UK: Unpacking proposed national reforms in data protection
On 10 May 2022, the UK Government announced in Her Majesty's Most Gracious Speech To Both Houses of Parliament ('the Queen's Speech')1 a series of legislative changes which provide important data protection law, digital, human rights, and Brexit-related developments.2 The coming changes will be significant and require organisations to factor them into their legal risk assessments/planning. Paula Barrett, Liz Fitzsimons, and Jean-David Behlow, from Eversheds Sutherland (International) LLP, give an overview of the Government's data protection and IT proposals.
Data Reform Bill
The Government announced that the "UK's data protection regime will be reformed". It will introduce a Data Reform Bill (yet to be published) and has set out some of the driving principles behind the reform which are in line with the Government's National Data Strategy.3
The Data Reform Bill wants to simplify the current UK data protection regime (which would be based on privacy outcomes), 'give stronger rights and powers to consumers and citizens, place proper responsibility on companies using data, and free up data for innovation and in the public interest', create a 'world class data protection framework', 'reduce burdens on businesses', 'boost the economy', foster 'responsible innovation', and 'drive scientific progress'.
The Data Reform Bill also wants to modernise and reinforce the capabilities of the Information Commissioner's Office ('ICO'), while making it more accountable to Parliament and the public. It remains to be seen how this will materialise, without diminishing its independence, and whether the ICO will have appropriate resources to undertake its functions and enforce its powers.
Though the briefing notes of the Queen's Speech set out some laudable objectives, the actual text of those changes has yet to be published. In the interim, the 'Data: A New Direction Consultation'4, issued in September 2021, set out quite a lot of information about the extensive range of changes which the Government has in mind. The response to the consultation, published on 17 June 2022, confirms (in line with the content of the Queen's Speech) the strong desire to push ahead on many of those points consulted upon.5
To reform the UK data protection regime, the Government will 'take advantage of the benefits of Brexit' and the Brexit Freedoms Bill to end the supremacy of EU law over UK law. While the current UK General Data Protection Regulation (Regulation (EU) 2016/679) ('UK GDPR') broadly follows the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), it will be interesting to see how far the UK will want to differ from the GDPR, and the potential impacts on the UK adequacy status, the equivalent to the EU-US transatlantic framework for UK transfers to the US (if agreed at all), and the relationship between the ICO and the other EU data protection regulators. Whilst most commentary has focused on fears of loss of the EU adequacy decision in favour of the UK, change to the UK data protection regime does not de facto mean the loss of the adequacy decision – it's worth remembering that the EU has made an adequacy decision in favour of several countries whose laws are not a carbon copy of the GDPR.
Other important legislative changes
This was a Queen's Speech with a banquet of legislative change for those advising on data strategy. The Data Reform Bill and Brexit Freedoms Bill are important courses, but there are several others to be digested, and some might have even bigger long-term impacts. The Government will introduce a series of other bills which will impact the wider digital economy and reinforce the UK's ability to pull away from European laws following its departure from the EU. Organisations which conduct business online, social media platforms, and companies operating in the IT and communications space will need to look at the proposed changes very closely.
We have selected examples of bills which are likely to be significant including:
- the Draft Digital Markets, Competition and Consumer Bill which wants to 'give consumers more choice and control over data' (in line with the Data Reform Bill);
- the Product Security and Telecommunications Infrastructure Bill which proposes to 'improve cyber resilience and […] ensure that digital and smart products are secure against cyberattacks'. It requires that manufacturers, importers, and distributors of smart devices comply with minimum security standards. This bill will need to be looked at alongside the data protection regime, including the data minimisation requirements of the GDPR. The Government released a call for evidence about the use of connected and smart technology in the home, the workplace, and cities.6 The terms ask whether existing frameworks (like data protection legislation and the Product Security and Telecommunications Infrastructure Bill) adequately address concerns with smart technology. Responses must be submitted before 23 June 2022; and
- the Online Safety Bill, which affects technology companies and social media platforms, should improve online protection for users (especially children), whilst protecting freedom of expression. There's a clear intention to make organisations responsible for their users' safety online.
A Bill of Rights will be introduced to ensure that the UK human rights framework 'meets the needs of the society it serves and commands public confidence'. The underlying stated objective is to 'restore the balance of power between the legislature and the courts' and 'restore some common sense'. The intended benefits of this include 'defending freedom of speech … enhancing public debate', and 'curbing the incremental expansion of a rights culture' to ensure it has 'proper democratic oversight' and stops displacing 'due focus on personal responsibility and the public interest'.
The Ministry of Justice's ('MoJ') consultation on the 'Human Rights Act Reform: A Modern Bill of Rights'7 sets the scene in more detail. This will have implications not only for human rights but also for individual fundamental rights relevant to data protection, as well as decision-making when balancing private rights (to privacy and confidentiality) compared to public rights to access relevant data, such as from public authorities under transparency legislation. The ICO's published response to the MoJ consultation8 included commentary on how the changes could impact the UK's adequacy status.
Change is a constant in the world of data strategy and compliance, but the pace in the UK is going to be significant. To make sure you understand the fuller picture, it is going to be important to track the package, not just one element. Read together, there is a lot to come and to be debated in Parliament, and organisations should keep a close eye on the various reforms in order to prepare for potential changes.
Paula Barrett Partner, Global Co-lead of Privacy and Cybersecurity
Liz Fitzsimons Partner, Privacy and Cybersecurity
Jean-David Behlow Senior Associate, Privacy and Cybersecurity
Eversheds Sutherland (International) LLP, London
1. Available at: https://www.gov.uk/government/speeches/queens-speech-2022
2. See the briefing notes of the Queen's speech for further details, available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1074113/Lobby_Pack_10_May_2022.pdf
3. Available at: https://www.gov.uk/guidance/national-data-strategy
4. Available at: https://www.gov.uk/government/consultations/data-a-new-direction
5. Available at: https://www.gov.uk/government/consultations/data-a-new-direction/outcome/data-a-new-direction-government-response-to-consultation
6. See: https://committees.parliament.uk/work/6686/connected-tech-smart-or-sinister/
7. Available at: https://www.gov.uk/government/consultations/human-rights-act-reform-a-modern-bill-of-rights
8. Available at: https://ico.org.uk/about-the-ico/consultations/ministry-of-justice-consultation-human-rights-act-reform-a-modern-bill-of-rights/