Series
Blogs
UK – Modest data protection reforms with a handful of big changes
UK – Modest data protection reforms with a handful of big changes
22 June 2022
Series
Blogs
22 June 2022
The Department of Digital, Culture, Media and Sport has released details of its proposed reforms to UK data protection laws following last year’s consultation.
The proposals set out a series of sensible, if relatively limited, changes to the law (summarised here). While the effect of these changes will vary from entity to entity, only a handful are likely to be significant for most UK businesses.
Some may be disappointed by the lack of significant deregulation, but others will be pleased by the continuity and stability these changes provide. In particular, the changes are unlikely to disturb the EU’s finding that the UK has adequate data protection laws.
The starting point for these reforms is Brexit. Following the UK’s departure from the EU, the UK incorporated the GDPR into national law to create the UK GDPR. The UK GDPR was subject to minimal changes to make it “work” post-Brexit, such as removing the Information Commissioner’s participation in the European Data Protection Board. The substantive obligations under the law remained largely unchanged.
The UK Government was, however, keen, to take advantage of Brexit to shape its own regulatory framework for data. The Taskforce on Innovation, Growth and Regulatory Reform published a report in June 2021 suggesting the UK GDPR should be scrapped and replaced with a UK Framework of Citizen Data Rights, though that was predicated on some unconventional views about the operation of the current framework.
This was followed by a detailed paper – Data: A new direction – issued by the Department of Digital, Culture, Media and Sport in September 2021 (discussed here). That set out a very detailed and well-thought-out series of proposals for reform to UK data protection laws. Following an extensive consultation, with 2,924 responses and over 40 roundtables, the Government has now issued its response and proposals for reform.
The key point is that the UK GDPR emerges largely unscathed. There is very little change to any of the key concepts, data protection principles, legal basis or many of the other building blocks to the law.
While the Government’s proposals for reform are detailed and wide ranging, the effect is likely to be relatively modest. There are a number of reasons for this:
The table here contains a detailed breakdown of these changes.
This means that for most UK businesses there are only a handful of really significant changes. These include:
The success of these reforms will be judged against three criteria. First, do they continue to deliver a high level of protection to UK citizens’ personal data? Secondly, is there a real benefit to UK businesses by removing excessive or inefficient regulation? Thirdly, will they preserve the EU’s finding that the UK’s data protection laws are adequate?
While the reforms score well on the first and third criteria, there is precious little by way of deregulation. The reforms will help clarify and streamline the law, and will remove some burdens, such as appointing DPOs, preparing DPIAs and maintaining RoPAs, but even these are largely replaced by equivalent obligations.
Why is this? Much of the answer comes from consultation responses. The vast majority of the respondents opposed any significant reforms to, or watering down of, the UK GDPR. Put differently, the rights in the UK GDPR are now so embedded there was little desire, even amongst some businesses, to move away from them.
Added to that is the fact that UK businesses that operate in the EU will have to continue to comply with the EU GDPR in any event, and more and more countries around the world are moving to a GDPR-style model.
Having said that, it is disappointing not to see smarter reforms capable of balancing each of the criteria above. For example, the UK could have distinguished between structured or unstructured electronic data in relation to subject access requests (unstructured electronic data being inherently very burdensome to handle in response to a request) or could have trimmed off some of the UK’s “gold plating”, such as the obligation to prepare an appropriate policy when processing special category personal data.
The elephant in the room is the risk the EU revokes its finding that the UK has adequate data protection laws. This could seriously disrupt data flows from the EU to the UK, which would lead to significant real-world effects.
The UK Government is very confident that these reforms will not endanger the UK’s adequacy status and, given their modest ambit, seems justified in its views.
However, the EU’s adequacy process is partly legal and partly political. From a legal perspective, it is possible a concerned EU citizen or body could bring a challenge in the CJEU. From a political perspective, the current standoff between the UK and the EU over Northern Ireland might escalate and push the EU Commission to re-scrutinise the UK’s data protection law. These reforms might provide the pretext for either challenge.
The final reform is a surprise. The Department of Digital, Culture, Media and Sport has suggested that the “Information Commissioner’s Office” may no longer accurately reflect the organisation's functions and it is “considering options for a new name for the regulator”.
No alternatives are suggested. Perhaps “The Office of the Data Authority” or “OfData”? One assumes that this will not be put to the public, though “Data McDataface” would certainly suggest the UK is shaping its own regulatory framework post-Brexit.