In his press release of 26 Aug 2021 which I discussed in Dowden's Data Protection Plans on 27 Aug 2021, Oliver Dowden MP, Secretary of State for Digital, Culture, Media and Sport, announced a consultation on changes to the UK's data protection laws. That consultation was launched on 10 Sept 2021 with the publication of the consultation document, Data: a New Direction. Responses must be submitted by 19 Nov 2021.
The consultation document is 146 pages long and is divided into an introduction, 5 chapters. a page on whom the Department for Digital, Culture. Media and Sport ("DCMA") is seeking to consult, how to respond and what happens next and a privacy notice. DCMS states that it is keen to hear from "a representative cross section of society, ensuring diversity and inclusion", It believes that the consultation will have particular relevance to
- Individuals
- Start-ups and small businesses
- Technology companies and data-driven or data-rich companies
- Investors in technology and data-driven or data-rich companies
- Civil society organisations focused on consumer rights, digital rights, privacy and data protection
- Academics, and research and policy organisations with a particular interest in the role of data in the economy and society, or as data controllers in their own right
- Organizations involved in international data standards, regulation, and governance
- Law firms and other professional business services.
Respondents are urged to use the DCMS's online survey platform but responses can also be submitted by email or post. The DCMS will publish its response in due course.
The 5 chapters are as follows:
- Chapter 1- Reducing barriers to responsible innovation
- Chapter 2 - Reducing burdens on businesses and delivering better outcomes for people
- Chapter 3 - Boosting trade and reducing barriers to data flows
- Chapter 4 - Delivering better public services, and
- Chapter 5 - Reform of the Information Commissioner's Office.
The reason for reducing barriers to responsible innovation are set out in para 30:
The criticism of the present system is contained in para 139:
"The current legislation is based on a model that prescribes a series of activities and controls that organisations must adopt in order to be considered compliant. Although a key goal of the EU's GDPR was to create a regime that focussed on the accountability of organisations, the current model, in practice, tends towards a ‘box-ticking’ compliance regime, rather than one which encourages a proactive and systemic approach, and risks undermining the intentions of the principle of accountability."
One of those burdens is said to be subject access requests. It is said that organizations have difficulty in processing such requests and with the threshold for making requests. One of the solutions canvassed by the DCMS is the reintroduction of a fee for subject access requests and that is one of the proposals on which the Department is consulting.
"The current legislation is based on a model that prescribes a series of activities and controls that organisations must adopt in order to be considered compliant. Although a key goal of the EU's GDPR was to create a regime that focussed on the accountability of organisations, the current model, in practice, tends towards a ‘box-ticking’ compliance regime, rather than one which encourages a proactive and systemic approach, and risks undermining the intentions of the principle of accountability."
One of those burdens is said to be subject access requests. It is said that organizations have difficulty in processing such requests and with the threshold for making requests. One of the solutions canvassed by the DCMS is the reintroduction of a fee for subject access requests and that is one of the proposals on which the Department is consulting.
On "Boosting trade and reducing barriers to data flows" the DCMS explains at 240:
"Recent legal developments, including the Schrems II judgment, have made it more difficult for UK data exporters to transfer personal data overseas (see explanatory box below). The invalidation of the Privacy Shield by this judgment was particularly disruptive given the volume of trade it supported and the very many small and medium-sized businesses that were relying on it. Outside of the European Union, the UK has an opportunity to consider both the impact of this judgment on its transfers regime and how best to support international data flows in the future."
"Recent legal developments, including the Schrems II judgment, have made it more difficult for UK data exporters to transfer personal data overseas (see explanatory box below). The invalidation of the Privacy Shield by this judgment was particularly disruptive given the volume of trade it supported and the very many small and medium-sized businesses that were relying on it. Outside of the European Union, the UK has an opportunity to consider both the impact of this judgment on its transfers regime and how best to support international data flows in the future."
Data protection law became horrendously complex with the adoption of the General Data Protection Regulation and the implementation of the Law Enforcement Directive by the Data Protection Act 2018 on 25 May 2018. Brexit has greatly exacerbated that complexity. A snapshot of the current law since the expiry of the transition or implementation period on 31 Dec 2020 is set out in The Data Protection Legislation which I published on 28 Aug 2021.
Anyone wishing to discuss this article or any of its contents can call me on 020 7404 5252 during normal office hours or send me a message through my contact form at other times.
