NEWS19 May 2022

BCS warns government to not damage EU data agreement

Brexit Europe GDPR News Privacy Public Sector UK

UK – Changes by the UK government to the General Data Protection Regulation (GDPR) must protect the country’s data adequacy agreement with the European Union, said BCS, the Chartered Institute for IT.

EU data privacy abstract image

The warning from BCS comes as the government included proposed reforms to the GDPR in its recent Queen’s speech, with a mooted new Data Reform Bill to change the “highly complex” GDPR laws.

While details on the content of the proposed reforms are not yet publicly available, the government claims the changes will make things easier for businesses by creating a more flexible, outcomes-focused approach “rather than box-ticking exercises” while also introducing clearer rules around personal data use.

BCS has warned that any proposed changes should not contravene the UK’s data adequacy agreement with the EU, but said that the rumoured removal of cookie consent banners online could still be within the scope of the GDPR.

Since leaving the EU, the UK has retained the GDPR in domestic law as the UK GDPR, which sits alongside an amended version of the Data Protection Act 2018.

The key principles, rights and obligations have remained the same, but there are differences in rules on transfers of personal data between the UK and the European Economic Area.

In June 2021, a data adequacy agreement was ratified between the EU and UK which kept the UK’s existing data adequacy agreement in place and approved the UK’s data protection system and protocols for the transfer of personal data from Europe.

The European Commission introduced a four-year ‘sunset clause’ into its data adequacy agreement with the UK and stated it could withdraw the agreement at any time if the UK fails to appropriately protect EU citizens’ data.

Dr Sam De Silva, chair of BCS’ Law Specialist Group and a technology and data partner at international law firm CMS, said: “The devil will be in the detail – which we do not have sight of yet. If that detail reveals that the web cookie consent banners are to be removed, while that appears radical, organisations would still be required to comply with the UK GDPR principles on lawfulness, fairness and transparency when using cookies or similar technologies.

“So while the change may mean it is easier to comply PECR (Privacy and Electronic Communications Regulations) and would reduce some of the current cookie consent requirements, it will be interesting to see the position in the bill in relation to consent when cookies are used for marketing, real-time bidding or building profiles of users. The latter of course is where the majority of the tracking activity by organisations is done.

“Of course, any material deviation the UK adopts in relation to data protection does risk its adequacy status so I hope there will be a detailed and objective analysis undertaken to assess whether the benefits from UK’s data reform outweigh the risks of not continuing to have an adequacy status.”