Proposed UK data protection reforms aim to reduce compliance burden

Ken Saurajen, Lyndal Sivell
24 Jun 2022

The UK Government's proposed reforms to privacy and data protection laws suggest a desire to relax the compliance burden on businesses. However, it is unclear whether this will present any tangible benefit for Australian businesses operating across multiple jurisdictions.

The UK Government has signalled its intention to diverge from the EU's approach to data protection as embodied in the General Data Protection Regulation (GDPR), and reduce the compliance burden on businesses.

In its 17 June response to its consultation on privacy and data protection reforms and its proposed upcoming Data Reform Bill (the Response), the Government indicated it would look to adopt a more outcomes-driven approach to data protection than that embodied in the principles-based (and arguably more complex) EU GDPR and UK GDPR.

Data critical in the digital economy

The Government's Response emphasises how critically important data is to consumers and businesses: particularly for the latter in how they can use data to improve their operations and services. The Response identifies that data-driven trade generated nearly three quarters of the UK's total services exports and generated an estimated £234 billion for the UK economy in 2019.

Beyond box-ticking to a more flexible approach

The Response contends that the lack of clarity in the GDPR has led businesses to over-rely on "box-ticking" consent from individuals to process their personal information, in order to avoid non-compliance. It argues that the largely one-size-fits-all approach, applied regardless of the relative risk of an organisation's data processing activities, places a disproportionate burden on small businesses, including start-ups and scale-ups.

The proposed Data Reform Bill, if made law, will remove the UK GDPR's prescriptive requirements (such as the need for small businesses to have a Data Protection Officer and to undertake impact assessments) and will give organisations greater flexibility in how they manage data risks.

However, the Response reiterates that organisations will still be required to have a privacy management program and to ensure that they are accountable for how they process personal information.

Sensitive data processing for monitoring and correcting bias in AI systems

During the consultation process, the UK Government sought views on whether processing personal information for the purpose of mitigating bias in AI systems should be included in the list of legitimate interests that organisations can rely on to carry out data processing, without imposing what is known as the "balancing test". That test requires an organisation to take into account the interests or fundamental rights and freedoms of the data subject, and confirm that these interests do not override the organisation's interests in processing that personal information.

The Response concludes (based on the outcome of the consultation process) that additional legal clarity on this point is required. On that basis, the Government plans to introduce a new condition to Schedule 1 of the UK's Data Protection Act 2018 to enable the processing of sensitive personal information for the purpose of monitoring and correcting bias in AI systems. The Response notes that the new condition will be subject to appropriate safeguards, such as limitations on re-use and the implementation of security and privacy preserving measures when processing for this purpose.

Bye, bye cookie consents

The Response also flags that the UK's Privacy and Electronic Communications Regulations will be updated to cut down on cookie consent pop-ups and banners. The proposed new opt-out model seeks to reduce the need for users to click through consent pop-ups and banners on every website, and instead elect for a uniform approach to how their data is collected and used online, such as through their internet browser settings. Time will tell if this will be readily available from a technical perspective.

Australia gets a mention

The announcement accompanying the Response sets out the UK Government's ambitions to strike new data partnerships with economies it considers significant, and to improve international data transfers. It specifically calls out its work on striking data adequacy deals with priority countries including Australia and the US.

The implications for Australia and globally

While many UK businesses will likely be celebrating the proposed reforms, Australian businesses with UK operations or reach will need to give them careful consideration, alongside other privacy and data protection compliance requirements.

In particular, Australian businesses should consider how they can incorporate the more flexible approach provided for in these reforms into their data protection compliance programs, alongside their existing EU GDPR requirements. It may make sense for certain data flows to be adjusted to take advantage of these benefits, or simply to adopt a 'highest standard' across-the-board compliance approach. There will no doubt be some permutations to this, particularly if the UK and Australia reach some form of consensus on adequacy.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.