Data: A New Direction consultation - Which? response
Summary
Which? welcomes the opportunity to respond to the government's proposals for change to the UK’s data protection regime, and to contribute the view of consumers on some of the critical areas that will impact them if changes to the UK's data protection and privacy laws are made.
Overall, Which? continues to fully support the basic principles of the UK GDPR. However, we acknowledge that there is room for improvement to any regulation which needs to grow and adapt with societal and technological changes. Our view is that the UK GDPR provides a solid foundation on which to build. This is an opportunity to strengthen the existing regulation, develop it further, for example by enacting Article 80(2), and more broadly ensure greater clarity for business and data subjects alike.
Innovation and growth in the digital age relies on data. Consumers' data is at the heart of many commercial business models. It is vital therefore that consumers (as data subjects) are put front and centre of any data protection regime. It is also vital that future adaptation of a regime sets out to actively create a trusted environment in which the rights and protections for both data subjects and business are equal.
Which? welcomes the concept of a data protection regime being ‘adaptable and dynamic’; however, we are concerned that the proposals in this strategy are so light touch and err so strongly towards deregulation that consumers will face reduced protection, a lack of control, a lack of clarity, and a lack of transparency about how personal and sensitive data is being used.
Similarly, our concern for business and organisations if the light touch approach were to be enforced, is that they will find defining their own more 'flexible' approach more burdensome and unclear than the current, more tightly defined requirements of the existing UK GDPR. Business and consumers alike want a clear and consistent framework: consumers want a clear understanding of their rights and to know what businesses are doing, and businesses want to know they are doing the right thing without ambiguity.
We are well aware that there has been limited enforcement activity undertaken by the ICO since the regulation came into force. These proposals set out a more ‘permissive’ approach as do other recent government proposals, including the consultation on the Better Regulation Framework and the broader National Data Strategy. We are sceptical that moving to a more permissive approach is in the best interests of consumers.
It would be extremely disruptive for consumers and businesses if the UK’s adequacy status were called into question. The adequacy decision is not only strictly limited by a ‘sunset’ clause that automatically expires in less than four years, but the EU Commission has said that the decision is subject to ‘continual monitoring’ and could be revoked at any time. We are concerned therefore about the impact of the proposed substantial legal changes on the UK being able to continue to rely on the current EU Adequacy Decision.
Our response to this consultation is focused on representing the best interests and rights of consumers as data subjects. We have used direct engagement with consumers to inform our response, and direct experience from Which? as a business implementing UK GDPR. Finally, we wish to emphasise that we have responded only to the questions that currently appear most relevant to consumers in relation to the specific proposals and where we have enough information to provide a robust response. As things develop we will look at suggested proposals as a whole and respond accordingly.