As mentioned in our previous blog concerning the proposals for a new EU Data Act, during the Queen’s Speech on 10 May 2022, it was announced that the UK Government would be introducing a new Data Reform Bill (the “Bill”).
Subsequently the government has published a response to its consultation “Data: a new direction”, which was launched on 10 September 2021 as part of the UK’s National Data Strategy. The consultation contained proposals designed to build on the UK’s current data protection regime in areas such as data rights for individuals, the supervision and enforcement of the data privacy regime and the data processing principles.
The government therefore hopes that the changes that are to be implemented by the Bill will be welcomed by organisations, as they remove much of the lengthy and burdensome obligations placed upon them, and by individuals who are able to engage with the process more readily. An analysis by the Department for Digital, Culture, Media and Sport has suggested that the proposed reforms will create over £1 billion in business savings over ten years, simply by reducing burdens on businesses of all sizes.
The Lobby Pack accompanying the Queen’s Speech, explains that the aim of the Bill is to reform the existing UK data protection regime, consisting of both UK legislation deriving from the Data Protection Act 2018 (“DPA”) and that which has been inherited from Brexit, in the form of the General Data Protection Regulation (“GDPR”). For the most part, the Bill will apply across the whole of the UK, however, some measures will only apply to England and Wales.
The overriding objectives of the Bill are:
- to ensure UK citizens’ data is protected to the highest standard, whilst simultaneously enabling public bodies to share data to improve the delivery of services;
- to use data and regulations to improve the everyday lives of UK citizens; and
- to design a more flexible, outcome focused approach to data protection.
The UK government has stated that it intends to “take advantage of the benefits of Brexit to create a world class data rights regime…that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK”. The government hopes that, in doing so, it will also increase industry participation in Smart Data Schemes, providing members of the public and small businesses with more control of their data.
The Bill will modernise the Information Commissioner’s Office to ensure it has the powers required to take action against those who breach data rules, whilst simultaneously ensuring it becomes more accountable to both Parliament and members of the public, in the hope that this provides a level of security to both the public and large organisations.
The recent publication of a response to the government’s “Data: a new direction” consultation provides more insight into the kind of changes that we might expect when the Bill is published. These focus on removing or simplifying some of the areas which are seen to be most burdensome to business such as the need to appoint a Data Protection Officer, to carry out Data Protection Impact Assessments and to maintain a Record of Processing Activities. There are also proposals to simplify the legitimate interests balancing test and to relax the requirement to obtain consent to setting cookies for some non-intrusive purposes.
The government’s introduction of the Bill will hope to increase competitiveness and efficiencies for UK businesses, by reducing much of the burdensome and complex requirement of the existing regime, and create a clearer and simpler regulatory environment for person data.
The GDPR itself of course had to be acceptable to the (then) 28 member states and was therefore always something of a compromise. It does however largely achieve its objective of protecting the fundamental rights and freedoms of individuals and in particular their right to the protection of personal data. As such it was a big step forward as a piece of data privacy legislation and has very much become the gold standard around the world with many countries having subsequently adopted, or being in the process of adopting, something similar. It does however undoubtedly also increase the burden on business and largely makes no differentiation between the size of business meaning that it applies equally to businesses of all sizes. Whether the UK can do better very much remains to be seen.
The UK also needs to be very careful to ensure that it continues to provide an adequate level of protection for personal data. At the moment the UK enjoys an adequacy decision from the EU meaning that data can be transferred from the EU to the UK relatively freely. A wholesale change in the UK’s data privacy regime is likely to cause the EU to revisit that decision which in itself would create significant uncertainty for UK businesses.
At the time of writing this article, the draft Bill has not yet been published. We will write a further update on this once the Bill has been published.
If you aren’t receiving our legal updates directly to your mailbox, please sign up now
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.