UK Intends to Reform Data Protection
On 10 May 2022, the UK government announced its intention to introduce a Data Reform Bill (the “Bill”). The announcement was made as part of the Queen’s Speech and did not come as a great surprise given changes to data protection in the UK had been rumoured for some time post-Brexit. The UK government summarises the purposes of the Bill, what it perceives to be its benefits and, amongst other things, the main elements of the proposed legislation, in its background notes for the Queen’s Speech.
By way of the Bill, the UK government intends to “create a world class data rights regime that will allow…[it] to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK”, whilst also modernising the ICO and ensuring it has the powers it requires to enforce data protection, increasing participation in Smart Data Schemes and improving access to health and social data to help those in need of medical care.
In doing so, it believes it will increase the competitiveness and efficiencies for businesses with the reforms anticipated to generate more than £1 billion in business savings over 10 years (according to an analysis by the Department for Digital, Culture, Media and Sport). Amongst other benefits, the Bill will allow data to be used in a way that can empower citizens and improve their lives with regards healthcare, security and government services.
Echoing an opinion which is likely fairly widespread by experts and practitioners, the UK government also expressed its opinion on the GDPR and Data Protection Act 2018 stating that they are “highly complex and prescriptive pieces of legislation…that encourage excessive paperwork, and create burdens for businesses with little benefit to citizens.” In this respect, the UK government notes several times that it wants to remove “tick box exercises”.Whilst the views of UK government and the goals of the Bill may resonate with, and be supported by, many working within data protection, this all suggests that fairly radical changes will be made to the current regime in the UK. Of particular note is that the Bill comes shortly after the UK being granted its adequacy decision from the European Commission, something the UK government has been keen to retain. Will the Bill may jeopardise this decision and have an adverse effect on organisations, specifically those operating in both the UK and EU? Only time will tell. A more flexible and efficient regime may in fact entice organisations to bring more business to the UK which, as the background notes suggest, is a key driver for the UK government to make these changes. We now await the UK government releasing a draft of the new Bill and, importantly, the reaction of the EU Commission and EU regulators.