The government has published its long-awaited response to a consultation on the proposed Data Reform Bill, pledging to press ahead with a number of changes that it says will boost businesses, protect consumers and seize the “benefits” of Brexit.
Its proposals include clamping down on what it perceives as red tape around privacy and data protection to save an estimated £1bn, while strengthening data protection standards, reforming the Information Commissioner’s Office (ICO), giving innovators and researchers more flexibility in how they use data in their work, and increasing fines for people who misuse data.
In a move guaranteed to catch the attention of consumers, it also proposes to adopt new measures to minimise the number of cookie pop-ups people see online.
Outlining its response at the end of London Tech Week, the government said that data was core to the UK economy, with data-driven trade generating 75% of the country’s services exports and revenues of £234bn in 2019, and that it touched both the core of how businesses operate and how people live their daily lives.
“Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower. Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society but retains our global gold standard for data protection,” said digital secretary Nadine Dorries.
“Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.”
John Edwards, the recently appointed information commissioner, said he shared the government’s ambitions and was particularly pleased that the ICO’s concerns around its future independence under the new regime had been taken into account.
“Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms,” said Edwards.
“We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the bill.”
At their core, the reforms hinge on the government’s belief that the European Union (EU) General Data Protection Regulation (GDPR), which was transposed into UK law as the UK GDPR after Brexit was finalised, held organisations back from using data in a dynamic way.
It said there was a lack of clarity in the GDPR that led to an overreliance on box ticking, and that the regulation was overly reliant on a one-size-fits-all approach that failed to account for the unique needs of disparate organisations, placing a particular burden on small and medium enterprises (SMEs) and startups. It is these burdens the government is set on removing.
For example, the bill will remove the UK GDPR’s requirements that give organisations little flexibility about risk management, including the need for small businesses to appoint a data protection officer (DPO) or undertake data protection impact assessments (DPIAs). This will mean, for example, that a small independent retailer working online won’t have to recruit a dedicated data expert provided it can prove it has someone to manage the risks effectively.
In other key areas, the government is proposing to increase fines for nuisance calls, texts and other serious data breaches under the Privacy and Electronic Communications Regulations (PECR) from the current maximum of £500,000 to come in line with GDPR’s limits of up to 4% of global turnover or £17.5m.
The PECR will also be the mechanism by which the government seeks to cut down on the number of cookie consent pop-ups, which currently display every time a user visits a new website. In future, an opt-out model will come into play, reducing the need for users to click through consent banners on every site they visit.
TechUK CEO Julian David agreed that the GDPR as introduced was far from perfect, saying: “The challenge in reforming it has always been how to retain key protections for citizens while introducing clarity and flexibility to enable growth in data-driven innovation and new technologies such as AI [artificial intelligence].
“The reforms announced today find a good balance between making the UK’s data protection system clearer, more flexible and more user friendly to researchers, innovators and smaller companies, while at the same time maintaining levels of data protection in line with the highest global standards.”
David did, however, speak of some outstanding questions around how exactly the reforms will work in practice, specifically around the cookie opt-out system, and proposals for balancing tests with regard to data processing.
“However, on the whole this is a welcome package of reform. TechUK will continue to work closely with the government on these outstanding questions and we look forward to seeing the draft Data Reform Bill in due course,” said David.
EU clash avoided?
Peter Church, a counsel in Linklaters’ global data team, said it appeared that the government had walked back some of the more radical suggestions, such as scrapping GDPR entirely and replacing it with a new framework – which would have set the UK on yet another collision course with the EU.
“This is hardly a surprise given data protection laws are now a global norm and the GDPR is the template upon which many of those laws are based,” said Church. “This is good news for data flows between the EU and the UK, as these more modest reforms mean the EU Commission is less likely to revoke the UK’s adequacy finding, which would have caused significant disruption.
“The UK is [also] starting to go its own way in relation to international data transfers. The new requirements in the EU to risk assess transfers are turning out to be very costly and time consuming, so there is certainly space for the UK to take a more balanced approach.”
Clifford Chance tech lawyer Herbert Swaniker said that how the reforms translate into the bill will still be monitored closely by other governments and by organisations that operate in both the UK and EU.
“The impact, particularly for larger companies, remains to be seen. Many organisations create global data superstructures, where a UK-specific approach could introduce complexity in decision-making, tech engineering and business costs. The EU Commission will closely monitor these developments. Securing the EU-UK adequacy decision was a top priority,” said Swaniker.
“Data borders and tech wars highlight the economic value and geopolitical nature of data. Last summer, UK businesses were relieved when the EU decided to allow continued free flow of personal data from the bloc to the UK. That decision is based on the UK’s data rules being essentially equivalent to the EU’s. These reforms will need to carefully balance maintenance of this hard-won decision. The UK government’s council of experts will play an important role in striking the right balance.
“Obviously some are concerned that reform could threaten the EU’s decision to allow free flow of personal data to the UK. Careful and thoughtful reform can help bridge any gaps that would threaten the data bridge that has been created on the basis of the current similarity of the EU and UK data framework,” he added.
Beyond this, said Swaniker, it will be critical to review the data transfer proposals in a global context as well, on the basis that pursuing partnerships and securing data flows isn’t only something of interest to the UK – the European Commission and the US have fingers in the pie too.