A government Bill has laid out a new UK data protection regime (which diverges from EU regulations), which the government says will ease the burden of compliance on businesses.
The government says that the ‘Data Reform Bill’, announced in this year’s Queen’s Speech, and outlined as part of London Tech Week, has been designed to:
– Strengthen the UK’s data protection standards while replacing ‘unnecessary’ paperwork to deliver around £1 billion in business savings.
– Modernise the Information Commissioner’s Office (the data regulator) to help better businesses comply with the law.
– Give more authoritarian powers to crack down on nuisance calls.
– Minimise the number of annoying cookie pop-ups people see on the web.
– Give researchers more flexibility to conduct life-saving scientific research.
– Empower the UK to strike new data partnerships.
– Fuel the responsible usage of data for innovation by providing clearer definitions about how consent is obtained for research.
Following Brexit, the UK introduced its version of GDPR (UK GDPR), which mirrored the EU’s GDPR. The EU recognised Britain’s standards in a process called adequacy, which enables the seamless flow of data to continue.
In August 2021, the UK signified its intentions to diverge from the EU’s data protection model by saying that it would reform the data rules it agreed upon as an EU member by adopting a “common sense” approach. This approach included trying to secure data partnerships with the United States and other nations.
This led to the EU Commission saying that it would closely monitor any developments to the UK’s rules in case the level of data protection became inadequate, and the adequacy decision needed to be “suspended, terminated or amended”.
The UK government has blamed its need to seek a change to its data regulations on a “lack of clarity” in the EU’s data regulation standards leading to “an over-reliance on ‘box-ticking’ to seek consent from individuals to process their personal data to avoid non-compliance”, resulting in a “one-size-fits-all approach”.
The UK has also now appointed a new Information Commissioner who is reporting that he shares the support and ambition of the reforms.
Although the UK government is pitching the Bill to reduce costs and beaurocracy for businesses, it has nevertheless received some criticism. For example:
– The Law Society have said that: “The fundamental right to protection of an individual’s privacy is underpinned by broad international consensus that personal data belongs to the individual, not to businesses. Any perception that the scales may start to tip in favour of businesses being allowed to use personal data for wider reasons at the cost of respect for (and effective measures to preserve) that privacy runs the risk of the UK no longer being seen as a global leader in data protection”.
– Criticisms from the ICO challenged the idea that data privacy laws stifled innovation, saying: “We must continue to see the opportunities of digital innovation and the maintaining of high data protection standards as joint drivers of economic growth. Innovation is enabled, not threatened, by high data protection standards.”
– Some commentators noted that no longer requiring businesses to appoint a data protection officer (DPO) or conduct data protection impact assessments (DPIA) when developing new tools or services appears to be a less stringent and more laissez-faire approach.
– The Open Rights Group said that the Bill is “a natural product of poor proposals being discussed in a rigged consultation process” and that “the Government are boldly taking the side of the abusers and the law-breakers: the UK Data Reform Bill will make it the default setting to spy on us, and your burden to opt-out of something you never wanted in the first place”. Also, Mariano Delli Santi, a data protection campaigner at Open Rights Group, said the proposals would “risk leading to a massive and expensive rupture with the EU, making data transfers costly for UK businesses, costing jobs during an economic downturn”.
It was inevitable that Brexit would result in more changes to UK data regulations as time progressed. The government is keen to emphasise savings in costs and ‘red tape’ to businesses that the new Bill could bring and how, as Digital Secretary Nadine Dorries says, it could “make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society.” Critics, however, are uneasy about the consultation process for the Bill, a possible weakening of data protection standards, giving businesses the scope to use our personal data for their wider usage and, as the Open Rights Group says, making a default setting “to spy on us” and shifting the burden of responsibility to users to “opt-out of something” they didn’t opt-into in the first place. So it remains to be seen how the Bill progresses through the following stages.