Following the Government’s promise to reform data protection laws in the UK post-Brexit, starting with the DCMS Consultation paper (“Data: a new direction”) in September 2021 (see our blog post on this here) and the announcement of the new Data Reform Bill in the Queen’s Speech in May 2022, the Government has now published its response to the DCMS consultation (see full text here, including a helpful summary of the consultation proposals in the Annex at the bottom), which even in the absence of a draft Parliamentary bill, gives a good indication of what the new UK data protection regime will look like.

In short, while a number of the changes to current data protection laws are not insignificant and will have an impact on both organisations and individual data subjects, the proposed new UK data protection regime is much less of a departure from the current EU GDPR framework than some had anticipated. For a start, the overall legal framework will remain unchanged with the Data Reform Bill serving to amend rather than replace the UK GDPR altogether, and the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (which address compliance in relation to direct electronic marketing and the use of cookies) will continue to supplement the UK GDPR (as amended by the Data Reform Bill) like before.

In addition, a number of controversial proposals mooted in the original DCMS Consultation paper appear to have been watered down (for example, the creation of a list of legitimate interests for businesses to process personal data without needing to apply the balancing test), or dropped altogether (for example, the proposal to raise the threshold for when data breaches are notifiable to the ICO and the proposal to remove Article 22 governing the use of solely automated decision making – although there are plans to clarify its limits and scope).

We set out below a number of the proposals that the Government does intend to proceed with:

  • Removing or changing a number of the “accountability and governance” obligations currently set out in the UK GDPR, including the requirement to appoint a data protection officer (this will be replaced with the requirement to designate a suitable individual to oversee the organisation’s DP compliance), maintain a record of processing activities and to undertake data protection impact assessments. These prescriptive obligations will be replaced by a requirement for organisations to implement a more flexible privacy management programme tailored to the level of the organisation’s processing activities and the volume and sensitivity of personal data handled.
  • Allowing organisations to refuse to respond to “vexatious or excessive” data subject access requests, which will replace the existing “manifestly unfounded or excessive” wording (though the difference between these two constructs is as yet unclear).
  • Removing the requirement for organisations to obtain opt-in consent prior to placing certain types of non-essential cookies on users’ devices, thereby removing the need for website cookie banners.
  • Allowing non-commercial organisations (e.g. charitable organisations and non-profit organisations) to rely on “soft opt in” consent to send direct electronic marketing about their own similar goods and services to existing customers/donors.
  • Increasing fines under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (currently limited to £500,000) to align with those which apply to the UK GDPR (£17.5 million, or 4% of global annual turnover, whichever is higher).

It is worth noting that the proposed changes will only apply to the UK GDPR and organisations that operate across both a UK and EU footprint will need to comply with both the EU GDPR and UK GDPR as amended by the Data Reform Bill. Given that the majority of the proposals that the Government intends to proceed with consist of a slight relaxation of the rules that currently apply under the EU GDPR framework, it is very likely that these multi-jurisdictional organisations will just continue to apply the higher EU “gold standard” across all jurisdictions for consistency.

There is also the question of whether the UK will able to maintain its EU adequacy status in the face of these proposed data protection reforms. Although adequacy does not require a carbon copy replica of the EU GDPR framework and the Government’s latest proposals do not represent as drastic a divergence from the EU GDPR as they could have (perhaps as a result of this consideration), revocation of the UK’s adequacy status is nonetheless a real risk that the Government will need to continue to keep an eye on as the process for implementing the new UK data protection regime continues.

Miriam Everett
Miriam Everett
Partner
+44 20 7466 2378

Duc Tran
Duc Tran
Of Counsel
+44 20 7466 2954