The DMA has backed the UK’s plans for data protection reform – revealed this morning – including bigger fines for rogue marketers, a soft opt-in for charity emails, relaxing the online cookies law and a shake-up of the Information Commissioner’s Office, although one privacy group has branded the plans “irresponsible”.
The Department for Digital, Culture, Media & Sport (DCMS) has finally published its response to the consultation, “Data: A new direction”, which was launched last September and closed in November.
Most of the original proposals are still there, although there have been slight tweaks including the right for customers to seek a human review of an automated decision that creates a ‘legal’ effect.
It sets out how the Data Reform Bill announced in this year’s Queen’s Speech will strengthen the UK’s high data protection standards while reducing burdens on businesses to deliver what ministers claim will be around £1bn in cost savings that firms can use to grow their business.
According to the Government, since GDPR was implemented in the UK four years ago, many organisations have been held back from using data as dynamically as they could.
Ministers claim a lack of clarity in the legislation has led to an overreliance on ‘box-ticking’ to seek consent from individuals to process their personal data to avoid non-compliance, and maintain that GDPR’s largely one-size-fits-all approach, regardless of the relative risk of an individual organisation’s data processing activities, puts disproportionate burdens on small businesses including startups and scaleups.
This Bill therefore sets out to remove the UK GDPR’s “prescriptive” requirements, which give organisations little flexibility about how they manage data risks – including the need for certain organisations, such as small businesses, to have a data protection officer and to undertake lengthy impact assessments.
Provided small firms can manage risks effectively themselves, they will not have to fill out unnecessary forms where the risk is low, the Government insists.
Organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data. The same data protection standards will remain but organisations will have more flexibility to determine how they meet these standards.
The new Bill will increase fines for nuisance calls and texts and other serious data breaches under the UK’s existing Privacy & Electronic Communications Regulations (PECR), which aim to prevent companies contacting people for marketing purposes without consent.
The fines will increase from the current maximum of £500,000 and be brought in line with current UK GDPR penalties, which are up to four per cent of global turnover or £17.5m, whichever is greater.
Whether they will have better luck recovering these fines, of course, is another matter.
PECR rules will also be updated to cut down on ‘user consent’ pop-ups and banners when browsing the Internet.
Currently, users have to give their consent for cookies to be collected. To do so users have to opt in to cookie collection every time they visit a new site.
The Government’s new opt-out model will heavily reduce the need for users to click through consent banners on every website they visit – meaning that people will see far fewer of the boxes.
Under the new rules Internet users will be better enabled to set an overall approach to how their data is collected and used online – for example via their Internet browser settings – although the Government admits it has yet to determine how.
Before the changes are commenced, the Government says it will work with the industry and the regulator to ensure technology is effective and readily available so people can set their online cookie preferences to opt out via automated means.
Meanwhile, the ICO will be modernised to have a chair, chief executive and a board in line with other UK regulators. Ministers claim the shake-up will give the ICO new objectives allowing Parliament and the public better ability to hold the regulator to account.
Strategic objectives will be set out in the Bill. They will underline the importance of the regulator continuing to uphold data rights and encouraging the responsible use of personal data, but will have greater emphasis on taking into account growth, innovation and competition, DCMS states.
The reforms will introduce a new process for how the ICO develops statutory codes and guidance, which share best practices for organisations using, sharing or storing personal data in specific instances, such as protecting children’s data online.
The ICO will be required to set up a panel of experts in relevant fields when developing each piece of statutory guidance. Contentiously, the Secretary of State will also need to approve ICO statutory codes and guidance before they are presented to Parliament.
The data reforms will also support the Government’s plans to strike new data partnerships with countries outside of the EU, allowing international data transfers which a number of technologies rely on, such as GPS navigation, smart home technology and content streaming services.
The Government’s International Data Transfer Expert Council, made up of experts on data, will play a major role helping the UK unlock the benefits of free and secure cross-border data flows, ministers claim.
The group, which combines academics, organisations such as the World Economic Forum and the Future of Privacy Forum, alongside digital industry figures including Google, Mastercard and Microsoft, “will be empowered to remove barriers to data flows and ensure services from smart devices to online banking can be provided more reliably, cheaply and securely”.
Information Commissioner John Edwards said: “I share and support the ambition of these reforms. I am pleased to see the Government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society.
“The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.”
The DMA said it also supports many of the proposed legislative amendments, insisting they will establish a better balance between data-driven innovation, economic growth, and privacy protections across the UK.
DMA chief executive Chris Combemale commented: “A number of issues that the DMA community highlighted in our consultation response have been addressed by the government, which will enable further innovation in customer engagement, especially for charity fundraising.
“However, not every recommendation made by our member organisations has been adopted, so we will continue to seek greater clarity in the final legislative texts around the use of legitimate interests, particularly by giving legal certainty to Recital 47 (legitimate interests).”
Even so, Mariano delli Santi, data protection campaigner at Open Rights Group, called the proposals “irresponsible”. He told IT Pro: “They risk leading to a massive and expensive rupture with the EU, making data transfers costly for UK businesses, costing jobs during an economic downturn.”