The UK’s new Data Reform Bill – A Brave New World?

As mentioned in our previous blog concerning the proposals for a new EU Data Act, during the Queen’s Speech on 10 May 2022, it was announced that the UK Government would be introducing a new Data Reform Bill (the “Bill”).

Subsequently the government has published a response to its consultation “Data: a new direction”, which was launched on 10 September 2021 as part of the UK’s National Data Strategy. The consultation contained proposals designed to build on the UK’s current data protection regime in areas such as data rights for individuals, the supervision and enforcement of the data privacy regime and the data processing principles.

The Bill is largely driven by the view that the existing legislation generates excessive paperwork and creates burdens for businesses with little benefit to citizens. This is a view that anyone who has clicked to “consent to cookies” or that they have read and understood the terms of a lengthy privacy policy may well sympathise with.  Consequently, the Bill seeks to amend the complex and prescriptive rules surrounding current data laws, to make them more user friendly and to encourage citizens to engage with the data process. This will be done by, inter alia, the removal of simple “tick-box” exercises.

The government therefore hopes that the changes that are to be implemented by the Bill will be welcomed by organisations, as they remove much of the lengthy and burdensome obligations placed upon them, and by individuals who are able to engage with the process more readily. An analysis by the Department for Digital, Culture, Media and Sport has suggested that the proposed reforms will create over £1 billion in business savings over ten years, simply by reducing burdens on businesses of all sizes.

The Lobby Pack accompanying the Queen’s Speech, explains that the aim of the Bill is to reform the existing UK data protection regime, consisting of both UK legislation deriving from the Data Protection Act 2018 (“DPA”) and that which has been inherited from Brexit, in the form of the General Data Protection Regulation (“GDPR”). For the most part, the Bill will apply across the whole of the UK, however, some measures will only apply to England and Wales.

Main Aims

The overriding objectives of the Bill are:

• to ensure UK citizens’ data is protected to the highest standard, whilst simultaneously enabling public bodies to share data to improve the delivery of services;
• to use data and regulations to improve the everyday lives of UK citizens; and
• to design a more flexible, outcome focused approach to data protection.

The UK government has stated that it intends to “take advantage of the benefits of Brexit to create a world class data rights regime…that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK”. The government hopes that, in doing so, it will also increase industry participation in Smart Data Schemes, providing members of the public and small businesses with more control of their data.

The Bill will modernise the Information Commissioner’s Office to ensure it has the powers required to take action against those who breach data rules, whilst simultaneously ensuring it becomes more accountable to both Parliament and members of the public, in the hope that this provides a level of security to both the public and large organisations.

The consultation

The recent publication of a response to the government’s “Data: a new direction” consultation provides more insight into the kind of changes that we might expect when the Bill is published. These focus on removing or simplifying some of the areas which are seen to be most burdensome to business such as the need to appoint a Data Protection Officer, to carry out Data Protection Impact Assessments and to maintain a Record of Processing Activities. There are also proposals to simplify the legitimate interests balancing test and to relax the requirement to obtain consent to setting cookies for some non-intrusive purposes.

Comment

The government’s introduction of the Bill will hope to increase competitiveness and efficiencies for UK businesses, by reducing much of the burdensome and complex requirement of the existing regime, and create a clearer and simpler regulatory environment for person data.

The GDPR itself of course had to be acceptable to the (then) 28 member states and was therefore always something of a compromise. It does however largely achieve its objective of protecting the fundamental rights and freedoms of individuals and in particular their right to the protection of personal data. As such it was a big step forward as a piece of data privacy legislation and has very much become the gold standard around the world with many countries having subsequently adopted, or being in the process of adopting, something similar.  It does however undoubtedly also increase the burden on business and largely makes no differentiation between the size of business meaning that it applies equally to businesses of all sizes. Whether the UK can do better very much remains to be seen.

The UK also needs to be very careful to ensure that it continues to provide an adequate level of protection for personal data. At the moment the UK enjoys an adequacy decision from the EU meaning that data can be transferred from the EU to the UK relatively freely. A wholesale change in the UK’s data privacy regime is likely to cause the EU to revisit that decision which in itself would create significant uncertainty for UK businesses.

At the time of writing this article, the draft Bill has not yet been published. We will write a further update on this once the Bill has been published.

If you have any questions about this topic or any other Data Protection matter, please contact Nick Phillips or Selina Clifford.

If you aren’t receiving our legal updates directly to your mailbox, please sign up now