Government consults on changes to UK data protection regime
On 10 September 2021, the Government launched a public consultation on potentially wide-ranging reforms to UK data protection and privacy laws.
When the UK left the EU, the EU’s General Data Protection Regulation (the “EU GDPR”) effectively became part of UK law. The European Commission then granted an ‘adequacy decision’ in relation the UK which, at present, allows the free flow of data between the UK and the EU.
However, the Government’s view is that some aspects of the UK’s current data protection regime are too complex and/or too vague, and place a disproportionate burden on businesses, particularly start-ups and SMEs. So the rationale for the proposed changes is to try to make life easier for businesses – especially smaller businesses – from a compliance perspective, without undermining consumer confidence in how our personal data is used by businesses. Not an easy proposition.
On top of that, any material departure from the EU GDPR could impact the UK’s current ‘adequacy decision’ and so restrict the free flow of data between the UK and the EU. As such, the proposed reforms will need to strike a delicate balance between delivering a standard of data protection and privacy that is the same as the EU GDPR, while at the same time reducing the compliance burden for businesses. It remains to be seen whether that will be possible.
The consultation will focus on 5 key objectives:
- Removing barriers to innovation: data is key to the growth of the UK economy. The Government feels some areas of current law prevent or restrict responsible innovation in data-driven technologies.
- Reducing the compliance burden: existing UK data protection and privacy laws are prescriptive – businesses must perform certain actions to be compliant. In the Government’s view, this has created a ‘box-ticking’ regime which doesn’t differentiate between businesses of varying types and sizes.
- Facilitating international data flows: the Government wants to work with international partners to remove unnecessary obstacles to cross-border data flows. This is in line with the Government’s ambition for the UK to be a leader in digital trade and a key data marketplace in the global economy.
- Improving public services: the Covid-19 pandemic has highlighted the importance of sharing data between the public and private sectors. But the Government also recognises that there are still problems with how, for example, public health data can be safely collected, used and shared.
- Reforming the Information Commissioner’s Office: the Government want the ICO to move away from addressing low-level complaints and focus on (i) encouraging responsible data use by businesses and (ii) resolving more serious threats to the level of public trust in how consumer data is used.
The Government will gather evidence and information, during the consultation period, to evaluate the basis for changing the UK’s current data protection and privacy legislation. It is estimated the proposed reform package could have a net economic benefit of more than £1billion over the next decade.
However, the Government is also very keen to emphasise that:
- if some or all of the proposed changes do become law, businesses that currently comply with the UK’s data protection regime should remain largely compliant (except for a small number of new requirements); and
- the protection and security of an individual’s personal data will continue to be the priority.
The deadline for participating in the consultation process is 19 November 2021. If you would like to participate, or if you would like advice on data protection issues generally, please contact Matthew Miller or Tim Lucas in our Corporate and Commercial team.