NEWS17 June 2022

Data reform bill proposes GDPR changes

Brexit GDPR News Privacy Public Sector UK

UK – The government has published a data reform bill to change the UK’s data laws post-Brexit, including new powers for the Information Commissioner’s Office (ICO) and a relaxation of some requirements of the UK General Data Protection Regulation (GDPR).

GDPR abstract image

The bill, which was launched as part of London Tech Week, will also provide tougher fines for nuisance calls and a reduction in bureaucracy and paperwork as part of the government’s desire to change data laws to “seize the benefits of Brexit”.

The UK has a data adequacy agreement with the EU that was agreed last year to maintain data transfers between the two economic entities post-Brexit.

However, the European Commission introduced a four-year ‘sunset clause’ into data adequacy agreement and stated it could withdraw the agreement at any time if the UK fails to appropriately protect EU citizens’ data.

As part of the UK reforms, the bill will seek to cut down on the number of ‘user consent’ pop-ups and banners on websites through an opt-out model for cookies, with the government committing to working with the industry and the regulator to ensure technology is effective and readily available before introduction.

Fines will be increased for nuisance calls and texts, as well as other serious data breaches under the UK’s Privacy and Electronic Communications Regulations (PECR), with the aims of preventing companies from contacting people for marketing purposes without consent.

The ICO will be modernised to have a chair, chief executive and a board, in addition to clearer strategic objectives to uphold data rights and encouraging the responsible use of personal data, but with greater emphasis on growth, innovation and competition.

The ICO will be required to set up a panel of experts in relevant fields when developing each piece of statutory guidance, with the secretary of state also needed to approve ICO statutory codes and guidance before they are presented to parliament.

Businesses will be granted more flexibility in how they manage data risks, including whether some organisations, such as small businesses, require a data protection officer and to undertake impact assessments.

Organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data, according to the government.

The Data Reform Bill will more clearly define the scope of scientific research and give scientists clarity about when they can obtain user consent to collect or use data for broad research purposes.

The government stated this would remove the need for them to have the ultimate purpose of their research project finalised before collecting data, for example, allowing people to provide consent for their data to be used in ‘cancer research’ rather than a particular cancer study.

Data-driven trade generated nearly three-quarters of the UK’s total service exports in 2019 and generated an estimated £234bn for the economy, and the government said it would seek data adequacy deals with priority countries, including the US, Australia, the Republic of Korea and Singapore.

Digital secretary Nadine Dorries said: “Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.

“Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.”

John Edwards, UK information commissioner, said: “Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society.

“The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.”

Chris Combemale, chief executive at the Data & Marketing Association (DMA), said: “The DMA strongly supports the government’s proposed reforms, which will establish a better balance between data-driven innovation, economic growth and privacy protections across the UK.

“A number of issues that the DMA community highlighted in our consultation response have been addressed by the government, which will enable further innovation in customer engagement, especially for charity fundraising.

“However, not every recommendation made by our member organisations has been adopted, so we will continue to seek greater clarity in the final legislative texts around the use of legitimate interests.”