The UK government has published its plans for reforming local data protection law which includes removing the requirement for consent for all website cookies – akin to the situation across much of the US.
Also notable is the removal of the requirement for a Data Protection Impact Assessment, as well as a new political direction over the Information Commissioner’s Office.
However, Nadine Dorries, the minister for the Department of Digital, Media, Culture and Sport, rejected controversial proposals to remove the right to challenge automated decision-making. Privacy campaigners had said the proposals were “irresponsible” and would make it harder for people to “challenge the government or corporations.”
Meanwhile, one legal firm welcomed the response as the “incremental reform of the current framework” — rather than an entirely new approach to data rights.
What exactly is being proposed for cookies?
UK rules on website and app cookie consent are set to change if these proposals move forward. The government plans new laws to remove the need for websites to display cookie banners to UK residents, permitting cookies and similar technologies to be placed on a user’s device without explicit consent.
The proposals — which also apply to apps on smartphones, tablets, smart TVs or other connected devices — advocate “browser-based and similar solutions that will help people manage their cookie and opt out preferences.”
However, websites must give the web user clear information about how to opt out of having cookies set.
“The government will work with the industry and the regulator to ensure technology is effective and readily available so people can set their online cookie preferences to opt-out via automated means,” the proposals said.
How will it protect users from tracking?
Peter Church, counsel in law firm Linklaters’ global data team, said: “The reform of cookie laws is also long overdue given the widespread annoyance caused by cookie pop-ups. However, it’s not clear how the new regime will adequately protect individuals from excessive and intrusive internet tracking.”
Elsewhere, the government has rejected proposals to remove the right for individuals to challenge automated decisions made about them, a right enshrined in the EU GDPR, a piece of legislation the government had promised to move away from after Brexit.
“Our proposals retain human review as currently required under Article 22, but will ensure that a data subject has access to clearer safeguards for any significant decision made without meaningful human involvement, potentially to include a justification of how a decision is reached which may enable a data subject to more easily identify how protected characteristics have been factored into a decision,” the proposals said.
Church welcomed the move. “It appears the government has pushed back on some of the more radical suggestions – such as replacing the GDPR with an entirely new Framework of Citizen Data Rights,” he said.
However, the proposals have alarmed privacy and rights campaigners. Organizations will no longer have to complete data protection impact assessments (DPIAs) before collecting data. Instead, they will have to conduct “risk-based privacy management programme” to “mitigate the potential risk of protected characteristics not being identified.”
Data protection consultant Rowenna Fielding warned that the shift away from broader right to focus only on privacy could be a danger to individuals.
“If government’s talking about replacing [the DPIA] with a privacy management program, that takes away that enormous requirement to consider holistically what rights might be affected and avoid detrimental impact to them and replace it with a very narrow focus on privacy.
“This means that there will no longer be a requirement to consider impacts on say employment rights, consumer rights, contractual rights, citizens’ rights and so on.
“It is actually extremely disturbing because it indicates that either they haven’t understood data protection law at all or they have understood it, and they are derailing the core purpose of data protection which is to protect rights and freedoms.
“They are changing the conversation to reframe it in a very, very narrow sense to be about privacy,” she said.
The government is also proposing changes to the role of the Information Commissioner’s Office, the independent watchdog overseeing data protection in the UK.
Government plans to give itself powers to prepare a statement of strategic priorities (SSP) for the ICO to regard when discharging its data protection functions, despite widespread criticism that this could undermine the independence of the office.
“Given the government’s commitment to ensuring the ICO’s independence, the SSP will sit below the ICO’s primary objective and duties under the UK GDPR and the DPA 2018. While the ICO will be required to respond to the priorities contained in the SSP, the ICO will not be legally bound to act in accordance with the statement. Further, the SSP will be subject to parliamentary approval before it is designated,” the proposals said.
Mariano Delli Santi, legal and policy officer with campaigners the Open Rights Group, said the move could expose the ICO to political direction, corporate capture and corruption.
“Worried about the ICO new guidance or investigation? Giving a substantial donation to the party in government will ensure that the Secretary of State takes care of your concerns,” he said. ®