The government has announced significant proposed reforms to data privacy laws in the form of a Data Reform Bill, which was introduced into Parliament on 18 July 2022.
The Bill, part of the UK’s National Data Strategy, aims to improve on the UK’s current data protection standards whilst minimising the administrative burden of requirements on businesses in the UK.
We look at key aspects of the Bill, which originated from a government consultation, the response to which came out earlier this year.
Part of the Bill focuses on reducing ‘consent fatigue’.
Websites will use an ‘opt-out’ rather than ‘opt-in’ model for cookie consents and the onus for protecting data will be on users to alter their own browser settings to better protect their data. This means accepting cookies each time you enter a new site may be a thing of the past!
There will also be greater financial penalties for nuisance calls, texts, and certain data breaches where no consent has been given for such marketing. For example, fines will now be brought in line with current UK GDPR guidelines: the higher of up to 4% of the company’s global turnover or £17.5 million.
The Bill aims to modernise the Information Commissioner’s Office (ICO) including extending its legal remit, clarifying its framework for decision-making, and building out its leadership to enhance its reputation internationally.
The proposed board of the ICO will be entirely independent and consist of a chair, chief executive, and other board members. The Bill also proposes greater accountability of the ICO to the public and the government. The ICO will also be expected to consider in future decision making:
In addition, the ICO will be expected to set up expert panels in relevant areas when developing statutory guidance.
The Bill seeks to limit the definition of “data protection” to only include situations where:
The Bill also proposes removing the requirement:
The Bill has removed previous restrictions on automated decision making. It proposes to allow for solely automated decision making in relation to significant decisions where appropriate safeguards are in place, including the right to human intervention. There is not yet clarity as to what would constitute a “significant” decision in this context.
Whilst data privacy laws will need to remain at the standard imposed by the EU GDPR to facilitate effective data transfer between the UK and EU, the Bill also seeks to strengthen data transfers with trade areas outside the EU. The Bill puts forward an autonomous UK international transfer regime in lieu of the current EU-aligned regime.
The UK has highlighted high target jurisdictions where adequacy decisions will be prioritised. These include the US, Australia and Singapore. On 5 July 2022, the UK announced that it had reached a data agreement with the Republic of Korea, which it hopes will create a new age of digital trade between the two nations.
The proposed reform aims to encourage at-home scientific innovation by offering further clarity as to how data can be used for research purposes.
The Bill removes some of the tick boxes before scientists can collect data, by removing the need for granular specification of the ultimate purpose of any research before it can begin.
The Bill also suggests clarifying the standard to which data should be anonymised to be relevant to each situation and the extent to which any data can be reused for further research.
There is a substantial risk that the Bill will jeopardise the UK’s adequacy decision with the EU, which facilitates free data flow between the UK and EU. For instance, the Law Society has aired reservations that the approach is too focussed on business and innovation, which may be to the detriment of individual rights and protection.
The data rights activist body Open Rights Group has described the Bill’s restriction of data subjects’ rights as “substantially incompatible” with the EU GDPR.
As a result, we expect ongoing discourse between the EU and UK to resolve these issues.