The government plans to proceed with the proposal to create a list, but for a narrower range of situations than was set out in the original consultation paper. Legitimate interests on the list include activities in the public interest (such as crime prevention) and non-public bodies delivering statutory public communications or health and safety messages. However, the government has recognised the importance of safeguarding children’s data, and discussion of additional measures for this has therefore been included.
For any activities that are not included on the list, the balancing test will remain a requirement.
Whilst this change will make it easier to establish that a legitimate interest exists, it remains important to include details of your legitimate interests in your privacy information and to consider individuals’ interests. It will remain the case that if users would not reasonably expect you to use their data in the way you plan to, or the use could cause them harm, their interests will take priority.
Removing the requirement for data protection impact assessments
A data protection impact assessment (DPIA) helps to identify the data protection risks of a project and to reduce the likelihood of those risks materialising. Currently, a DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
In the consultation, the majority of respondents agreed that these assessments are helpful in mitigating risk. However, although the benefits were clear, many said that they would welcome a new approach that allowed more flexibility, as well as the ability to tailor assessments to the needs of the organisation.
Under the new regime, removing the DPIA requirement gives organisations this flexibility. Organisations will still have to assess the risks of their processing and how sensitive the data is, but it will be down to them to decide how to go about this. It is expected that some will continue to use the DPIA, as it will remain a valid approach.
Various proposals in relation to cookies, including removing the requirement for prior consent for all types of cookies (once automated technology is available on websites to help users manage their preferences) and removing the consent requirement for analytics cookies and similar technologies.
The Privacy and Electronic Communications Regulations 2003 (PECR) relate to the confidentiality of terminal equipment, direct marketing communications and security. Under the current law, cookies (and similar technologies) require the user’s consent before they are placed on the device. There are currently only two limited exceptions to the consent requirement:
- For purposes that are essential to provide the online service
- For purposes where they are needed to transmit a communication over a network
Consent is usually obtained through a pop-up which the user agrees to when visiting a site. This consent allows sites to access information such as which pages the user looks at frequently, as well as other personal data. Through this consultation, the government has been looking into whether there are any other situations in which cookies should be permitted without explicit consent.
The government intends to remove these pop-ups, which have become something of an annoyance for users, and will allow cookies to be placed for non-intrusive purposes (however, we are currently unsure of what these will be). These changes will apply to all connected technology. There is also an intention to introduce an “opt-out” consent model, under which consent to cookies will be given automatically, but the site must give users clear information on how to change this. However, as mentioned above, it is likely that there will be extra safeguards for websites that are accessed mostly by children.
There are many other proposals that the government is planning to proceed with, which can be viewed in Annex A of the consultation.
If you would like any assistance in ensuring that your data protection practices are up to date, please contact the commercial & technology team at [email protected]
Article contributor – Louise Tindall, Business Services Team