Our overall view is that the success of the proposed reform to the current regime lies in the UK government’s ability to strike the right balance between a progressive and realistic new framework, and the need for consistency with the global approach to the protection of privacy and personal data. We believe that this objective is possible and that the UK has an influential role to play in this respect.
The key points made in our response are as follows:
- We support the UK government’s efforts to encourage greater innovation, through making specific and targeted changes to data protection law, including with respect to the processing of personal data for scientific research and development purposes.
- The introduction of a set of purposes which are automatically assumed to be within the legitimate interests of a controller has the potential to be helpful. We have also suggested a number of additional purposes for inclusion in this list.
- While it is important that outcome fairness in an AI context is addressed through regulatory reform, there are a number of drawbacks to relying on the UK GDPR as the basis for introducing these obligations, compared with introducing separate, dedicated legislation.
- The current rules governing solely automated decision-making are too prescriptive and could be reformed by removing certain restrictions on the use of these technologies and requiring better oversight, while protecting the existing rights afforded to data subjects.
- Introducing a statutory definition of ‘anonymisation’ is a sensible proposal and would provide much-needed clarity. Incentives should also be provided for organisations to proactively adopt privacy-enhancing technologies.
- There is a risk that the proposal to replace the existing accountability framework could be perceived within the EU’s institutions as the UK seeking to lower standards. This could be a factor in the European Commission’s determination of whether to renew the UK’s adequacy status in 2025, and the government should take this risk into account.
- In relation to cookies, there is a clear need for the current rules to be reformed so that they are more risk-based and proportionate and incentivise privacy-enhancing solutions, rather than imposing overly prescriptive consent requirements. However, moving away from a consent-led approach to cookies is inherently complex and needs to be seen as an iterative process, as opposed to a revolution. There are various immediate changes that could be made to help achieve this.
- We agree that the current approach to adequacy assessments for international transfers of personal data can be overly prescriptive and inflexible, and the objective should be to increase the free flow of personal data across borders. Therefore, we encourage the UK government and ICO to work with other countries in developing a more risk-based and outcomes-led approach to adequacy decisions.
- With regard to international data transfer mechanisms, it is paramount that the UK government explores opportunities to collaborate with other governments across the world to develop more consistent global standards for facilitating the free flow of personal data.