Data Reform Bill: Is the UK painting itself into a corner?

• The UK’s data protection regime remains very much a part of the Government’s plans and a new Data Reform Bill is expected to surface during the summer.
• Tougher fines for firms hounding people with nuisance calls and a clampdown on bureaucracy and “red tape” are part of reforms to transform the UK’s data laws.
• The UK claimed the “highly complex EU GDPR” has held back many organizations from using data as dynamically as they could.

After the United Kingdom (UK) left the European Union (EU), the former was quick to voice out its disagreement with the rules that require companies to protect personal data. For the British administration, the EU’s General Data Protection Regulation (GDPR) has its flaws and above all, it was cumbersome. The UK government has remained adamant on removing the “pointless bureaucracy” and “box ticking” of the GDPR for businesses in the UK. Its plans to reshape the UK’s data laws eventually gave birth to the proposed Data Reform Bill.

During the state opening of parliament in May, the Prince of Wales announced the government’s intention to reform the UK’s current data regime, which comprise the UK GDPR and the DPA (Data Protection Act 2018). According to the official briefing around the Queen’s speech, reforming the UK GDPR and DPA 2018 should “create over £1 billion in business savings over 10 years by reducing burdens on businesses of all sizes”, such as “excessive paperwork” and other obligations that have “little benefit to citizens”.

On September 10, 2021 the UK’s Department for Culture, Media and Sport (DCMS) published a consultation document entitled “Data: a new direction (Consultation)”, calling for views on a number of proposals that could bring change to the UK’s data landscape. Consultation closed on November 19, 2021 and the outcome has been published.

In essence, it seeks to lessen the administrative burden on organizations, while maintaining an “adequate level” of protection for individuals’ rights.

What would the Data Reform Bill mean for UK businesses?

Law firm Addleshaw Goddard (AG) said in a briefing the proposed changes are currently “vague enough to be fairly innocuous”. But its briefing highlighted several aspects of the proposed Bill which could cause problems – for businesses, consumers, and industry in general. In particular, AG said the proposals remain as broad as those defined in “Data: A new direction” so it remains unclear which specific areas the bill will tackle.

A key concern is that should the UK deviate too far from GDPR, it may struggle to retain its “adequacy” data status with the EU, needed to allow data to flow freely between UK and EU organizations. The European Commission’s 2021 approval of the UK’s data protection “adequacy” includes a sunset clause making the status expire in 2025, “for the specific purpose of guarding against future divergence by the UK”. Stray too far from the GDPR, then, and data links with the rest of Europe will be cut – with consequences for every industry.

“Therefore, in seeking to ease the administrative burdens of compliance for businesses there is also a risk of sailing too close to the wind; should the UK’s position change sufficiently for it to lose its adequacy status, this will create a significant and expensive compliance problem for businesses that routinely transfer personal data across borders,” warned AG.

BCS, the Chartered Institute for IT, made a similar warning in its comment on the proposed Data Reform Bill. BCS’s Law Specialist Group chair Sam De Silva emphasized that “the devil will be in the detail” of the bill. “Any material deviation the UK adopts in relation to data protection does risk its adequacy status so I hope there will be a detailed and objective analysis undertaken to assess whether the benefits from UK’s data reform outweigh the risks of not continuing to have an adequacy status,” he said.

In a report by The Register, experts were quoted stating that the new data law approach will result in many large companies that operate both in the EU and the UK to comply with two regimes. As it is, businesses had already “done a huge amount of work and spent a lot of money” complying with GDPR.

“Companies with a footprint in the EU and UK will not welcome proposals to diverge from GDPR. If the UK just goes on its own and tries to do something different from the EU it is going to be much more expensive for them. I don’t really see that data protection companies are hungry to do something different from GDPR,” she said.