The Latest on the UK Data Reform Bill


On June 17, 2022 a press release from the United Kingdom (UK) Government’s Department for Digital, Culture, Media & Sport (DCMS) and The Rt Hon Nadine Dorries MP announced “New data laws to boost British business, protect consumers and seize the benefits of Brexit”. The release goes on to summarize the aims of the bill as “Tougher fines for firms hounding people with nuisance calls and a clampdown on bureaucracy, red tape and pointless paperwork are part of reforms to transform the UK’s data laws for the digital age and seize the benefits of Brexit.” 

Which sounds all good and well until you remember that there haven’t been many, if any, benefits of Brexit to date. At least none that anyone in the current government can point to … or the previous … or the one before that when this press release came out. 

And before you wonder, yes, there have been three Prime Ministers in the UK since June of this year. 

How did we get here? A quick recap

  • The Younger Report on Privacy (1972) established 10 principles for the handling of personal data that were to influence data protection statutes in Europe. 
  • The Lindop Report on Data Protection (1978) examined public- and private-sector computer systems, recommending a flexible legislative environment with a set of broad principles guiding a data protection authority in its development of codes of practice aimed at various sectors of the economy. 
  • The UK enacted a Data Protection Act (DPA or The Act) in 1984. 
  • The Act gave new rights to individuals about whom information was recorded on computers; individuals could find out information about themselves, challenge it if appropriate, and claim compensation in certain circumstances.
  • The Act was superseded by the DPA of 1998 which built on a number of provisions set out by the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.
  • The DPA of 1998 was then superseded by the DPA of 2018, which enshrined the principles of the EU’s General Data Protection Regulation (GDPR) in UK law.
  • That was then amended on January 1, 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU and created the UK GDPR.

Recapping the recap

The EU GDPR sets out core definitions and fundamental data protection principles relating to data processing, the lawful grounds for processing data, as well as certain accountability duties and obligations which apply to both organizations and individuals that process personal data. The UK GDPR was intended to do the same. The UK GDPR has applied since January 1, 2021. 

The Act (DPA) complements and supplements the legislation set out in the UK GDPR and contains the enforcement powers of the Information Commissioner’s Office (ICO). 

The ICO is the UK’s independent body set up to uphold information rights and investigate breaches of the law as they pertain to the previously mentioned legislation.

At the time of writing, the EU GDPR and the UK GDPR are broadly similar and have parallel bodies enforcing the legislation, which have not yet diverged significantly. 

Why the change?

Not really sure that it can be summed up better than this from the June press release: “Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection. Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.” You see, the UK government’s party line, as far as anything EU goes, is that it’s unnecessary. Their take is that the UK can do better on its own, and that the resulting changes bring only benefits, no downsides. 

What does the UK Data Reform bill change? 

What we know is based on the most recent draft (which is likely to change as a result of the new consultation process that is going to be undertaken)—here are some highlights:

  • Defining how personal data can be re-used 
  • Creating exemptions for legitimate interests 
  • Reversing the prohibition of automated decision making and creating a right to safeguards
  • Removal of mandatory Data Protection Officer (DPO) requirements—organizations will need to appoint the responsibilities to someone 
  • Removal of mandatory Data Protection Impact Assessments (DPIA) requirements—organizations will still be required to identify and manage risks
  • Setting a threshold for organizations to refuse to respond to Data Subject Access Requests (DSARs) 
  • Permitting cookies (and similar technologies) placed on user devices for “non-intrusive” purposes
  • Moving to an opt-out model for cookie consent
  • Removing cookie banner requirements for UK residents
  • Allowing the Secretary of State to approve ICO codes of practice and statutory guidance 
  • Providing the Secretary of State with the power to create new UK mechanisms for transferring data overseas
  • Providing discretion for the ICO in terms of investigation of complaints, including refusal of “vexatious” complaints or complaints where the data subject has not first attempted to resolve the issue directly with the data controller

What’s the mood on the ground?

Members of European Parliament (MEPs) are also not particularly impressed after a series of meetings with UK government officials on the changes. Here’s a selection of their quotes:  

  • “It was appalling, it was all about growth and innovation and nothing about human rights” (describing the meetings)
  • “didn’t seem to know anything about data protection” (describing an ICO official)
  • “giving in on privacy in exchange for business gain.”
  • “In Europe, the protection of the individual prevails; in the U.K. the protection of the economy.”

The Open Rights Group view of the changes paints an even worse picture, if you can believe it. Their view cites a general watering down of existing legislation (and thereby citizens’ rights) along with the removal of the ICO’s independence by giving sweeping oversight of the organization to the Secretary of State, stating: “the UK Government are on a collision course with their international obligations under the ECHR and the CoE convention 108+ on personal data protection—both fundamental elements of the UK adequacy determination, and whose rupture would spell troubles for the UK digital sector.” 

A two-year-old study put the cost to UK businesses of losing the adequacy decision for data transfers between the EU and UK at around £1-£1.6 billion. The loss would effectively put the UK in the same position as the United States is currently, where transferring data from the EU to the United States is illegal. The United States recognizes the value of that transfer and is doing what it can to get a new data sharing agreement in place, while the UK government seems to be making a concerted effort to lose theirs.

So what could happen?

They’ve finished playing musical chairs in Westminster, for the moment, which means the bill that has been in limbo since the June press release is back on the agenda at the DCMS. “We are genuinely interested in continuing to engage with the whole range of stakeholders. Different business sectors as well as privacy and consumer groups,” Deputy Director Owen Rowland said. “We’ll be providing details in the next couple of weeks in terms of the opportunities that we are going to particularly set up.”

Update: July 2023

  • November 2022: The UK government (under Liz Truss) reintroduced the Data Protection and Digital Information (DPDI) Bill, which was originally proposed in July 2022 but was put on pause in September 2022.
  • February 2023: UK Prime Minister Rishi Sunak (Truss’s successor) announced the creation of four new government departments, including a dedicated Department for Science, Innovation and Technology (DSIT) which would focus on “technical innovations” and take over digital and data policy responsibility from the Department for Culture, Media and Sport (DCMS).
  • The UK is expected to adopt the new data protection bill this fall.
  • An open letter to the EU Commission on the DPDI states: “The DPDI Bill flies in the face of the 2021 adequacy decision. If passed, the Bill would mean a wholesale deregulation of the UK data protection framework, allowing private companies to seek shelter in the UK to circumvent European data protection standards, and turning the UK into a “test lab” for experimental and abusive uses of data. Likewise, the UK Government would be given the power to legalize invasive surveillance programmes and other measures that trump the right to data protection of European citizens.”
  • The adequacy decision is based on the UK offering data protection that’s equivalent to the EU’s GDPR. 
  • Groups, including Amnesty International, Open Rights Group, Privacy International, and many others, contend that DPDI will be significantly less protective.
  • The DPDI, they claim, would give the UK government new powers to override data protection principles by changing the law after it becomes an Act of Parliament.
  • It would authorize the UK government to issue political directions to the UK data protection body, the Information Commissioner’s Office (ICO); these groups say it would undermine its independence as a regulator.
  • The UK data adequacy decision has a sunset clause of four years which means it’s up for review in 2025.
  • The European Commission also emphasized that the adequacy decision does guarantee four years of data transfers, saying it will “continue to monitor the legal situation in the UK and could intervene at any point if the UK deviates from the level of protection currently in place.”

So what happens next?

To make its way into law, the bill itself will need to be enacted—and there is little to show that this will happen, either under the current government or a future one, at least in its current guise. And there are more important things to resolve under the shadow of an impending general election that is likely to see a change of government—as in a change of ruling party, not just a shuffling of the same old tired faces into new positions for more of the same, as has been the way of things for the last 12-18 months. I wouldn’t expect there to be too much more progress on this through the remainder of the year.

What does this mean for you/r business?

Not much at the moment beyond wait and see with a strong recommendation to begin considering the technical infrastructure required to be able to adapt to changing legislation quickly, easily, and in a manner that mitigates effects on business continuity. If you’re not sure where to start in creating your privacy strategy, we’re here to talk.


Author

  • Ash Lindley

    From a misguided beginning in media planning some 18 years or so ago, Ash Lindley has worked across much of digital including SEO, digital analytics, and cloud architecture everywhere from an upstart digital agency to unwieldy full-service media agency environments, and a stint client-side for curiosity’s sake. As Strategy Lead, Ash is primarily focused on Wardley Mapping at InfoTrust, along with anything and everything privacy related in his spare time.

Originally Published: November 22, 2022

July 11, 2023