Data reform in the UK
On 18 July 2022, the UK Government introduced the Data Protection and Digital Information Bill.
What is in the bill?
The new bill contains the Government’s proposals to reform the UK’s data protection regime. It quickly follows the Government’s publication in June of its response to its consultation on the Data Reform Bill carried out in autumn 2021. The publication of the bill in the final week before Parliament’s summer recess reflects the political importance of data reform to this Government.
While the proposals in the bill are not a radical divergence from the existing UK and EU data protection frameworks, they demonstrate the UK Government’s ambition to ease data compliance burdens on businesses and improve data sharing practices.
The bill clarifies that the Government will not be proceeding with all reforms proposed in the consultation. Of the proposed reforms being taken forward, the six notable changes include:
- Definitions. The definition of “personal data” has been refined to reflect a more subjective approach to the question of whether data should be classed as personal data or anonymous, depending on whether the information is identifiable by the controller or processor by reasonable means at the time of processing. This potentially narrows the information to which data protection law applies.
- Accountability. A more flexible approach to accountability and governance has been proposed to allow businesses to demonstrate compliance with UK data protection laws while removing some of the existing burdensome obligations. For example, it is proposed that the current obligations for organisations to have an independent data protection officer, conduct data protection impact assessments and maintain records of processing activities will be replaced with complementary measures under organisations’ own, tailored privacy management programmes.
- Data subject access requests (DSARs). A reform likely to be welcomed by many businesses is the ability for businesses to refuse to comply with DSARs which are deemed “vexatious or excessive”. This replaces the current exception for “manifestly unfounded or excessive” DSARs.
- E-privacy consents. The bill indicates that the UK Government is looking to move to an opt-out model in relation to cookie consent. The changes include allowing businesses to place “non-intrusive” cookies on a user’s device without consent in certain circumstances, such as using web analytics. Importantly, however, it has been proposed that fines for e-privacy breaches will be increased significantly to align with the fining powers available under the UK GDPR.
- International data transfers. There is a focus on the importance of removing unnecessary barriers to data flows, which takes the form of the UK Government following a risk-based approach to future adequacy decisions. The current GDPR adequacy assessment criteria are replaced by a “data protection test”, which requires a standard of “not materially lower than” the standard of protection afforded to a data subject in the UK.
- Legitimate interests. In response to the challenges faced by businesses when conducting legitimate interest assessments (“LIAs”), the bill will introduce an exhaustive list of data processing activities for which businesses can rely on legitimate interests as their legal basis without having to conduct an LIA. The current list mainly focuses on processing activities in the public interest, such as preventing crime and emergencies. For processing activities not listed, businesses will still need to do an LIA.
Implications
The bill’s impact assessment confirms the Government’s view that reform of UK legislation on personal data is “compatible with the EU maintaining free flow of personal data from Europe”; however, the final text will determine whether the UK’s adequacy status will be affected.
A loss of adequacy for the UK would create a significant administrative burden for organisations. The bill’s impact assessment estimates that the annual benefit to trade brought about by these amendments would be between £80 million and £160 million. It puts the estimated impact of adequacy with the EU being discontinued "on top of these measures" at between £190 million and £460 million in one-off costs for the implementation of standard contractual clauses, with an annual cost of between £210 million and £410 million in lost export revenue.