The Data Reform Bill

A first taste of a post-Brexit data reform.

The government will be introducing a Data Reform Bill, as announced in the Queen’s Speech on 10 May, hoping to deliver a National Data Strategy that creates “an ambitious, pro-growth and innovation-friendly data protection regime”. The bill will reform the existing UK data protection regime that was retained from the European Union following Brexit (the GDPR) and aims to shift data protection legislation to focus more on risk-based outcomes.

According to the background briefing papers, the Bill will take advantage of the freedom given by Brexit and create a world-class data rights regime that “will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK”.

Details have not been published yet, but a consultation from the Department for Culture, Media and Sport (DCMS) from last year as well as the briefing notes from the Queen’s Speech provide some insight into the proposed scope. Additionally, the ICO has issued a response to the DCMS’s consultation last October stating that while they are supportive of the review and its intent, “the devil will be in the detail. It will be important that Government ensures the final package of reforms clearly maintain rights for individuals, minimise burdens for business and safeguard the independence of the regulator.”

The main points are likely to include:

  • Removing compliance obligations that are seen as “burdens on businesses”

This may include removing cookie banners for relatively benign uses of personal data as well as removing the existing requirement to have a designated data protection officer and the reporting of a breach if there is no material risk to an individual. These changes would all have the aim of creating a more risk-based accountability framework based on private management programmes. The ICO, while welcoming the proposal generally, has pointed out that organisations should still be held accountable and should still be required to demonstrate accountability.

  • Making it easier for business to use personal data for innovation and research

The government proposes combining provisions in the UK GDPR and the DPA 2018 to reduce complexity. It is also considering publishing a limited list of legitimate interests which organisations could rely on to use personal data instead of having to carry out the current test to balance the organisation’s interests with those of the data subject. However, a balancing test would still be required for processing not covered by the published list or if children’s data was involved.

  • Delivering better public services

This would facilitate the sharing of citizens’ data by government departments to “improve the delivery of services”. While some of the suggestions, such as compulsory transparency reporting on the use of algorithms in decision-making by public authorities, are welcomed by the ICO, others are treated more cautiously, such as the proposal that private companies be able to rely on a public body’s lawful ground for processing when carrying out a task for that body.

  • Reforming the Information Commissioner’s Office (ICO)

The ICO is the UK’s data privacy regulator. The Bill may seek to modernise and strengthen its role and roll back the requirement for organisations to report – the nature and volume of reports and complaints the ICO receives have increased in recent years and the government wants to encourage a more proportionate approach.

The draft Data Reform Bill is likely to be based on the DCMS’s proposals as well as the results of its consultation and it is likely to favour some deregulation of data privacy. At this stage we can only speculate about how far the deregulation will go, but if the UK goes too far it could jeopardise the renewal of the EU’s adequacy decision allowing the free flow of data between the EU and the UK (the current EU decision lasts only until June 2025).

If you have any questions arising from this article or about data protection more generally, please email [email protected].