On June 17, 2022 a press release from the United Kingdom (UK) Government’s Department for Digital, Culture, Media & Sport (DCMS) and The Rt Hon Nadine Dorries MP announced “New data laws to boost British business, protect consumers and seize the benefits of Brexit”. The release goes on to summarize the aims of the bill as “Tougher fines for firms hounding people with nuisance calls and a clampdown on bureaucracy, red tape and pointless paperwork are part of reforms to transform the UK’s data laws for the digital age and seize the benefits of Brexit.”
Which sounds all good and well until you remember that there haven’t been many, if any, benefits of Brexit to date. At least none that anyone in the current government can point to … or the previous … or the one before that when this press release came out.
And before you wonder, yes, there have been three Prime Ministers in the UK since June of this year.
How did we get here? A quick recap
- The Younger Report on Privacy (1972) established 10 principles for the handling of personal data that were to influence data protection statutes in Europe.
- The Lindop Report on Data Protection (1978) examined public- and private-sector computer systems, recommending a flexible legislative environment with a set of broad principles guiding a data protection authority in its development of codes of practice aimed at various sectors of the economy.
- The UK enacted a Data Protection Act (DPA or The Act) in 1984.
- The Act gave new rights to individuals about whom information was recorded on computers; individuals could find out information about themselves, challenge it if appropriate, and claim compensation in certain circumstances.
- The Act was superseded by the DPA of 1998 which built on a number of provisions set out by the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.
- The DPA of 1998 was then superseded by the DPA of 2018, which enshrined the principles of the EU’s General Data Protection Regulation (GDPR) in UK law.
- That was then amended on January 1, 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU, which created the UK GDPR.
Recapping the recap
The EU GDPR sets out core definitions and fundamental data protection principles relating to data processing, the lawful grounds for processing data, as well as certain accountability duties and obligations which apply to both organizations and individuals that are processing personal data. The UK GDPR was intended to do the same. The UK GDPR has applied since January 1, 2021.
The Act (DPA) complements and supplements the legislation set out in the UK GDPR and contains the enforcement powers of the Information Commissioner’s Office (ICO).
The ICO is the UK’s independent body set up to uphold information rights and investigate breaches of the law as they pertain to the previously mentioned legislation.
At the time of writing, the EU GDPR and the UK GDPR are broadly similar and have parallel bodies enforcing the legislation, which have not yet diverged significantly.
Why the change?
Not really sure that it can be summed up better than this from the June press release: “Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection. Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.” You see, the UK government party line, as far as anything EU goes, is that it’s unnecessary. Their take is that the UK can do better on its own, and that the resulting changes bring only benefits, no downsides.
What does the UK Data Reform bill change?
What we know is based on the most recent draft (which is likely to change as a result of the new consultation process that is going to be undertaken)—here are some highlights:
- Defining how personal data can be re-used
- Creating exemptions for legitimate interests
- Reversing the prohibition of automated decision making and creating a right to safeguards
- Removal of mandatory Data Protection Officer (DPO) requirements—organizations will still need to assign the responsibilities to someone
- Removal of mandatory Data Protection Impact Assessments (DPIA) requirements—organizations will still be required to identify and manage risks
- Setting a threshold for organizations to refuse to respond to a Data Subject Access Request (DSAR)
- Permitting cookies (and similar technologies) placed on user devices for “non-intrusive” purposes
- Moving to an opt-out model for cookie consent
- Removing cookie banner requirements for UK residents
- Allowing the Secretary of State to approve ICO codes of practice and statutory guidance
- Providing the Secretary of State with the power to create new UK mechanisms for transferring data overseas
- Provide discretion for the ICO in terms of investigation of complaints, including refusal of “vexatious” complaints or complaints where the data subject has not first attempted to resolve the issue directly with the data controller
What’s the mood on the ground?
Members of European Parliament (MEPs) are also not particularly impressed after a series of meetings with UK government officials on the changes. Here’s a selection of their quotes:
- “It was appalling, it was all about growth and innovation and nothing about human rights” (describing the meetings)
- “didn’t seem to know anything about data protection” (describing an ICO official)
- “giving in on privacy in exchange for business gain.”
- “In Europe, the protection of the individual prevails; in the U.K. the protection of the economy.”
The Open Rights Group view of the changes paints an even worse picture, if you can believe it. Their view cites a general watering down of existing legislation (and thereby citizens’ rights) along with the removal of the ICO’s independence by giving sweeping oversight of the organization to the Secretary of State, stating: “the UK Government are on a collision course with their international obligations under the ECHR and the CoE convention 108+ on personal data protection—both fundamental elements of the UK adequacy determination, and whose rupture would spell troubles for the UK digital sector.”
A two-year-old study put the cost to UK businesses of losing the adequacy decision for data transfers between the EU and UK at around £1-£1.6 billion. The loss would effectively put the UK in the same position as the United States is currently, where transferring data from the EU to the United States is illegal. The United States recognizes the value of that transfer and is doing what it can to get a new data sharing agreement agreed to, while the UK government seems to be making a concerted effort to lose theirs.
So what happens next?
They’ve finished playing musical chairs in Westminster, for the moment, which means the bill that has been in limbo since the June press release is back on the agenda at the DCMS. “We are genuinely interested in continuing to engage with the whole range of stakeholders. Different business sectors as well as privacy and consumer groups,” Deputy Director Owen Rowland said. “We’ll be providing details in the next couple of weeks in terms of the opportunities that we are going to particularly set up.”
What does this mean for you/r business?
Not much at the moment beyond wait and see with a side of prepare for the worst. If you’re not sure where to start in creating your privacy strategy, we’re here to chat.