In his press release of 26 Aug 2021 which I discussed in Dowden's Data Protection Plans on 27 Aug 2021, Oliver Dowden MP, Secretary of State for Digital, Culture, Media and Sport, announced a consultation on changes to the UK's data protection laws. That consultation was launched on 10 Sept 2021 with the publication of the consultation document, Data: a New Direction. Responses must be submitted by 19 Nov 2021.
The consultation document is 146 pages long and is divided into an introduction, 5 chapters. a page on whom the Department for Digital, Culture. Media and Sport ("DCMA") is seeking to consult, how to respond and what happens next and a privacy notice. DCMS states that it is keen to hear from "a representative cross section of society, ensuring diversity and inclusion", It believes that the consultation will have particular relevance to
- Start-ups and small businesses
- Technology companies and data-driven or data-rich companies
- Investors in technology and data-driven or data-rich companies
- Civil society organisations focused on consumer rights, digital rights, privacy and data protection
- Academics, and research and policy organisations with a particular interest in the role of data in the economy and society, or as data controllers in their own right
- Organizations involved in international data standards, regulation, and governance
- Law firms and other professional business services.
- Chapter 1- Reducing barriers to responsible innovation
- Chapter 2 - Reducing burdens on businesses and delivering better outcomes for people
- Chapter 3 - Boosting trade and reducing barriers to data flows
- Chapter 4 - Delivering better public services, and
- Chapter 5 - Reform of the Information Commissioner's Office.
"The current legislation is based on a model that prescribes a series of activities and controls that organisations must adopt in order to be considered compliant. Although a key goal of the EU's GDPR was to create a regime that focussed on the accountability of organisations, the current model, in practice, tends towards a ‘box-ticking’ compliance regime, rather than one which encourages a proactive and systemic approach, and risks undermining the intentions of the principle of accountability."
One of those burdens is said to be subject access requests. It is said that organizations have difficulty in processing such requests and with the threshold for making requests. One of the solutions canvassed by the DCMS is the reintroduction of a fee for subject access requests and that is one of the proposals on which the Department is consulting.
"Recent legal developments, including the Schrems II judgment, have made it more difficult for UK data exporters to transfer personal data overseas (see explanatory box below). The invalidation of the Privacy Shield by this judgment was particularly disruptive given the volume of trade it supported and the very many small and medium-sized businesses that were relying on it. Outside of the European Union, the UK has an opportunity to consider both the impact of this judgment on its transfers regime and how best to support international data flows in the future."