The Queen’s Speech on 10 May 2022 included the Data Reform Bill and the Bill of Rights, two bills that will be passed in the next parliamentary session and affect the UK’s data protection legal framework.
The government says that the purpose of the Data Reform Bill is to take advantage of Brexit to create a data protection framework 'that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK'. The government’s intention is to increase the UK legal environment’s competitiveness globally by removing data compliance burdens. The Bill of Rights aims to 'restore the balance of power between the legislature and the courts' and has the potential to threaten the UK’s adequacy decision.
In practice, international organisations will need to keep an eye on the parallel regimes of the UK and EU from now on. The exact detail of the proposed reforms is not yet clear but is expected in the next few weeks.
This is part of the government’s data strategy and follows on from the Department for Digital, Culture, Media and Sport's (DCMS) consultation that closed in November 2021 (Data: A New Direction).
The bill also intends to modernise the Information Commissioner’s Office (ICO) and introduce new smart data sharing schemes. The accompanying explanatory notes describe the UK’s General Data Protection Regulation (GDPR) and the Data Protection Act 2018 as 'highly complex and prescriptive pieces of legislation' that 'encourage excessive paperwork and create burdens on businesses with little benefit to citizens'. The bill proposes 'a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection rather than 'tick box' exercises'.
The DCMS’s proposal is a good indicator of the direction of travel but, despite the consultation’s close, the government has not published a response.
While the reforms aim to reduce the burdens faced by UK businesses, this may not be the case for all organisations. In particular, organisations that operate in both the UK and EU will still be subject to the EU GDPR so the benefit of any de-regulation under the UK regime is likely to be minimal. If there is significant divergence from the current legal framework, these organisations will need to keep up-to-date and comply with separate data protection regimes for the UK and EU/EEA.
Any divergence from the current regime may also affect data flows between the UK and the EU/EEA by jeopardising the UK’s adequacy decision from the European Commission which allows the free flow of personal data from the EU/UK without the need for additional safeguards such as standard contractual clauses. The UK’s adequacy decision is contingent on the UK maintaining a level of data protection that is essentially equivalent to the EU’s standard. It automatically expires in 2024 and its renewal will be dependent on the UK continuing to ensure an adequate level of data protection.
This was also announced in the Queen’s Speech and follows from the Ministry of Justice's (MoJ) proposals set out in its consultation that closed in December 2021 (Human Rights Act Reform: A Modern Bill of Rights). Like the Data Reform Bill, neither the outcome of the consultation nor the text of the bill have yet been published to indicate exactly how the measures will be introduced. However, the Bill of Rights also has the potential to have an impact on the UK’s adequacy decision, given the government’s stated intention to establish the primacy of UK human rights law free from the influence of the European Court of Human Rights (ECHR).
As noted by the ICO in its response (ICO response) to the MoJ’s consultation, in order to maintain the UK’s adequacy decisions, the government should ensure that its proposals continue to implement the ECHR in British law. The ICO response refers to a November 2020 report by the New Economics Foundation that estimates the cost to the British economy of not having such adequacy decisions in place could be between £1 billion and £1.6 billion over the next 10 years. This is largely due to the costs associated with putting in place data transfer mechanisms such as standard contractual clauses.
Although the substance of the Data Reform Bill and the Bill of Rights is not yet known, organisations can expect changes to the UK data protection regime soon. The impact of these changes - and the extent to which they will be welcomed by organisations - will depend on the final proposals. If the law can be reformed and burdensome paperwork reduced while still retaining adequacy, this could prove beneficial, particularly for smaller organisations.
However, any reform that results in the UK losing its adequacy decision will result in higher compliance costs for organisations receiving personal data from the EU/EEA. It is too early to conclude what the effect will be on organisations operating across the UK and EU but, when the bills are published in full, the legal position will be clearer.
This article was co-written with Miranda Robertson, knowledge paralegal.