Since Brexit was finalised at the start of 2021, the United Kingdom has retained much of the EU General Data Protection Regulation. The government’s plans, if implemented, would see the UK move away from the EU’s approach in several key ways, which may jeopardise the continuation of the adequacy decision granted by the EU in June. Termination of the adequacy decision, which currently permits free flows of personal data between the EU and the UK, could mean increased costs and bureaucracy for businesses on both sides of the Channel that wish to continue their data transfers.
Some of the changes to the UK GDPR proposed in the consultation document are:
- Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.
- Removal of the right to human review of decisions made on the basis of solely automated data processing.
- Introducing a fee for responding to subject access requests and allowing organisations to refuse to comply with requests at a lower threshold than “manifestly unfounded”, as allowed in the current legislation.
The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:
- Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.
- Removing the requirement for websites to obtain consent before serving some analytics cookies.
- Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.
First publication: Cyber Law Watch with Noirin McFadden