The government recently outlined a set of proposals for the Data Reform Bill in a shake-up of the UK’s data protection laws as part of the UK’s post-Brexit national data strategy. Current legislation comes from the UK Data Protection Act 2018 and the retained EU GDPR, which is referred to as the UK GDPR.
The Data Reform Bill aims to reduce the burden of data protection compliance – moving away from the prescriptive current legislation to a more outcome-focused regime that gives businesses more flexibility in managing data protection risks. For example, reform will strip away the requirement, in some circumstances, for organisations to have a mandatory Data Protection Officer (DPO) or to carry out data protection impact assessments. Relieving small businesses of these time-consuming duties should allow them to better unlock the power of data for economic growth.
Organisations will be required to have a ‘privacy management programme’. Although reform will strip away some regulatory burdens, the accountability principle of the UK GDPR will remain at the heart of UK reform. From a data protection law perspective, what may appear to be lax reform could be seen as a political move aimed at generating positive publicity.
One favourable takeaway of the reform (which will benefit individuals and businesses) is that the PECR rules (the rules governing electronic communications) will be overhauled and the requirement to gain user consent will be dampened down. Moving to an opt-out model for cookies should make it easier for websites to provide a better experience and remove the need for annoying pop-ups when browsing through multiple websites.
The UK received an adequacy decision in June last year which allows the free flow of personal data between the UK and the European Economic Area. Data protection experts, including myself, are concerned that any divergence away from the EU GDPR to a more flexible and less burdensome regulatory regime may put any future adequacy decision at risk.
The European Commission included a ‘sunset clause’ in the UK’s adequacy decision, limiting the duration of the decision to four years; it will only be renewed if the UK continues to ensure an adequate level of data protection. The aim is to protect the EU against future divergence by the UK from the GDPR, and the European Commission has been clear that it will monitor UK compliance during this period and could intervene at any point.
It will be interesting to see whether the proposed data reforms will result in intervention by the Commission and how the UK government might react. A loss of adequacy could make transferring personal data outside the UK very complex and burdensome, and any immediate cost of adjustment would hit UK businesses hard.
Perhaps more fundamentally, could it be that the UK’s drive to open up data protection reform and to spearhead innovation is seen as contradicting the essence of data protection laws, which is to protect the fundamental rights and freedoms of individuals? By loosening the current regulatory regime, will individuals have less privacy? This remains to be seen.