The UK Government has formally announced its plans to introduce a Data Reform Bill (the Bill) as a means of overhauling the UK's data protection regime following the UK's departure from the EU.
This is being presented as a part of the Government's wider aim of taking advantage of Brexit and to increase the competitiveness of UK businesses and boost the Uk economy.
These are perhaps challenging aims given that any trading within the EEA will still be subject to GDPR but the progress of the Bill and what it will mean practically for businesses and the public sector in the UK will be very interesting.
The existing legislation
Legislation relating to the use of personal data in the UK is an ever-changing landscape. Prior to Brexit, data protection legislation in the UK was based on the Data Protection Act 1998 before moving to the European Union's General Data Protection Regulation (GDPR), the subsequent UK retained version of GDPR (UK GDPR) and the Data Protection Act 2018. In the background notes to the Queen's Speech these existing pieces of legislation are described as "highly complex and prescriptive" with a statement that they "encourage excessive paperwork, and create burdens on businesses with little benefit to citizens".
The announcement of the Bill is not unexpected as the Department for Culture, Media and Sport (DCMS) issued a consultation which closed at the end of 2021 covering the Government's proposed reforms to the UK's existing data protection regime, as a way of shifting data protection legislation away from being prescriptive and to focus more on risk-based outcomes.
Proposed reforms
The Bill will extend and apply across the UK, with some measures applying only to England and Wales only.
The details of the Bill remain to be seen, but the Government has announced that the Bill will simplify data protection legislation by streamlining the existing legislation and cutting red tape in order to reduce the burden on businesses by creating a more flexible, outcomes-focused approach "rather than box-ticking exercises" while also introducing clearer rules around the use of personal data.
GDPR and UK GDPR set out required terms to be included in data processing agreements, and model clauses as a safe method of transferring data abroad. It will be interesting to see whether the new legislation will seek to move away from this prescriptive approach and what this will actually entail. There is in our view something to be said for the safety of a set of standard provisions as a basis for data processing agreements rather than a judgement call being taken whenever data is processed or shared – this judgement call and assessment of risks and outcomes could result in a greater burden on businesses.
It is expected that the outcome of the DCMS consultation will be published over the next few weeks, with the Bill being published later this year.
The key features which are expected to be covered in the Bill include:
- Ensuring that UK citizens' personal data is protected to a gold standard
- Enabling public bodies to share data more efficiently to improve the delivery of services
- The modernisation of the Information Commissioner's Office
- Simplifying the rules around research to cement the UK's position as a science and technology superpower
- The removal of web cookie consent banners
- The introduction of Smart Data Schemes to enable small businesses and individuals to better control their personal data.
Commentary
While the Government has made it clear that the reforms are intended to protect UK citizens' personal data to a gold standard, it is important that any divergence from the existing legislation does not result in a weakening of these rights or the loss of the UK's EU data adequacy status which would have the opposite effect of cutting red tape and would result in businesses facing additional burdens when transferring to or receiving personal data from other countries.
It is unclear how SMEs in particular will cope with having to undertake an outcomes based approach rather than being able to put in place or sign up to standard processing terms. Any reform will doubtless entail both businesses and public sector entities having to review their data policies, systems and contracts.
Our data protection specialists regularly advise upon compliance with the current legislation and will be closely watching the progress of the Bill.
