Suggested UK data protection reforms
Whilst the content of the Data Reform Bill has not yet been produced, a key issue the Government looks to address is reducing the administrative burden that the UK GDPR places on organisations by removing the red tape around data use. The exact form and extent of the Data Reform Bill remain unclear at this stage; however, some of the important areas the Government is looking to address are noted below:
- Moving away from a ‘one-size-fits-all’ model: the Government has stated that the current structure of the UK GDPR places disproportionate burdens on organisations, giving the example of a small hairdresser having the same standard of regulation as a multi-million-pound company. Therefore, the Data Reform Bill will likely contain different standards for different organisations to ease this burden, particularly for smaller organisations.
- Focussing on privacy outcomes rather than ‘box-ticking’: this outcomes-based approach will likely see a change to things such as cookie banners, which rely on individuals simply ticking boxes to give their consent to cookies. Elizabeth Denham (the former Information Commissioner) stated that cookie banners create ‘cookie fatigue’, and individuals should be making meaningful, informed choices about their data rather than simply ticking boxes.
- Reforming Article 22 of the UK GDPR around automated decision making: currently the UK GDPR has a number of rules and regulations around automated decision making and profiling, for example when an organisation is hiring new employees. The Data Reform Bill will look to address this in the near future in recognition of the likely prevalence of this type of decision making, removing significant administrative burdens that currently exist for organisations.
It is clear that the Government is adopting a business-friendly approach by looking to ease the administrative constraints that the UK GDPR places on organisations in order to promote economic growth and efficiency. This is very much a positive for organisations that may no longer be bogged down with extensive and complex compliance requirements. Furthermore, the Data Reform Bill looks to simplify the regulatory environment around data privacy, giving organisations more clarity on their obligations, in turn reducing the risk of non-compliance.
Impact: rights of individuals and the UK’s data economy
Whilst these reforms are likely to be welcomed by businesses, the Government’s economic-facing reform may have an impact on the data rights of individuals. For example, the reform around automated decision-making could have an adverse effect on individuals, as artificial intelligence often has built-in bias which may lead to inadvertent discrimination, particularly in the context of employment-related decisions.
Under the current data protection regime, the level of protection for personal data is broadly the same in the UK as it is in the EU.
The Government must therefore be careful not to tip the scale too far in favour of businesses, as this could impact on the ‘adequacy’ of the UK’s data protection regime for the EU, which currently allows for data to flow freely between the two. The EU’s adequacy decision contains a ‘sunset’ clause, meaning the decision will expire in 2025 to account for the possibility of the UK’s further divergence from the GDPR post-Brexit. The proposed data reform could therefore lead to the EU withdrawing its adequacy decision for the UK, which, in turn, could lead to highly extensive and costly compliance obligations on businesses transferring data from the UK to the EU and vice versa.
Further considerations
The Data Reform Bill is currently in the very early stages, and it will likely be subject to much debate over the coming months, meaning that its final form is currently unclear. However, what is clear is that the UK’s data protection regime is undergoing significant change, meaning that organisations within the UK must keep up to date with its evolution, particularly in the context of data transfers to the EU.