Changes to UK data protection laws have been the subject of speculation for some time following Brexit, so it was not surprising when it was confirmed in the Queen’s Speech that the UK government intends to introduce a Data Reform Bill (the “Bill”).
The main purpose of the Bill is to:
- create a world-class data rights regime;
- establish a new pro-growth and trusted data protection framework;
- reduce burdens on business;
- modernise the Information Commissioner’s Office (“ICO”), including strengthening its enforcement powers and increasing its accountability; and
- drive industry participation in schemes which give citizens and small businesses more control of their data, particularly in relation to health and social care.
While there remains little information on the extent of the reform at this stage, the proposals will seek to strike an acceptable balance between reducing some of the administrative burdens associated with the UK GDPR and ensuring that protections for individuals remain sufficient to preserve the UK’s “adequacy” status (allowing data to flow freely between the UK and the EU).
UK GDPR and the Data Protection Act
The UK government stated that UK GDPR and the Data Protection Act 2018 are “highly complex and prescriptive pieces of legislation… that encourages excessive paperwork and create burdens for businesses with little benefit to citizens”.
As a result, the government has stated its intention to move towards a more flexible “privacy management program” as is favoured by several other non-EU countries.
The potential reforms of the ICO could have a significant bearing on the future of UK adequacy. Several proposals have been put forward that would make the ICO less independent from the government. Proposals include making ICO guidance and codes of conduct subject to approval by the government and also giving the government the right to appoint the ICO’s Chief Executive.
The UK’s potential Bill of Rights to replace the Human Rights Act may also come into play. The EU has emphasised the importance of the UK continuing to fulfil its obligations under the European Convention on Human Rights, and that this is one of the pillars on which its adequacy decision depends.
Can the UK retain its adequacy status?
The UK may struggle to retain its “adequacy” status with the EU. Whilst the views of the UK government and the goals of the Bill may resonate with many, they do suggest that radical changes will be made to the current regime.
The adequacy decisions in favour of New Zealand, Canada and Argentina are proof that there is room for manoeuvre and that the regimes of many countries that currently benefit from adequacy decisions are not based on the prescriptive GDPR model and are instead based on the more risk-based “privacy management program”.
Only time will tell what effect the Bill will have, but in seeking to ease the administrative burden for businesses the UK could risk losing its adequacy status and thus creating significant and expensive compliance problems. For now, all eyes are on the text of the Bill and how it is received by the UK’s international partners.
If you would like to discuss any of the issues raised in this article, Rebecca Anforth (Legal Director) would be delighted to hear from you. You can reach Rebecca on 07984692100 or you can email her at email@example.com.
The information provided in this article is a summary for general information purposes only and does not constitute legal or other professional advice and cannot be relied on as such. Any law quoted in this article is correct as at the above date. Appropriate legal and financial advice should be sought for specific circumstances before any action is taken.