.svg)
The UK government has unveiled plans to water down the provisions of the UK GDPR, the country's version of the EU General Data Protection Regulation. In doing so, it is raising the possibility that the EU will cease to regard its regime as "adequate", which in turn might interrupt the easy flow of personal data between the UK and the EU.
The UK, for its part, has provisionally recognised the data protection regimes of countries in the European Economic Area (EEA), which includes the EU, as "adequate". Over the coming years it will assess them for "adequacy" fully.
The government's proposals for reform take the form of a consultative exercise. The public can send in replies until November 19.
In the document, Oliver Dowden MP, the secretary of state for digital, culture, media and sport, describes his plans as "bold" and the existing EU-inspired regime as "unnecessarily complex or vague" in parts.
Ouliana Smith, VIXIO's data protection expert, said: "It looks as though this might be influenced by the independent Taskforce on Innovation, Growth and Regulatory Reform report.
"GDPR is centred around the principle of data being owned by citizens requiring organisations generally to obtain a person’s consent to process their data. This hinders competition due to being ‘prescriptive, inflexible and onerous’ for businesses and consumers alike. Reforming GDPR by lifting these compliance requirements, especially for small-to-medium enterprises (SMEs), could accelerate growth in the digital economy.
"The report outlined the view that the regulation is outdated given the current developments in Artificial Intelligence (AI) and data requirements necessary to enable it. Therefore, the UK should use an approach to data based more in common law, so it can be adapted to new and evolving technologies such as AI and blockchain."
The report recommends the removal of Article 22 (which deals with automated individual decision-making, including profiling) from the GDPR. This, indeed, is the government's suggestion in its reform proposal.
A removal of barriers
Chapter 1 of the proposing document envisages the tearing down of various barriers to the use of personal data. The government makes much of ambiguities in the legislative design of the existing regime. The UK GDPR incorporates a large number of recitals that explain its articles. The government proposes to transfer some of them into those articles.
When it comes to scientific or historical or statistical research, the government proposes to make it easier for researchers to re-use personal datasets for different research projects and to retain personal datasets. Article 89(1) of the UK GDPR applies. The government wants to know how best to amend it.
The government proposes to define “scientific research” more clearly and wants to make it explicit that university research projects can claim that they are performing tasks in the public interest (Article 6(1)(e)) as a lawful ground for processing personal data. It also proposes the re-use (further processing) of personal data, i.e. for a separate purpose to that for which it was first collected.
The UK GDPR states that personal data shall be collected for specified purposes and not further processed in a manner that is incompatible with those purposes. It wants to broaden the meaning of “compatibility”, which is mentioned in Article 6(4) of the UK GDPR.
The government has detected three areas of uncertainty here: (a) when somebody might re-use personal data for a new purpose; (b) when a different controller than the original might re-use it; and (c) “when further processing is taking place, and whether the original lawful ground may be relied on, when personal data is re-used”.
It therefore asks: “To what extent do you agree that the government should seek to clarify in the legislative text itself that further processing may be lawful when it is a) compatible or b) incompatible but based on a law that safeguards an important public interest?”
The need for consent
The government believes that firms spend too much time trying to gain consent from data subjects (which they can withdraw at any time) to use their data. Consent, however, is only one of six grounds on which data controllers can use data, another one being their own "legitimate interests". If some organisation wants to rely on this as a lawful ground, the UK GDPR requires it to show that the processing is necessary and to keep evidence that its interests outweigh the rights of data subjects.
When a firm tries to work out whether its interests outweigh the rights of individuals, this is referred to as the balancing test. The government believes that it causes data controllers more uncertainty than anything else.
The government, therefore, proposes to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test, the better to allow them to process more personal data without any unnecessary recourse to consent.
Out of the proposal’s 146 pages, 20 are dedicated to artificial intelligence (AI) and machine learning, a vital area for payment firms in the years ahead.
Better regulatory oversight?
The government is proposing to reform the Information Commissioner’s Office (ICO). It wishes to stop the ICO from having to handle a high volume of low-level complaints and instead "address the most serious threats to public trust and inappropriate barriers to responsible data use".
Cracked crystal gazing
Whatever happens at the European Commission, the government believes that its reforms will, if enacted, earn the UK an extra £1.04bn over ten years. If the EU keeps regarding the UK as "adequate", the government expects this to rise to £1.45bn.
In turn, it is proposing to change the way in which it decides whether other countries regimes are "adequate" for UK purposes.
The government has made some tentative calculations about the costs that these reforms might impose on businesses. These will not fall equally everywhere but it hopes that small businesses "will benefit proportionately".
ATMs – but not as we know them
The "analysis" document makes no mention of payments. Note 68 does say that "any future change to the UK’s adequacy status would directly affect UK organisations transferring personal data from the European Economic Area (EEA), through the potential impact on trade and the cost of using ATMs", but in this case ATMs mean alternative transfer mechanisms.
The document does not explain the term ATM, but it does give examples of ATMs and these are alternatives to the unfettered transfers that require no specific authorisation that take place between the UK and EU today.
Article 45 of the GDPR dictates that personal data transfers from the EEA to the UK will only be permissible through ATMs in the absence of an adequacy decision. These ATMs include standard contractual clauses (SCCs), the most commonly used mechanism for the transfer of personal data in such circumstances. Both parties to a transfer have to sign them.
Then there are ad-hoc contractual clauses, which both countries' data protection authorities have to approve. These are rarely used and unlikely to be used much in an "inadequate" scenario.
There are also approved codes of conduct or approved certification mechanisms. Approved binding corporate rules (BCRs) may be used as well if the transfers are happening between parts of a corporate group. These are costly but they make life simpler if the transfers are continuous, which is why only a small number of large businesses use them.
