The proposed reforms are, prima facie, a business-friendly upgrade by the government. But do they stand up to a closer cross-examination from experts in the field?
The prudent stewardship of personal data can be a delicate and onerous task for British businesses, but less red tape and greater flexibility in managing this material could soon be within their sight.
Freed from the EU’s shackles, the Department for Digital, Culture, Media and Sport (DCMS) is seeking to modernise the UK’s bureaucratic data protection regime by creating a “bold” new system, all in the name of aiding economic growth. And, at first glance, the wide-ranging proposals published in its September 2021 consultation document, Data: a new direction, seem distinctly pro-business, signalling a shift from hidebound processes to greater accountability.
It’s hard to imagine how the government’s commitment towards “unleashing data’s power… for the benefit of British businesses” could simultaneously enhance consumers’ rights. It is often said that privacy is a right, not a privilege, but there is a balance to be struck.
The DCMS is proposing to move from the current prescriptive approach to what it calls an “outcomes-focused” system. If that sounds vague, it’s because it is.
“It’s difficult to say whether this represents a genuine change in favour of business or not, since the devil will be in the detail,” says James Castro-Edwards, data protection specialist at Arnold & Porter. He adds that Westminster’s intention to create a pro-growth and pro-innovation data regime is “hard to interpret as anything other than a relaxation of the rules”.
It’s been almost four years since the introduction of the Data Protection Act 2018, which is a very long time in technology. Whether this legislation remains fit for purpose is debatable. But it is clear that, if businesses are to have enough flexibility to use big data effectively, regulatory changes are needed.
The DCMS proposals are underpinned by both the online safety bill and the digital regulation plan, published in July 2021, which has innovation at its heart. The government wants to reduce barriers to “responsible innovation” by businesses and lighten their compliance burden. Most notably, the so-called legitimate-interest balancing test for certain activities (such as using personal data for internal R&D) will be disapplied; a new legal basis for research will be introduced (with safeguards); and the legal bases and conditions for processing personal data will be clarified.
“This is about changing the emphasis from restricting data uses to making firms subject to greater accountability, but in a pragmatic and sensible way,” says Eduardo Ustaran, co-head of the global privacy and cybersecurity practice at Hogan Lovells.
Will business see the benefits?
It looks good for businesses at first blush, particularly firms seeking to conduct scientific research but hesitating to do so because of a lack of clarity.
But a shift to an outcomes-focused regime may not be the significant change that some people might be expecting. Jonathan Kirsop, partner in the data protection team at Pinsent Masons, points out that the General Data Protection Regulation (GDPR) is “largely principles-based anyway… The proposed reforms look to remove some of the prescriptive elements of the legislation – for instance, its requirements for data protection officers and privacy impact assessments – but they don’t otherwise depart significantly from this principles-based approach.”
Some lawyers believe that small and medium-sized enterprises would be the main beneficiaries of the planned reforms, given the likely reduction of red tape in certain circumstances. As for big multinational businesses, Kirsop’s view is that any significant easing of the processes they must follow would be less likely, given the scale and geographical spread of their operations.
Consider subject-access requests (SARs) – the bane of many businesses. Organisations can’t refuse an SAR on the grounds that it’s onerous to deal with, but the government has proposed to discard some record-keeping requirements imposed by the GDPR, which would enable firms to respond to SARs more effectively.
But this leaves complex questions unaddressed, according to Katie Hewson, a partner in Stephenson Harwood’s data protection practice. “For example, the extent of the duty to be transparent about, and to give access to, data that is inferred about a subject is likely to become increasingly relevant as companies use automated processes to make assumptions about individuals’ preferences.”
The Information Commissioner’s Office, which receives more complaints from the public about SARs than anything else, also has concerns about this and wants to see appropriate safeguards.
Protecting consumer privacy
A significant worry is that consumers’ privacy rights will be compromised if the DCMS proposals are enacted. The Law Society has warned that any perception of the scales tipping in favour of businesses using personal data for wider reasons at the expense of people’s privacy would jeopardise the UK’s reputation as a global leader in data protection.
Such concerns are valid, but they have been exaggerated, according to Kirsop. His view is that the reforms per se would not push things that far. He believes that the biggest risk concerns EU adequacy – the European Commission’s rating of the effectiveness of a non-member’s data protection measures.
“There is speculation that, if the UK diverges too far from the GDPR norm, that could threaten the UK’s adequacy decision from the European Commission,” Kirsop says.
So it could turn out that the government’s proposed shift to a pro-growth, pro-innovation data regime, while intended as a business-friendly move, “would have the opposite effect if the result were to be a loss of trust in UK businesses”, warns Castro-Edwards.
But, all in all, there is much to be said for simplifying the law and making it easier for businesses to understand what compliance looks like, according to Ustaran. This will benefit both companies and consumers – and it should in turn reduce the risk of litigation for unlawful uses of data, he says.
Ustaran, who is broadly optimistic about the probable effects of the DCMS plan, adds: “Reforms consistent with the direction of travel the UK has maintained in this area – making the law easier for businesses to comply with and for citizens to understand – are compatible with the nation’s status as a global leader in data protection.”