Consultation on Changing the Data Protection Laws

 

Jane Lambert

In his press release of 26 Aug 2021 which I discussed in Dowden's Data Protection Plans on 27 Aug 2021, Oliver Dowden MP, Secretary of State for Digital, Culture, Media and Sport, announced a consultation on changes to the UK's data protection laws.  That consultation was launched on 10 Sept 2021 with the publication of the consultation document, Data: a New Direction.  Responses must be submitted by 19 Nov 2021.

The consultation document is 146 pages long and is divided into an introduction, 5 chapters. a page on whom the Department for Digital, Culture. Media and Sport ("DCMA")  is seeking to consult, how to respond and what happens next and a privacy notice.  DCMS states that it is keen to hear from "a representative cross section of society, ensuring diversity and inclusion", It believes that the consultation will have particular relevance to 

• Individuals 
• Start-ups and small businesses 
• Technology companies and data-driven or data-rich companies 
• Investors in technology and data-driven or data-rich companies 
• Civil society organisations focused on consumer rights, digital rights, privacy and data protection 
• Academics, and research and policy organisations with a particular interest in the role of data in the economy and society, or as data controllers in their own right 
• Organizations involved in international data standards, regulation, and governance 
• Law firms and other professional business services.

Respondents are urged to use the DCMS's online survey platform but responses can also be submitted by email or post.  The DCMS will publish its response in due course.

The 5 chapters are as follows:

• Chapter 1- Reducing barriers to responsible innovation
• Chapter 2 - Reducing burdens on businesses and delivering better outcomes for people
• Chapter 3 - Boosting trade and reducing barriers to data flows
• Chapter 4 - Delivering better public services, and 
• Chapter 5 - Reform of the Information Commissioner's Office.

The reason for reducing barriers to responsible innovation are set out in para 30:

"The government has heard from stakeholders that elements of the law can create barriers to responsible innovation. Some definitions are unclear and lack explanatory case law or regulatory guidance that could take years to develop; organisations may choose not to use data as fully as they could owing to unfounded concerns about legality. For example, the rules for some organisations to use and to re-use personal data for research are difficult to navigate, despite the public being generally in favour of their personal data being used for scientific research that can deliver real benefits to society.5 The government has also heard evidence that uncertainty about when different lawful grounds for processing personal data should be used has led to an overreliance on seeking consent from individuals. This creates an unnecessary burden for consumers as well as for organisations. Finally, the increasing adoption and potential of new data-driven technologies is dependent on clear and consistent rules about the use of personal data."

The criticism of the present system is contained in para 139:

"The current legislation is based on a model that prescribes a series of activities and controls that organisations must adopt in order to be considered compliant. Although a key goal of the EU's GDPR was to create a regime that focussed on the accountability of organisations, the current model, in practice, tends towards a ‘box-ticking’ compliance regime, rather than one which encourages a proactive and systemic approach, and risks undermining the intentions of the principle of accountability."

One of those burdens is said to be subject access requests.  It is said that organizations have difficulty in processing such requests and with the threshold for making requests.  One of the solutions canvassed by the DCMS is the reintroduction of a fee for subject access requests and that is one of the proposals on which the Department is consulting. 

On "Boosting trade and reducing barriers to data flows" the DCMS explains at 240:

"Recent legal developments, including the Schrems II judgment, have made it more difficult for UK data exporters to transfer personal data overseas (see explanatory box below). The invalidation of the Privacy Shield by this judgment was particularly disruptive given the volume of trade it supported and the very many small and medium-sized businesses that were relying on it. Outside of the European Union, the UK has an opportunity to consider both the impact of this judgment on its transfers regime and how best to support international data flows in the future."

Data protection law became horrendously complex with the adoption of the General Data Protection Regulation and the implementation of the Law Enforcement Directive by the Data Protection Act 2018 on 25 May 2018.  Brexit has greatly exacerbated that complexity.   A snapshot of the current law since the expiry of the transition or implementation period on 31 Dec 2020 is set out in The Data Protection Legislation which I published on 28 Aug 2021.

Anyone wishing to discuss this article or any of its contents can call me on 020 7404 5252 during normal office hours or send me a message through my contact form at other times.

Dowden's Data Protection Plans

Now that we've left the EU we can seize the opportunity to develop a world-leading data regime that will deliver for people across the UK.

Fare all part of our plan.

👉 https://t.co/R5OhCkQzi3 pic.twitter.com/2b3xtUxYXv

— Oliver Dowden (@OliverDowden) August 26, 2021

Jane Lambert

In the last few months, this government has made one ambitious promise after another. In his foreword to Global Britain in a competitive age, the Prime Minister wrote that his government's aim is for the UK to become a science and tech superpower by 2030 (see NIPC Brexit 19 March 2021). In his foreword to the UK Innovation Strategy Leading the future by creating it Kwasi Kwarteng, Secretary of State for Business, said that the UK would in science and technology what it is in finance (see UK Innovation Strategy, NIPC Inventors Club 12 Aug 2021). With similar hyperbole, Oliver Dowden, Secretary of State for Culture, Media and Sport has announced "a world-leading data regime" by "forging new global partnerships and designing our own common sense data laws" (see UK unveils post-Brexit global data plans to boost growth, increase trade and improve healthcare DCMS press release 26 Aug 2021).

The Press Release

Mr Dowden's press release makes three announcements:

• an intention to negotiate "data adequacy partnerships" with Australia, Colombia, the Dubai International Financial Centre, Singapore, South Korea and the USA;
• the appointment of John Edwards, the New Zealand Privacy Commissioner, as the next Information Commissioner; and 
• a consultation on changes to the UK's data protection laws "to break down barriers to innovative and responsible uses of data so it can boost growth, especially for startups and small firms, speed up scientific discoveries and improve public services."
  

Data Protection Legislation 

On 25 May 2018, the General Data Protection Regulation ("GDPR") came into force across the European Union including the UK.  Art 94 of the GDPR repealed Directive 95/46/EC which had been implemented in the UK by the Data Protection Act 1998.  As it was a regulation of the European Council and Parliament, the GDPR took effect automatically.  The UK Parliament enacted the Data Protection Act 2018 which repealed the Data Protection Act 1998, supplemented the GDPR and applied a broadly equivalent regime to certain types of processing to which the GDPR did not apply.  

When the UK left the EU on 31 Jan 2020, the GDPR remained in force in the UK during the transition or implementation period that ended on 31 Dec 2020 pursuant to art 127 of the withdrawal agreement.  At the end of the transition period, the GDPR was incorporated into English, Welsh, Scots and Northern Irish law by s.3 (1) of the European Union  (Withdrawal) Act 2018.  Reg 3 and Sched. 1 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 418) amended the provisions of the GDPR that have been incorporated into domestic law.   Reg 4 and Sched 2 of those regulations amended the Data Protection Act 2018.  

Transfer of Data Abroad

A fundamental principle of all data protection laws is that personal data should not be transferred abroad without adequate safeguards for its protection.  Art 44 of the GDPR provides:

"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation."

One of the conditions on which personal data may be transferred overseas is set out in art 45 (1):

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."

The decision of whether a third country provides adequate protection depends on a number of elements set out in art 45 (2).   The Commission has already made an adequacy decision in favour of the UK by its Decision of  26 June 2021 which I discussed in Commission Adequacy Decisions on 29 June 2021.  

Amendments to Art 45

Para 38 (2) of  Sched 1 of  The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 changed art 45 (1) of the GDPR to:

"A transfer of personal data to a third country or an international organisation may take place where it is based on adequacy regulations (see section 17A of the 2018 Act) ”. Such a transfer shall not require any specific authorisation."

Para 38 (3) of that Sched deleted most o the rest of the article.  Para 23 of Sched 2 inserted new sections 17A, 17B and 17C into the Data Protection Act 2018.  Those new sections contain new provisions for determining the adequacy of other countries' protection of personal data.  These include the power to make regulations.    

Para 42  of Sched 2 inserted new sections 74A and 74B into the Data Protection Act 2018,   These provide for the transfer abroad of data not covered by the GDPR in accordance with the above-mentioned regulations.   S.74A (4) of the Act is in substantially the same terms as art 45 (2) of the GDPR.

"Adequacy Partnerships"

The pairing of the noun "partnership" with the adjective "adequacy" suggests that adequacy decisions could depend on reciprocity and commercial advantage rather than the criteria in art 45 (1).   The press release reinforces that impression:

"The government believes it can unlock more trade and innovation by reducing unnecessary barriers and burdens on international data transfers, thereby opening up global markets to UK businesses. In turn this will help give UK customers faster, cheaper and more reliable products and services from around the world."

 Those concerns are at least partially allayed by the "Test for Adequacy" section of the guidance note International data transfers: building trust, delivering growth and firing up innovation published on 26 Aug 2021.  On paper, at least, the test for adequacy is objective and not dissimilar to the test in art 45 (2) of the GDPR. 

Risk of Losing the European Commission Adequacy Finding

A problem of seeking adequacy partnerships with countries operating very different regimes for protecting personal data is that the Commission could revoke its decision on the adequacy of protection in the UK under art 3 (4). That paragraph provides:

"Where the Commission has indications that an adequate level of protection is no longer ensured, the Commission shall inform the competent United Kingdom authorities and may suspend, repeal or amend this Decision."

Such a situation could arise if data were to flow without restriction from the EU to the UK and then from the UK to the USA but not directly from the EU to the  USA.   It would be unfortunate if the UK jeopardized its status in the European Economic Area in a quest for more distant and generally smaller markets overseas. 

Consultation

There is as yet no green paper or consultation on changing the law.   The only indication of what the government has in mind at this stage is that it believes improved data sharing could help deliver more agile, effective and efficient public services and help make the UK a science and technology superpower.   

Further Information

Anyone wishing to discuss this article or data protection generally my call me on 020 7404 5252 during office hours or send me a message through my contact form.

Commission Adequacy Decision

European Commission

Author EmDee Licence CC BY-SA 4.0  Source Wikipedia Commons

 

Jane Lambert

The uninterrupted exchange of personal data across borders is vital for the financial and other service industries. As I noted in Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sept 2017 NIPC Law, it was restrictions on the transfer of personal data from countries that had enacted data protection legislation rather than the Younger and Lindop reports that prompted Parliament to enact the first Data Protection Act in 1984. Until 23:00 on 31 Dec 2020 businesses in the UK could rely on art 1 (3) of the General Data Protection Regulation (Regulation (EU) 2016/679 which provides that the free movement of personal data within the European Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. That was because EU law continued to apply to the UK between 23:00 on 31 Jan and 23:00 on 31 Dec 2020 pursuant to art 127 (1) of the agreement by which the UK withdrew from the EU.

Upon the expiry of that period, the United Kingdom became a "third country" for the purposes of art 44 of the GDPR.  That article provides:

"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."

Art 45 (1), however, provides:

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."

The rest of that article sets out the criteria by which the Commission can make such a decision and the procedure for reaching it.

By a decision dated 28 June 2021 (Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (C(2021) 4800 final)), the Commission has decided that for the purposes of art 45 of the GDPR the UK ensures an adequate level of protection for personal data transferred within the scope of the GDPR from the EU to the UK. The decision consists of 93 pages almost all of which are recitals setting out the Commission's reasons.  The decision on adequacy is contained in art 1 (1).  Art 3 (1) of the Decision requires the Commission to "monitor the application of the legal framework upon which this Decision is based, including the conditions under which onward transfers are carried out, individual rights are exercised and United Kingdom public authorities have access to data transferred on the basis of this Decision, with a view to assessing whether the United Kingdom continues to ensure an adequate level of protection within the meaning of Article 1." The Commission has power under art 3 (4) to suspend, repeal or amend the decision where it has indications that an adequate level of protection is no longer ensured.  It can also suspend, repeal or amend the decision under art 3 (5) if a lack of cooperation of the UK government prevents the Commission from determining whether the finding in art 1 (1) is affected.   The decision shall expire on 27 June 2025, unless extended in accordance with art 93 (2) of the GDPR.

Art 1 (2) of the decision makes clear that it does not cover personal data that is transferred for purposes of UK immigration control or that otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control pursuant to para 4 (1) of Sched. 2 to the Data Protection Act 2018.  Art 2 (2) (d) of the GDPR states that the regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.   Such processing is regulated by the Law Enforcement Directive (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA). 

Art 35 (1) of the directive imposes the following obligation upon EU member states:

"Member States shall provide for any transfer by competent authorities of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation including for onward transfers to another third country or international organisation to take place, subject to compliance with the national provisions adopted pursuant to other provisions of this Directive, only where the conditions laid down in this Chapter are met, namely:
(a) the transfer is necessary for the purposes set out in Article 1 (1);
(b) the personal data are transferred to a controller in a third country or international organisation that is an authority competent for the purposes referred to in Article 1 (1);
(c) where personal data are transmitted or made available from another Member State, that Member State has given its prior authorisation to the transfer in accordance with its national law;
(d) the Commission has adopted an adequacy decision pursuant to Article 36, or, in the absence of such a decision, appropriate safeguards have been provided or exist pursuant to Article 37, or, in the absence of an adequacy decision pursuant to Article 36 and of appropriate safeguards in accordance with Article 37, derogations for specific situations apply pursuant to Article 38; and
(e)  in the case of an onward transfer to another third country or international organisation, the competent authority that carried out the original transfer or another competent authority of the same Member State authorises the onward transfer, after taking into due account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data was originally transferred and the level of personal data protection in the third country or an international organisation to which personal data are onward transferred."

Art 36 of the Law Enforcement Directive is very similar to art 45 of the GDPR.  By Commission Implementing Decision of 28.6.2021 pursuant to Directive (EU), 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (C(2021) 4801 final) the Commission found that the UK ensures an adequate level of protection for personal data transferred from the EU to UK public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties for the purposes of art 36. The decision requires the Commission to monitor the UK government's compliance with the legal framework and enables the Commission to suspend, repeal or amend the decision in the event of non-compliance or non-cooperation.  Subject to that provision, the decision also remains in force until 27 June 2025.

In an ICO statement in response to the EU Commission’s announcement on the approval of the UK’s adequacy, the Information Commissioner said:

“This is a positive result for UK businesses and organisations.
Approved adequacy means that businesses can continue to receive data from the EU without having to ake any changes to their data protection practices.
Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently.
The result is also a testament to the strength of the UK’s data protection regime.”

Anyone wishing to discuss this article or data protection generally my call me on 020 7404 5252 during office hours or send me a message through my contact form.