The final response to the data reform consultation was published by the UK government.
It appears that it has stepped away from some of the more extreme reforms it had been tossing around, such as removing the right for human review of automated/AI decisions.
There are a lot of potentially wide-ranging amendments being announced in this package, such as a switch to an opt-out model for most online tracking, which the government is spinning as an end to cookie consent pop-ups.
The Online Safety Bill is currently making its way through parliament and is set to dramatically ramp up compliance demands for all sorts of businesses. It pays to keep the bigger picture in mind as the government tries to convince the public that the new data laws will give British businesses a boost.
There is a lot of British red tape coming for your digital operations.
The upcoming Data Reform Bill will include amendments to rules around data use for scientific research, which will simplify the legal requirements for this type of processing. There is a machine learning medical research project that has been undertaken under existing UK data rules.
According to the Department for Digital, Media, Culture and Sport, the Data Reform Bill will give scientists clarity about when they can get user consent to collect or use data for broad research purposes. They don't have to finish their research project before collecting data. Scientists will be able to rely on the consent a person gives for their data to be used for cancer research as opposed to a particular cancer study.
Changes will be made to how businesses can use personal data, including removing the need for smaller entities to have a data protection officer, as well as undertaking data impact assessments to evaluate risks to potential uses for personal data.
Deregulatory changes to the UK's data protection regime are projected to save businesses more than $1 billion over the next decade.
The current EU framework is hamstrung by being "largely one-size-fits-all", which it suggests is disadvantageous for malls. The reform talks about moving to an outcomes based compliance regime.
The DCMS says that the new data protection rules will be focused on outcomes.
Organisations will still have to have a privacy management programme to make sure they are accountable for how they process personal data The same high data protection standards will still be in place, but there will be more flexibility in how they are met.
The devil will be in the details of what these reforms look like. We don't have full detail as that would require sight of the planned legislation which is pending the government publishing a draft bill. The data reform bill will be introduced in the current parliament.
The proposed changes to consent for cookies, which target the universally hated cookie pop-up plague, are the subject of a consultation.
The government plans to use an opt-out model of consent for cookies in the future. The website must give clear information about how to opt out if cookies can be set without consent. The government's ambition to improve the user experience and remove the need for cookie consent banners would be made possible by this. The opt-out model doesn't apply to websites that are likely to be accessed by kids.
The government wants web browsers and websites to make a do-not-track signal.
Users value privacy and want control over how their data is used, according to responses to the government. The government will work with industry and the regulators on browser-based solutions that will help people manage their cookie and opt-out preferences. The government will take forward proposals that require websites to respect automated signals emitted by these technologies, and will move to an opt out model of consent for cookies only when the government assesses these solutions are widely available for use.
Legislation to switch the UK to an opt-out for online tracking won't take place until the necessary browser-based technology is available so people can set their online cookie preferences to opt out via automated means, according to DCMS.
The original 'Do Not Track' proposal, to offer a convenient, browser-based opt-out from online tracking, dates back to 2009, but still hasn't been delivered on.
British exceptionalism can make it happen for the small island internet. Full marks for enthusiasm, that's all.
The Information Commission's Office is the UK's data protection regulators.
The press release couches the plan as a "modernization" of the Office to make sure it remains an internationally renowned Regulator.
The Secretary of State will be required to approve the statutory codes and guidance before they are presented to parliament.
The first big test for the UK's data reform package probably won't be public opinion, given that data processing is an inherently complicated and abstract topic, and the government is front-loading its PR around the bill with populist talk of killing cookie pop-ups and
What the EU will do in response will be the biggest test. As it allows the smooth in-flow of personal data from the bloc, the UK's precariousadequacy status will be at risk if the government is not careful. If the UK were to leave the EU, it would cost businesses more than $1 billion.
The DCMS has attached to the reforms all the red tape savings they can get from a loss of EU adequacy.
The reform talks about "empowering international trade" by striking new "data partnerships" with priority countries including the United States, Australia, the Republic of Korea and Singapore.
It writes that the data reforms will support the UK government's ambitions to strike new data partnerships with important economies and improve international data transfers.
The group will be able to remove barriers to data flows and ensure services from smart devices to online banking can be provided more reliably.
The government plans to clarify rules on police use ofbiometrics in order to promote high standards and best practice in the responsible and effective use of new technologies.
Despite the majority of responses to the government consultation backing a proposal to introduce compulsory transparency reporting on the use of algorithms in decision-making for public sector bodies, it has decided not to move forward at this time.
The government isn't doing anything on this issue. DCMS believes that transparency standard work is too early to legislate. It claims that it will explore policy enforcement options in the future and that it will continue pilots of the standard.
Nadine Dorries is the digital secretary.
“Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower. Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.
Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.”
The UK's information commissioner gave a cautious assessment of what the reforms would mean in practice.
“I share and support the ambition of these reforms. I am pleased to see the government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.
“We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill.”
UN warns over human rights impact of a ‘digital welfare state’
UK gets data flows deal from EU — for now