CM July and August 2023 digital

OPINION
AUTHOR – Jeanette Burgess
“The Bill increases
the level of fines
for nuisance calls
and texts to up to
four percent of
global turnover or
£17.5m, whichever
is greater.’’
markets, which could lead to smart
data schemes in energy, utilities and
telecommunications. Consumers would
then be able to provide access to their
accounts to authorised third parties
which could result in a number of
benefits for consumers such as reduced
costs and increased competition. Open
banking is the best and only current
example of open data, and the Bill gives
the Government powers to create a
much wider open data economy.
The future of AI
Under the UK GDPR as it currently
stands, solely automated decisions
(including profiling) that produce
'legal or similarly significant' effects on
data subjects may only be carried out
where (a) it's necessary for entering
into or performing a contract between
a controller and a data subject, (b) it's
required or authorised by law or (c)
the data subject has given their explicit
consent.
The Bill amends the UK GDPR so
that automated decision making is not
restricted to these circumstances, which
might make it easier for organisations to
use AI in some situations, for instance,
when screening job applications. Under
the new Bill, a decision is based solely
on automated processing if there is no
meaningful human involvement in the
taking of the decision. When considering
whether there is meaningful human
involvement in the taking of a decision,
the extent to which the decision is
reached by means of profiling must be
considered.
Using employment as the contextual
example, there are risks arising from
the use of AI which the Bill attempts
to address. For example, a 'significant
decision' based entirely or partly on
special category data which covers,
for example, race, religion, sexual
orientation etc., may not be taken based
solely on automated processing unless
certain conditions are met.
Where a significant decision taken by
or on behalf of a controller in relation
to a data subject is (a) based entirely
or partly on personal data, and (b)
based solely on automated processing,
the controller must make sure that
safeguards for the data subject's rights,
freedoms and legitimate interests are
in place. This includes providing the
data subject with information about
the decision taken and enabling them
to: make representations about the
decision; obtain human intervention on
the part of the controller in relation to
the decision; and to contest the decision.
The Government hopes that by
clarifying the circumstances when
robust safeguards apply to automated
decision making, this will increase
public and business confidence in AI
technologies
Data protection trials
One of the biggest data protection bugbears
can be dealing with DSARs.
DSARs can be a significant burden,
and while this data subject right is
maintained under the proposed new
regime, businesses will be entitled
to charge a fee for or refuse to act
on requests considered 'vexatious
or excessive.' Under the UK GDPR,
businesses can only do this where
the request is manifestly vexatious or
excessive. Not only does this change
have the potential to reduce paperwork
and costs, but it can help guard against
disgruntled individuals seeking to
weaponise their data. However, it will
be the data controller's responsibility
to prove that a request is vexatious or
excessive. As the Bill is currently drafted,
it is anticipated that there will be debate
on a case-by-case basis as to whether the
threshold has been met.
New penalties proposed in the Bill
The Bill increases the level of fines for
nuisance calls and texts to up to four
percent of global turnover or £17.5m,
whichever is greater. Presently the
maximum fine is £500,000. How effective
these much higher penalties will be as a
deterrent depends on how stringent the
level of enforcement is in practice.
The Information Commissioner’s
Office (ICO) explained, in November
2022, its new strategic approach to
regulatory action where fines are just
one of the enforcement tools available
to it on a spectrum. The ICO has been
active in issuing monetary penalties for
breaches of the Privacy and Electronic
Communications (EC Directive)
Regulations 2003 (PECR).
The Bill proposes certain changes
concerning the Information
Commissioner's role. For example,
a Statement of Strategic Priorities is
proposed to set out the Government’s
data protection priorities to which the
Commissioner must have regard. It
remains to be seen whether this will
have any effect on the type and level of
enforcement imposed, under the PECR
or otherwise. Many still expect to see
the Information Commissioner taking
a proportionate approach, reserving the
highest penalties for the most severe
incidents of non-compliance.
Other changes
There are two other changes worth
highlighting.
The rules around cookies are to be
relaxed. As part of the drive to cut ‘red
tape’, the Bill relaxes the currently strict
rules around website cookies. A website
operator would be able to place certain
types of cookies, including statistical
and location cookies without the need
for obtaining the current ‘pop-up’
consents.
And lastly, the Bill reforms the UK
Information Commissioner’s Office
(ICO). Among other changes introduced,
the Bill abolishes the UK Information
Commissioner’s Office in its current
form and creates a new Information
Commission in its place to assume the
responsibilities of the current regulatory
body.
Summary
The Bill is not in finalised form yet,
however, it shines light on the main
areas of reform introduced by the
Government. The changes introduced
by the Bill are not radical, however
data protection is a serious matter and
organisations should ensure they fully
understand the implications of the
current law and the proposed changes.
Jeanette Burgess is Head of Regulatory
& Compliance at Walker Morris.
Brave | Curious | Resilient / www.cicm.com / July & August 2023 / PAGE 22