On 10 May 2022, in the Queen’s Speech to mark the state opening of parliament, the UK government confirmed plans to introduce a new Data Reform Bill. The aim of the bill is to ensure that “UK citizens’ personal data is protected to a gold standard”.
This follows a consultation, published in September 2021, in which the government announced its vision to develop a data regime separate from EU data protection laws, following Brexit. The consultation focused on five objectives:
- Reducing barriers to responsible innovation
- Reducing barriers on business and delivering better outcomes for people
- Boosting trade and reducing barriers to data flows
- Delivering better public services
- Reform of the ICO.
The consultation closed in November 2021, and as yet there has been no formal response from the government. There has been little further detail given on the content of the forthcoming Data Reform Bill. However, here is what we do know:
Reform or repeal of UK GDPR and Data Protection Act?
The government has described the current legislation as “highly complex and prescriptive”, encouraging “excessive paperwork” and creating “burdens on businesses with little benefit to citizens”. The government aims to “take advantage of Brexit” to create a world-class data rights regime, allowing a new pro-growth and trusted UK data protection framework that reduces the burden on businesses and boosts the economy. An analysis by the Department for Digital, Culture, Media and Sport indicates that reforms will create more than £1bn in business savings over ten years, by reducing burdens on businesses of all sizes.
This suggests the government may be envisaging significant change to the current regime, which is likely to result in reform, or even repeal, of the current UK GDPR and Data Protection Act.
Modernisation of the ICO
The bill will ensure that the Information Commissioner’s Office (ICO) has the capabilities and powers to take stronger action against organisations that breach data rules. It will also include rules that require the ICO to be more accountable to parliament and the public than it currently is under the UK GDPR and Data Protection Act, and give citizens greater clarity on their rights.
Data use and sharing
There is an emphasis on enabling public bodies to share data more efficiently, so that delivery of services can be improved for the public, via a more “effective delivery of public healthcare, security and government services”.
The government also intends to create a “clearer regulatory environment for personal data use that will fuel responsible innovation and drive scientific progress”, as well as simplifying the rules around research to “cement the UK’s position as a science and technology superpower”.
Move away from ‘box ticking’
In introducing the bill, the government has indicated that it sees some of the current legislation as unnecessarily administrative. It has said that the new bill will increase the competitiveness and efficiencies of UK businesses by reducing the burdens they face, “for example by creating a data protection framework that is focused on privacy outcomes rather than box ticking”; and that it will design a more flexible, outcomes-focused approach to data protection that helps “create a culture of data protection, rather than ‘tick-box’ exercises”.
This is the starting point for what may be a fairly lengthy process for the creation of new data protection legislation. We expect to see the Data Reform Bill this year, as well as a formal response from the government to last year’s consultation. The bill will then have to go through the usual parliamentary processes to become law.
The extent to which new legislation departs from the current UK GDPR and Data Protection Act therefore remains to be seen. Any major changes will cause an administrative burden on organisations, although the hope is that policies and procedures put in place to comply with the current regulations will form a substantial basis for new requirements. It should also be noted that organisations may find themselves in the position of having to comply with both the new UK legislation and the EU GDPR.
There is a distinct irony in the promise of a reduction in the current administrative burden, which, if anything, is likely to increase on a practical level, given that divergence between EU and UK law will not be easy to navigate.
Contributed by Helen Bourne, partner, Clyde & Co