On 10 May 2022 the UK Government announced, through the Queen’s Speech, that the United Kingdom's data protection regime is to be reformed.
What is the bill?
The Data Reform Bill (“the Bill”) will reform the UK’s current data protection framework. As a result of Brexit, the UK incorporated the EU data protection regime (the EU GDPR) into domestic law as the “UK GDPR”.
The Bill follows the government’s consultation on reforms to the UK data protection regime, conducted last year, the results of which are yet to be published. A key theme of the consultation was reducing the perceived burdens that businesses face under the existing data protection framework. This theme is continued in the government's announcement of the Bill. Its briefing states that the three main elements are:
- ensuring that UK citizens’ personal data is protected to a gold standard, while enabling public bodies to share data to improve the delivery of services;
- using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies; and
- designing a more flexible, outcomes-focused approach to data protection which helps create a culture of data protection, rather than ‘tick box’ exercises.
The government has asserted that the driving force of these changes is the need to increase the competitiveness of UK businesses by reducing the burdens they face. It has presented this as part of a ‘Brexit bonfire’ of EU legislation to reduce red tape for businesses. The government intends that the changes to the data protection regime will tackle the excessive burdens and paperwork that the current data protection framework entails, which it perceives as having little benefit to UK citizens.
Additionally, the Bill seeks to provide clarity to researchers on how best to use personal data. The government aims to use the legislative freedom that Brexit allows to create a data rights regime that will, amongst other things, “help scientists to innovate and improve the lives of people in the UK”.
The UK GDPR currently mirrors the regime in the rest of the EU. As a result, the EU has made an adequacy decision in respect of the UK which allows data to flow freely between the UK and EU member states.
The government has emphasised that the standard of protection of personal data will not be diminished, stating that it will still be protected to a “gold standard”. Nevertheless, its emphasis on reducing perceived administrative burdens necessitates a certain degree of divergence from the current regime. The European Commission’s adequacy decision may be revoked if the Commission determines that the UK’s level of protection of personal data falls below that offered to EU citizens. The EU is due to review the adequacy decision in 2024, but has indicated that this review may come sooner if the UK’s data protection regime starts to differ significantly from that in the EU.
Furthermore, many businesses have invested significant time and expense implementing detailed compliance frameworks. While the purpose of the Bill is to reduce the red tape that businesses face as a result of the EU regime, in reality many organisations operate both within the UK and the EU. It is therefore possible that this Bill will increase the burdens that organisations face by creating an additional legislative regime and increasing the number of rules that businesses are required to be aware of and comply with.
Keep a lookout
The announcement on 10 May was light on detail, and more information will emerge on the government’s proposals over the coming months. We will closely monitor any proposed changes to the UK’s data protection regime, and are ready to advise clients on the implications that these may have on their use of personal data.