GDPR: The Brexit Bonfire of the Regulations Begins?

Brexit has long been framed as an opportunity for the UK government to commence a “bonfire of the regulations” that would enhance its ability to pursue its own interests free from the EU orbit. Lighting the touchpaper in spectacular style are recently announced plans to completely overhaul UK data protection law. 

Data protection practitioners will still be wading through the weighty tome that was the 146-page consultation document published on 10 September, but one thing is abundantly clear: if even a fraction of the reforms proposed come to pass, the new regime will represent a chasm opening up between the UK and the EU on data protection principles and practices. 

The government believes that the reforms will result in a net direct monetised benefit to the UK of £1 billion over 10 years through unlocking research and innovation, and lightening the compliance load currently borne by businesses – a figure it says takes account of any changes to its EU adequacy status which may result. Given the uncertainty surrounding the UK obtaining post-Brexit adequacy in the first place, and the rhetoric coming out of Brussels, a continuation of the status quo ante seems optimistic indeed. This, however, is just one facet to the seismic changes to the UK regime that are now under consultation until November 19 2021.

The mood music of the reforms seems to be very much a pivot towards the interests of business (and government, law enforcement, research organisation and more) and away from the primacy of the individual to control how their personal data is used. And, while many of the changes are touted as being for the oblique benefit of consumers (such as tackling “consent fatigue”), there is plenty to alarm privacy advocates if the more extreme changes are enacted. These are, however, just proposals at present. 

Here are some of the most eye-catching:

Tipping the balance on legitimate interests: this most nebulous of legal bases for processing could be in for a real shake-up on a number of fronts, with the government considering a list of legitimate interests that organisations could rely on without having to undertake a balancing test (in the style of Singapore’s regime). These could include analytics cookies and processing used for eradicating bias in AI systems.

Far-reaching research liberalisation: data protection in the research context is a notorious minefield, particularly because the purpose of research can often become apparent only after data has been collected. Here, the proposals include loosening further processing rules and allowing broad-based consent from data subjects, but also a clearer definition of what constitutes “scientific research” which may be painful for those which have been relying on this rather tenuously hitherto.

An AI greenlight: Article 22 GDPR currently gives data subjects the right not to be subjected to solely automated processing with legal or similarly significant effects on them. That right might be swept away when public or legitimate interests are seen to take precedence over those of the individual. Closely related are proposals that controllers should be able to use AI and machine learning “more freely” for testing and training purposes, with the level of regard for “fairness” dialled down.

An end to agonising over anonymity: much ink has been split over when data becomes truly anonymous and is thus taken out of GDPR scope, and a niche industry has sprung up to help organisations tackle this technologically. This agonising might be coming to an end if, as proposed, the anonymity test becomes a question of whether the data controller themselves can re-identify data.

More free passes on data breaches: in what would likely be a real boon to the overburdened Information Commissioner’s Office as well as businesses, the government suggests raising the bar for data breaches so that only “material” risks to individuals warrants notification.

Doing away with DPOs and DPIAs: a dearth of expertise (and high remuneration) has meant that organisations have struggled to recruit Data Protection Officers. Instead, the government is considering individuals or groups taking responsibility for “privacy management programmes” that are more risk based. To reduce the burden on business, Data Protection Impact Assessments may also be on the chopping block – a move which the government concedes would reduce current safeguards but believes privacy management programmes could compensate for.

Denial of DSARs: it is proposed that the UK revert to its pre-GDPR regime and allow for fees to be charged for Data Subject Access Requests to be carried out. While organisations rightly complain that DSARs are a significant burden and no doubt vexatious requests do occur, this change really would shift the balance of power away from the individual and – quite disturbingly – make control of one’s personal data the preserve of those who can pay. 

Where next?

The prospect of a data protection regime change has been welcomed vociferously in the corridors of power as an opportunity for the UK to seize data-driven economic growth. However, the government faces a mountain of legislation to make over and a doubtlessly a monumental amount of pushback from privacy rights advocacy groups, concerned consumers and, naturally, the EU (although a cynic might say that the Bloc would delight in revoking the UK’s adequacy statement less than a year after it was granted). The only certainty is that there are some very choppy data protection waters to navigate ahead, particularly for organisations which also have to comply with less accommodative regimes.

It is easy to understand the government’s reasoning on this matter, but it is also easy to see how these regulatory pyrotechnics could spectacularly backfire. It is not often that data protection makes front page news currently, but that could all be about to change.