What’s this all about?
As part of a general announcement of what it plans to legislate on in the near future, the UK government said that “[t]he United Kingdom’s data protection regime will be reformed [Data Reform Bill].”
What might this mean?
At this stage, given that nothing more has been said in the announcement about the UK government’s reform plans, we can at best only speculate on what may come.
Politically, the government wants to be seen to move away from EU legislation, i.e. EU GDPR – currently, post-Brexit, the UK has its own version of EU GDPR, called UK GDPR, which, apart from a few elements, is in substance very close to EU GDPR.
Last year a UK government department, the Department for Digital, Culture, Media & Sport, undertook an official consultation exercise to look into various possible changes to make to the existing UK data protection regime (https://www.gov.uk/government/consultations/data-a-new-direction). The eventual outcome of this consultation (expected soon) is likely to form the basis of some possible changes, but the Data Reform Bill could well contain more proposed changes, e.g. to the cornerstone of the UK data protection regime the Data Protection Act 2018.
How much of a move away from EU GDPR might there be?
The UK government wants there to be lighter data protection regime, notably for businesses. But how realistic might this be?
Organisations have put considerable resources into being GDPR compliant over recent years and so those organisations with more than just UK operations may prefer to stay with their present one-size-fits-all model, or at least as close as possible to that.
In the summer of 2021 the EU adopted two so-called adequacy decisions for the UK, including one under EU GDPR (which we’ve written about here https://www.corderycompliance.com/eu-dpa-decisions-approved/) which allow for ease of data transfers from the EU to the UK. Certain proposed changes to the UK data protection regime could put the adequacy decisions at risk – bear in mind also that the adequacy decisions contain so-called “sunset clauses” meaning that the adequacy determinations will have to be reviewed in now a bit less than three year’s time in any event.
Privacy activists can also be expected to be vocal in order to prevent any watering down of GDPR, and if they don’t like what eventually comes out of the Data Reform Bill they may choose to mount legal challenges.
For the sake of clarity, there is no new UK data protection law just yet – the data Reform Bill will first need to be published and then go through the UK Parliament, which may take some time.
Organisations shouldn’t hold their breath just yet about any possible radical changes either.
UK data protection law has a long history, predating both EU GDPR and the EU data protection rules before that having first come into existence in 1984. Any changes should best build on the UK’s data protection experience, i.e. evolution and not revolution.
EU GDPR will also still apply in many situations even if the UK data protection regime changes e.g. where a UK business has customers overseas or where a US business employees people in the EU and in the UK.
We have written about recent data protection changes in the UK (concerning data transfers) including here: https://www.corderycompliance.com/datatransfers-ukdates/.
We report on data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The Queen’s Speech setting out the government’s legislative plans can be found here: https://www.gov.uk/government/speeches/queens-speech-2022
We report about compliance issues here: https://www.corderycompliance.com/news/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|