A departure from the GDPR and the promise of a more flexible approach to the management of data risks
UK plans to establish new data laws for the digital age: The Government has published its response to a September 2021 consultation, which aims to harness the power of data to help British businesses trade abroad, and boost the UK’s position as a science and technology superpower. It sets out how the Data Reform Bill (announced in this year’s Queen’s Speech) will strengthen the UK’s already high data protection standards, empower the country to strike new data partnerships, and fuel the responsible use of data by providing clearer definitions on how consent is obtained for research. The reforms will also modernise and grant new powers to the Information Commissioner’s Office (ICO), allowing it to better help firms comply with the law.
Reforms intended to overcome the shortcomings of the EU’s GDPR: According to DCMS, the Data Reform Bill is an important step forward for a post-Brexit Britain, which will ensure that people can control their personal data, while preventing companies, researchers and civil society from being held back by “a lack of clarity and cumbersome EU legislation”. It bemoans an over-reliance on ‘box-ticking’ and unnecessary burdens on small businesses and startups since the UK adopted the General Data Protection Regulation (GDPR) four years ago, proposing a more flexible approach to the management of data risks. The new bill will also update Privacy and Electronic Communications Regulations (PECR) rules to minimise the number of ‘user consent’ pop-ups and banners for cookies, and will increase financial penalties for nuisance calls and texts and other serious data breaches to up to 4% of global turnover or £17.5m, whichever is greater.
But they give way to the prospect of divergent regulatory structures: The ICO supports the proposed changes; however, as previously noted, a departure from the GDPR could disrupt the trade agreement struck with the EU in 2020, which partly relies on the UK retaining adequacy with the GDPR. The UK tech sector previously spoke in favour of retaining adequacy with the GDPR in order to have easier access to the European market. While DCMS considers its proposals do not place adequacy under threat, some stakeholders – many of whom will have invested significant sums to be GDPR-compliant – have voiced concerns as to what the Data Reform Bill means for cross-border data flows and the prospect of trade barriers, as well as for privacy under an opt-out model of consent for cookies. Nevertheless, with data-driven trade generating nearly three quarters of the UK’s total service exports and an estimated £234bn for the economy in 2019, the Government clearly thinks the potential prize is worth the risk.