UK Data Protection Reform Bill Announced in 2022 Queen’s Speech

The 2022 Queen’s Speech, delivered May 10 to mark the State Opening of Parliament, included the UK government’s announcement of its intention to reform the data protection regime of the United Kingdom. The proposed Data Protection Reform Bill is expected to introduce significant changes to the UK GDPR and the Data Protection Act 2018. It follows the UK government’s stated intention to create a more business-friendly data regime that promotes growth and innovation. Specific details are yet to be confirmed, however if the bill results in significant divergence from the EU data protection regime, the UK risks losing its EU adequacy finding. This would restrict data transfers from the EU to the UK, a detriment to business which could outweigh the bill’s benefits.

Background

The Department for Digital, Culture, Media and Sport (DCMS) announced its intention to deliver a more business-friendly data protection regime in September 2021, with the launch of its consultation paper Data: A New Direction. The consultation paper stated the UK government’s ambition of “unleashing data’s power … for the benefit of British businesses.” The consultation closed on November 19, and the government is expected to publish its findings in the coming weeks.

In January 2022, the new UK Information Commissioner, John Edwards, commenced his term with a clear mandate to protect individuals’ data rights while taking “a balanced approach that promotes further innovation and economic growth.” This mandate is in line with the UK government’s ambition to deliver “a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK.”

Overview of the Data Reform Bill

There are limited details available on the Data Reform Bill, however a Lobby Pack published by the Prime Minister’s Office on 10 May provides the following overview:

The purpose of the bill is to:

• Take advantage of Brexit to create “a world class data rights regime that will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.”
• Modernize the Information Commissioner’s Office, ensuring it has the capabilities and powers to take stronger enforcement action against organizations who breach data rules, while making it more accountable to Parliament and the public.
• Increase industry participation in Smart Data Schemes which will give citizens and small businesses more control over their data. It will also assist people needing health care treatments by helping improve appropriate access to data in health and social care contexts.

The main benefits of the bill would be:

• Increased competitiveness and efficiencies of UK businesses “for example by creating a data protection framework that is focused on privacy outcomes rather than box-ticking.” It has been suggested this could include abandoning cookie consent banners (though privacy advocates might argue this ‘red tape’ gives people the choice to opt-out of being tracked online).
• Empowering citizens and improving their lives via more effective delivery of public healthcare, security and government services.
• Creating a clearer regulatory environment for personal data use that will fuel responsible innovation and drive scientific progress.

The bill seeks to ensure that UK citizens’ personal data is “protected to a gold standard while enabling public bodies to share and improve the delivery of services.” It will apply across the UK, with some measures extending and applying in England and Wales only.

The government claims that the UK GDPR and the Data Protection Act 2018 are highly complex and prescriptive. It argues that they encourage excessive paperwork and create burdens for businesses with little benefit to citizens. According to DCMS, the proposed reforms will result in business savings of £1bn over a 10-year period and “a £27.8 billion uplift in UK GDP.”

EU Reaction

Reports suggest that there is concern in the EU that the UK could diverge from the standards of the GDPR. This could have significant consequences. The GDPR and the UK GDPR both prohibit the transfer of personal data to ‘third countries’ that do not ensure an adequate level of protection of personal data. Under the GDPR, a third country is a country outside the European Economic Area (EEA), while the UK GDPR defines a ‘third country’ as a country outside the UK.

The UK became a ‘third country’ for the purposes of the GDPR when it formally left the EU on December 31, 2020. In June 2021, the European Commission made an adequacy finding regarding the UK, which enabled the free flow of personal data to continue. However, the adequacy decision will automatically expire in 2025 and renewal will be contingent on the UK maintaining data protection standards that are comparable to those of the EU.

Brussels has reportedly expressed concerns around the UK’s stated desire to establish new data flows with countries including the US, Australia, South Korea, and Singapore. This could result in EU citizens’ personal data being transferred to countries with inadequate privacy regimes. Minor reforms that do not materially jeopardize individuals’ rights are unlikely to be a concern. However, any UK deregulation that could result in EU citizens’ rights being significantly eroded could potentially result in the European Commission withdrawing the UK’s adequacy.

Conclusion

The Data Reform Bill promises much, maintaining a “gold standard” of data protection for citizens, while fostering a pro-growth, pro-innovation environment for business. The extent to which the UK government achieves these apparently conflicting aims remains to be seen. All will be revealed in the text of the bill, to be published later this year, and in the government’s response to its consultation on proposed data protection reforms, which is expected in the coming weeks.  

© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.