24 Nov 2021

Reforming the UK GDPR while preserving adequacy

Executive summary

DIGITALEUROPE welcomes the comprehensive reflection initiated by the UK government around possible future reforms of the UK data protection framework.[1] The consultation document elaborates on many areas that have emerged as central to a successful implementation of the General Data Protection Regulation (GDPR), including its UK version.[2]

Pivotal to any future reforms of the UK framework must be a consideration as to whether the proposed reforms would endanger the continued existence of an adequacy finding from the European Commission.

An adequacy decision does not require a word-by-word replica of EU provisions, the test being instead that of ‘essential equivalence.’ In this context, UK reforms should focus on preserving the central tenets of the GDPR and clarifying those aspects that have proved more difficult in Member States’ implementation as well as in data protection authorities’ interpretation of the text. These areas include central definitions such as research, the applicability of existing legal bases such as legitimate interest and concepts such as anonymisation.

By contrast, we urge great caution on elements where divergence may cause a fundamental reconsideration of the EU’s assessment of the UK system. Any perceived benefits from increased flexibility in these areas would be outweighed by the likely loss of adequacy status, whose preservation is paramount given the UK’s reliance on trade with the EU.

Areas where we urge a reconsideration of the proposals pertain, in particular, to rules that will impact onward transfers, the ICO’s independence and the accountability framework.

 


Introduction

DIGITALEUROPE represents the digital technology industry in Europe. Our members include some of the world’s largest IT, telecoms and consumer electronics companies and national associations from every part of Europe, including the UK. DIGITALEUROPE wants businesses to benefit fully from digital technologies and from the trusted free flow of data.

The future EU-UK relationship depends greatly on the continued free flow of personal data, for businesses themselves and for the economic benefits these businesses generate. With six in every ten European companies regularly engaged in the transfer of data across the Channel as part of their business operations in a range of sectors, be it finance, manufacturing or retail,[3] the importance of maintaining data adequacy and the free flow of personal data for European and British businesses is well understood by stakeholders on both sides.

Last May, we published our legal analysis[4] in support of an adequacy decision and welcomed its swift approval thanks to the UK’s strong and continued commitment to ensuring high standards of data protection. We gladly note that the proposed reforms remain firmly grounded in this approach.

For any reform of the UK’s data protection regime to be successful, however, it is important to clearly identify what elements of the GDPR can be safely modified and, on the other hand, what proposed modifications may lead to a negative reassessment of the EU’s adequacy decision.

 


A flexible approach grounded in the GDPR

Building on the recognition that the UK system currently delivers the required level of protection thanks to effective implementation, supervision and enforcement of data protection rights, the UK’s data reform consultation lays out several proposals of areas where the GDPR allows for more flexibility.

These proposed changes could clarify uncertain interpretations of the text and contribute to a more competitive economy that continues to respect the essence of data protection rights. We welcome further flexibility proposed in the review in the following areas:

  • Research: We support the aim of further clarifying the conditions around data processing for research purposes. Clearer definitions and guidance as to how data can be used by researchers could significantly increase the attractiveness of conducting research, thus promoting innovation. Of note, the creation of a statutory definition of ‘scientific research’ may lead to greater certainty surrounding which purposes are covered. In this context, a more explicit articulation of the broad interpretation already contained in Recital 159 GDPR, including the role played by industry, would be beneficial.[5] This could be accompanied by a more explicit recognition of appropriate safeguards, including not only security but also contractual measures.
  • Legitimate interest: We agree with the suggested approach to providing greater clarity as to what can be considered as a legitimate interest by expanding the list of examples in the text of the law.[6] A list of legitimate interests for which organisations can use personal data without having to apply a balancing test, because such legitimate interest can most logically be presumed, would help clarify the important role that this legal basis plays in ensuring worthy processing operations can take place without undue burden.[7] This can also include sensitive data, subject to appropriate safeguards.
  • Anonymous data and anonymisation: Clarification as to the test for when data can be reasonably considered anonymous, and processing therefore does not impact data subject rights, would be hugely beneficial. At the same time, it is important that this test prioritise a flexible definition. We would welcome both clear guidance on how to anonymise data and practical examples of cases when data may be considered anonymous, for instance within health-related datasets.[8]

 


Areas of concern for maintaining adequacy

Beyond proposals that aim for further flexibility while remaining aligned with the GDPR, we also note areas of concern where a more cautious approach is necessary.

In particular, pursuing the following proposals could go to the core of the EU’s adequacy assessment and cause a negative review of the European Commission’s adequacy decision:

  • International transfers: The UK currently holds an internationally recognised high standard for data protection. A robust process for adequacy assessment is key for the UK to maintain its status as a trusted jurisdiction and international partner and as a hub for international data flows. The EU has already voiced concerns over the potential of the UK becoming a conduit for the onward transfer of data from the UK to third countries. Proposals aiming to subject onward transfers from the UK to the rest of the world to a considerably lower standard than that mandated under the GDPR can safely be expected to be a central consideration in a possible negative revision of the EU’s adequacy decision.
  • The role of the ICO: Requiring the ICO to align its international work to UK government policy will be perceived as negatively affecting the ICO’s independence. The proposed introduction of a statement of ICO priorities by the Secretary of State would compromise the ICO’s independence through what could be perceived as a government mandate. The presence of an independent enforcer is a precondition of effective protection in adequacy determinations.[9] In addition to EU adequacy, this may harm the ICO’s standing as it seeks to take part in global data flows discussions.
  • Accountability: Facilitating compliance while reducing obligations on organisations that only serve the purpose of fulfilling a legal obligation, but do not contribute to better protection, is an important objective that we welcome in the review. Despite this, it must be considered that companies have already undergone significant effort in adapting to and complying with data protection requirements, and any major readjustments are likely to incur further cost. Most importantly, the complete removal of central GDPR obligations such as the appointment of data protection officers, data protection impact assessments or breach notification may very negatively impact a future adequacy review. We also note that concerns around facilitating compliance can be addressed by means of adequate ICO guidance[10] and by making better use of instruments such as codes of conduct and certification that are already contained in the GDPR.[11]
  • Legitimate interest: While we largely support the proposal to expand on the list of processing purposes that can be presumed as legitimate interest, it is important to ensure alignment with the notion and purpose of this legal basis in the current GDPR text. Any major divergence may negatively impact organisations that already rely on this legal basis under the GDPR. We note that the list of suggested legitimate interests currently adheres to this approach and urge that such alignment should be maintained.
  • AI and machine learning: We support the focus given to AI and machine learning in the data protection review, particularly as to how a lack of clarity around the concept of fairness may negatively impact the development of AI systems. However, we urge that the horizontal nature of the GDPR be maintained and that any improvements to the UK framework should be directed at clarifying central aspects around definitions and the applicability of legal bases, as opposed to creating new ad hoc provisions such as specific transparency reporting.[12]

 


References

[1] https://www.gov.uk/government/consultations/data-a-new-direction

[2] For our comprehensive analysis of some of the criticalities around GDPR implementation, see Two years of GDPR: A report from the digital industry, available at https://www.digitaleurope.org/wp/wp-content/uploads/2020/06/DIGITALEUROPE_Two-years-of-GDPR_A-report-from-the-digital-industry.pdf

[3] See our Schrems II Impact Survey Report, available at https://www.digitaleurope.org/resources/schrems-ii-impact-survey-report/

[4] EU-UK data transfers – a legal analysis supporting a swift adequacy decision, available at https://www.digitaleurope.org/resources/eu-uk-data-transfers-a-legal-analysis-supporting-a-swift-adequacy-decision/

[5] See our recent paper Making the most of the GDPR to advance health research, available at https://www.digitaleurope.org/wp/wp-content/uploads/2021/06/Making-the-most-of-the-GDPR-to-advance-health-research_DIGITALEUROPE.pdf

[6] Note that examples where legitimate interest can be presumed are already present in Recitals 47-49 GDPR, and an expanded list contained in normative provisions is perfectly in line with the current GDPR approach.

[7] On legitimate interest, see in particular our Response to EDPB consultation on video devices, pp. 4-5, available at https://www.digitaleurope.org/wp/wp-content/uploads/2019/09/DIGITALEUROPE-response-to-EDPB-consultation-on-video-devices.pdf

[8] In addition to our paper mentioned in footnote 3, see our Response to EDPB draft Guidelines on connected vehicles and mobility-related applications, pp. 3-4, available at https://www.digitaleurope.org/wp/wp-content/uploads/2020/05/DIGITALEUROPE-Response-to-EDPB-draft-guidelines-on-connected-vehicles-and-mobility-related-applications-542020.pdf

[9] See notably Recital 104 and Art. 45(2)(b) GDPR.

[10] https://ico.org.uk/for-organisations/accountability-framework/

[11] See our Response to public consultation on draft EDPB Guidelines on codes of conduct and monitoring bodies, available at https://www.digitaleurope.org/wp/wp-content/uploads/2019/04/DIGITALEUROPE-response-to-draft-EDPB-guidelines-on-codes-of-conduct-and-monitoring-bodies.pdf, and DIGITALEUROPE response to EDPB consultation on draft guidelines on certification, available at https://www.digitaleurope.org/wp/wp-content/uploads/2019/01/DIGITALEUROPE%20response%20to%20EDPB%20consultation%20on%20draft%20guidelines%20on%20certification.pdf

[12] As proposed in Section 4.4 of the consultation document.

For more information, please contact:
Alberto Di Felice
Policy and Legal Counsel
Luke Makris
Manager for Member State Outreach