Insights Information Commissioner’s Office publishes response to Government consultation on reforms to the UK’s data protection regime: “Data: a new direction”


The ICO stresses the importance of data protection legislation, calling it “vital”. It says that it is looking to Government to ensure that any changes designed to further support economic growth:

  • retain high standards of protection for people’s personal data;
  • make sure people’s data is used in ways that benefit rather than harm them; and
  • make sure people can easily exercise their rights.

Enabling social and economic benefits.

The ICO welcomes the Government’s proposals to:

  • make it easier to use, share and repurpose data for research;
  • introduce a statutory requirement for the ICO to have regard to principles including economic growth and competition; and
  • introduce a statutory requirement for the ICO to have regard to public safety.

Ensuring that the changes deliver for people

The ICO says that it is “critical” that the Government clearly and unambiguously sets out how its proposals would deliver for people, not just businesses and society as a whole. The ICO welcomes those proposals that will enhance protections and control for people, particularly on cookies and nuisance calls. However, it encourages Government to go further.

On removing cookie pop-ups, the ICO agrees with the Government that the current approach does not work. It also agrees with the Government’s proposal to use a browser- and non-browser based solution so that people only have to say once how their data should be used. However, to be effective there would need to be an international mechanism for requiring organisations to respect these preferences, with appropriate sanctions where that is not the case. The ICO also recommends that the Government considers the pros and cons of legislating against the use of cookie walls, where people have to “accept” being tracked as the price they pay for being allowed to access and use an online service.

As for unsolicited direct marketing and fraudulent calls, the ICO is pleased that the National Data Strategy is paving the way for changes to give the ICO more powers to tackle the problem, such as increasing fines and powers to carry out on-site audits. However, the ICO says more can be done and wants discussions with Government about the potential benefits and costs of aligning the whole of the enforcement toolkit under the Privacy and Electronic Communications Regulations 2003 (PECR) with that of the Data Protection Act 2018, which would include issuing fines equivalent to those it can impose under the UK GDPR.

The ICO is less in agreement with the Government on the remainder of the proposals in this area and says that more work needs to be done. In particular, the ICO has concerns over proposals to:

  • remove the requirement to consider whether the legitimate interests being pursued by an organisation or third party when processing data are outweighed by the impact on the fundamental rights and freedoms of individuals;
  • clarify the scope and substance of “fairness” in the data protection regime as applied to the development and deployment of AI systems;
  • remove the right to a human review of automated decision-making;
  • make changes to subject access requests;
  • remove the requirement of prior consultation with the ICO on high-risk data processing by companies; and
  • allow greater re-use or re-purposing of data.

Ensuring organisations are accountable

The ICO welcomes proposals to:

  • explore options that would better support certifications as an alternative transfer mechanism;
  • require an organisation to try and resolve complaints before being referred to the regulator; and
  • introduce a proportionate requirement for organisations to report on the nature and volume of complaints they receive.

However, on the proposal to introduce risk-based privacy management programmes (PMPs), the ICO says that more work is required to demonstrate the additional value that PMPs would deliver.

The ICO does not agree with removing the requirement to appoint a data protection officer (DPO), although it agrees that the current requirements are overly prescriptive. Given that DPOs bring significant experience and professionalism to data protection compliance, the ICO would like to see the role developed and supported.

As for the proposal to remove the requirement to conduct a data protection impact assessment (DPIA), the ICO agrees that there is scope for more flexibility about the form DPIAs take, but stresses that it is important that such action does not result in a reduction in the robustness or quality of the assessments.

The UK’s international role

The ICO says that it is important that the UK’s data protection framework continues to be aligned with the wider international move towards locking in high standards of data protection, such as those set out in Convention 108+.

The ICO says that it is important that any reforms on international data transfers ensure that organisations are able to employ risk-based, practical approaches to balancing the need for real-time data flows with the public’s expectation that their data is protected to a sufficiently high standard.

Maintaining an effective and independent regulator

The ICO welcomes proposals to strengthen its supervision and enforcement powers and it supports clear statutory objectives for the ICO and a clear parliamentary articulation of the ICO’s regulatory framework. However, it thinks that some of the proposals risk undermining its independence, e.g. giving the Secretary of State the power to approve or reject codes of practice and complex or novel guidance, and appointing a Chief Executive, which the ICO says should be done by the ICO Chair and Board, as is the case for other independent UK regulators. To read the ICO’s response in full, click here.