UK Data Reform Bill

Business Insights

Will new data laws boost business?

In the Queen’s Speech on 10 May 2022 it was announced that a Data Reform Bill is on the horizon. This came about as a result of the UK’s post-Brexit national data strategy. The data protection regime is currently legislated by the UK Data Protection Act 2018 and the retained EU GDPR, which is referred to as the UK GDPR. The Data Reform Bill will attempt to reduce the burden of data protection compliance, moving away from the prescriptive current legislation to a more outcome-focused regime where businesses will have more flexibility in managing data protection risks. For example, reform will strip away the requirement in some circumstances for organisations to have a mandatory DPO or to carry out a data protection impact assessment. For small businesses this will relieve the regulatory burden of complying with the current prescriptive regulation, leaving businesses to exploit data protection opportunities for growth.

Even though reform will strip away some of the regulatory burdens under the current data protection regime, the accountability principle of the UK GDPR will remain at the heart of UK reform, as organisations will be required to adopt a privacy management programme. From a data protection law perspective, this element of the reform could therefore be seen as a political point aimed at gaining positive publicity.

One of the favourable takeaways of the reform (which could benefit individuals and businesses) is that PECR rules (rules surrounding electronic communications) will be overhauled and the requirement to gain user consent will be dampened down. The move to an opt-out model for cookies will certainly enhance users' experience when manoeuvring through multiple websites.

There was much anticipation for an adequacy decision for the UK post-Brexit, which was received in June last year. The adequacy decision allows for the free flow of personal data between the UK and the European Economic Area. Data protection experts, including ourselves, are concerned that any divergence away from the EU GDPR to a more flexible and less burdensome regulatory regime may put any future adequacy decision at risk and therefore make transferring personal data outside the UK very complex and burdensome. It is also worth remembering that, unusually, the UK adequacy decision contained a “sunset clause” aimed at protecting the EU against future divergence by the UK from GDPR. The clause limits the duration of adequacy to four years, after which adequacy might be renewed, but only if the UK continues to ensure an adequate level of data protection. The European Commission has been clear that it will continue to monitor UK compliance during this period and could intervene at any point. It will be interesting to see whether the proposed data reforms will result in intervention by the Commission and how the UK government might react to the loss of adequacy, as the immediate cost of adjustment could hit UK businesses hard.

Perhaps more fundamentally, could it be that the UK’s need to open data protection reform and to spearhead innovation is seen as a contradiction to the essence of data protection laws, which is to protect the fundamental rights and freedoms of individuals? By loosening the current regulatory regime, will individuals have less privacy? This remains to be seen.