The UK Government today confirmed that it will bring forward a Data Reform Bill to reform data protection law in the UK. The Bill follows a consultation carried out last autumn, the results of which are yet to be published.
The announcement, as part of today's Queen's Speech, is light on detail. The Government's Queen's Speech Lobby Pack briefing does not provide much in the way of specific proposals, so we will need to wait until the Government publishes its response to last year's consultation on data reform and the draft Bill to see what is actually proposed.
What will the Data Reform Bill do?
Interestingly, the briefing makes no mention of changes to the rules around AI or abolishing cookie banners on websites, which had previously been touted as key areas for reform in media briefings.
Instead, the briefing says the main elements of the Bill are:
- Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.
- Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
- Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises
Eagle-eyed readers will spot that enabling public bodies to share data to improve the delivery of services is mentioned twice in the three bullet point summary.
What does this mean in practice? As ever the devil will be in the detail, but query whether a less prescriptive, outcomes-focussed, approach helps SMEs and others work out what they need to do to comply, or just create more uncertainty and lead to additional cost for specialist advice. While the briefing makes reference to excessive paperwork and burdens on businesses with "little benefit to citizens" obligations in relation to DPOs, Article 30 registers and carrying out DPIAs are already subject to exceptions or tests based on the type of personal data being processed or the level of risk.
Larger organisations that already have detailed compliance frameworks will be reluctant to make changes to those, particularly if they are part of a multinational organisation and looking to apply a consistent approach across the UK and EU/EEA. UK organisations that trade with consumers in the EU/EEA will in many cases continue to be subject to (EU) GDPR.
There is also the apparent prospect of some divergence between England and Wales and Scotland and Northern Ireland, as the briefing states that some measures will extend and apply to England and Wales only. Given that data protection is a reserved matter, and outside the competence of the devolved administrations, it's unclear what the practical impact of these differences will be.
More information
You can read the Government's summary of the proposed Bill in the Queen's Speech Lobby Pack (PDF) (see pages 57 and 58). We anticipate that the Government will provide more details on its proposals in the coming week. We'll provide further updates when those proposals are published.
Our Spring 2022 Data Protection Update webinar will take place on 23 June, where we will unpack the Government's proposals and (hopefully) discuss the now long overdue finalised guidance from the Information Commissioner's Office on international data transfer and transfer risk assessments. If you've not already registered then sign up on our website.
In the meantime, if you have any questions, please contact Martin Sloan or Grant Campbell.
Contributors
Partner
Partner