Evolving the UK’s approach to data protection, techUK’s response to the DCMS consultation Data: a new direction

24 Nov 2021 02:42 PM

techUK sets out our response to the DCMS consultation Data: A New Direction

On 10 September 2021 the UK Government announced plans for a consultation on the reform of the UK’s data protection system. The consultation document Data: a new direction is the Government’s attempt to reform the UK version of the General Data Protection Regulation (UK GDPR).

In doing so the Government will retain the core principles of the GDPR such as its data processing principles, its data rights for citizens, and its mechanisms for supervision and enforcement but make some changes to how the broader data protection framework operates.

For example by clarifying the legal bases around how certain kinds of data can be processed, create a more flexible accountability framework for organisations processing data, reform the mechanisms around how data can be transferred in and out of the UK, improve how data is used for the delivery of public services and make changes to structure of the Information Commissioner’s Office (ICO).

techUK believes the consultation sparks a timely conversation preceded by a period of immense technological, business, and social change, not least as a result of the COVID-19 pandemic. These changes have tested the limits of existing data protection frameworks while also revealing opportunities for a pragmatic evolution of the legislation with the aim of delivering benefits for consumers, businesses, and wider society.

These pressures for change are not just found in the UK, they are global and governments around the world will be examining their own reforms to their data protection frameworks. In this situation, the UK has a unique position to lead the global debate. Having left the EU the UK inherits a data protection framework based on the GDPR which has become a globalised standard and whose principles have been widely adopted.

Successfully steering this debate however means being attuned to the trajectory of global data protection policy and seeking to converge on common principles, as the UK sought to do in the recent G7 statement, Roadmap for cooperation on data free flow with trust. It also means protecting key pathways for data flows such as data adequacy with the EU and the interoperability of data transfer tools.

The Government must also ensure that whatever additional flexibilities the UK provides in its own domestic rules, organisations are able to continue using data management policies that are designed to comply with multiple different regimes, as long as these give similarly high levels of protection to personal data as the UK’s domestic laws. This will help prevent increased regulatory burden through double compliance and is a pragmatic step to deal with the extra territorial effects of different modern data protection regimes across the globe.

If the UK can get this right, techUK believes we can not just seize the opportunity to update our data protection system for the 2020s, but create an approach which underpins our wider ambitions for the UK tech sector. For example, by crafting an approach to data governance that helps the UK remain Europe’s most attractive destination to start and scale tech companies, make the UK a hub for data driven research and provide the cornerstone legislation that will be foundational to our ambition to be a world leader in AI powered technologies.

Following extensive engagement with members techUK responded to the consultation supporting three broad principles for reform:

1. Securing Innovation and Growth: techUK is supportive of a number of pragmatic improvements to the data protection system that are raised in the consultation. These changes include; creation of an exhaustive list of processing activities which can be conducted under the legitimate interest basis, the clarification of legal grounds for data processing for research purposes, seek to clarify how organisations can share data with Government agencies where a clear public interest test is met and consulting on key concepts such as AI fairness, outcomes and how data can be used to help develop AI technologies, such as in the prevention of algorithmic bias.

By making these changes while maintaining the core principles of the GDPR and alongside clear guidance from the ICO we believe the Government can update the UK’s legal framework to provide certainty and clarity to organisations as they seek to innovate with data and develop new digital services and AI powered tools.

2. Ensuring the UK’s data protection system is trusted by individuals and organisations: enabling citizens to exercise their data rights as well ensuring that the UK’s data protection system is seen globally as providing avenues for redress, backed by an independent regulator, is vital.

High levels of consumer confidence in the system, as well as maintaining a reputation as a high standard location for storing and processing personal data is essential for citizens to have confidence in digital services provided in the UK, and for companies to compete for international contracts and investment. In the consultation, the Government has suggested reforms to the accountability framework in the GDPR to create an opportunity for businesses to create more tailored and trusted approaches to managing personal data as well as lessening some of the more prescriptive burdens on smaller firms.

These reforms in principle are welcome but will rely heavily on clear guidance from the ICO to make them operable by businesses and ensure routes for redress for consumers are clearly explained. To do this, the Government will need to ensure that the ICO is well resourced to meet this challenge and its independence remains without question.

To support this aim, techUK therefore believes the Government should not proceed with some of the proposals in this consultation which we believe could have negative impacts on citizens abilities to exercise their rights and undermine the independence of the regulator. For example, the reintroduction of a fee for subject access requests, the suggested proposal to remove Article 22 of the GDPR or some of the changes propsed to the ICO’s Codes of Practice and Guidance.

3. Making the UK a global hub for data: International data flows are the cornerstone of global businesses. Both UK headquartered and international companies operating in the UK regularly engage in data transfers with business partners across the globe.

Flows of data are not just an issue for the tech sector, with the operations and supply chains of virtually every modern business supported by the transferring of personal data. Whether that is detailed data sets for complex digital services, or the financial and logistical information needed for the trade in goods or the provision of services.

Even if all the suggested changes in this consultation were made, the UK will still have a data protection system which is more similar to the EU’s than any other partner it has a data adequacy agreement with. However, given the recent assessment by the European Commission and the extra territorial nature of a number of other countries data protection regimes the UK will need to reassure partners on how any of their citizens data will be handled in the UK to maintain access to global data flows. This will mean ensuring avenues for redress are clear and easy to access and that there are strong safeguards against onward transfers (the moving of personal data on to another country beyond the UK without appropriate safeguards).

You can read our full response here, and see below a summary of some specific suggestions we have made under each chapter of the consultation:

Chapter 1: Reducing barriers to responsible innovation:

Chapter 2: Reducing burdens on businesses and delivering better outcomes for people:

Chapter 3: Boosting trade and reducing barriers to data flows:

Chapter 4: Delivering better public services:

Chapter 5: Reform of the Information Commissioner’s Office: