The Data Protection and Digital Information Bill – designed to replace the General Data Protection Regulation (GDPR) in the UK – received its first reading in the UK House of Commons on 18 July 2022. This Bill now faces a long journey through parliament before it is introduced. How likely is it that the current draft will be the bill that passes?
Boris Johnson is now serving as the UK’s caretaker Prime Minister. Nadine Dorries, the Secretary of State for the Department of Culture, Media and Sport (DCMS) and the sponsor of the Bill, may not retain her role after he goes. There are also concerns in the privacy community that the bill moves too far from GDPR for the UK to maintain ‘adequacy’ with the EU, which allows for the unimpeded transfer of personal data. All of these issues could mean that the Bill changes or stalls as the process continues.
There are five stages in the House of Commons, five in the House of Lords and two final stages before the Bill is passed. These stages take varying amounts of time but are typically completed within a year. If the Bill does not pass before the next general election, it will lapse. The latest date for the next general election is 24 January 2025; however, the change of leadership could mean the election happens much sooner than this.
The Bill is designed around a series of goals which are aligned to the current administration’s objectives for Brexit, an agenda highly associated with Johnson. Leadership candidates include individuals to the left and right of the party, who are more and less Eurosceptic. Conservative grandees such as Michael Heseltine have told the media that, depending on who wins, the leadership contest could signal a change of direction for the UK’s relationship with Europe. If the new leader pivots towards a closer relationship with Europe, that could also affect the direction of the Bill.
So, what is currently proposed and what might be most likely to change?
DCMS recently published the results of its consultation on data protection in the UK, which underpins the Bill. The introduction to the document states: “The reforms proposed in the consultation provide an opportunity for the UK to reshape its approach to regulation outside of the EU”. It describes using “repatriated ‘adequacy’ powers… to remove inappropriate barriers to the flow of UK personal data overseas in support of trade, scientific collaboration and national security and law enforcement cooperation” and UK scientists “impeded by overcautious, unclear EU-derived rules on how they can use people’s personal data”.
The counterpoint to this is a description of “the wider bloc of like-minded, democratic economies which support greater interoperability of regulatory frameworks on data and more stable principles for trusted government access to data”.
This fits with a general orientation towards the Commonwealth and the United States, and away from Europe. With Europe’s GDPR the basis for many regulations around the world, and its reputation as the ‘gold standard’ for data protection, this move has been greeted with consternation by many privacy professionals, and it seems plausible to me that privacy campaigners will seize any opportunities afforded by a change of leadership to review this.
While there is no prospect of the Brexit decision being reopened, it is possible that the winning candidate may seek a different relationship with Europe that causes them to move back towards alignment with the GDPR. This may also be affected by the prospect of a global recession, where economic forecasts may make either the current orientation or a reorientation towards Europe more attractive.
The consultation states that “This government’s ambition on data is clear: we will establish the UK as the most attractive global data marketplace.” It then clarifies this by describing “a data rights regime which delivers not only economic benefits but wider societal benefits alongside personal benefits to citizens” and “reducing the burdens on businesses that impede the responsible use of personal data”.
Data-driven innovation is essential for countries to meet their most important strategic challenges, including the need to address climate change and population shifts. It appears that the government is hoping to make the UK attractive to innovative start-ups and for multinationals looking for a suitable location to develop and trial new data-driven innovations by reducing the compliance burden for early-stage development.
The change of leadership is unlikely to affect this objective, as data-driven innovation is such an important global priority. However, if a new leader chooses to revert to a more Europe-facing approach, some of the suggestions for varying away from GDPR may be dropped or changed.
For most organisations, the most significant implications are:
- The ability to define a bespoke approach to meeting data protection obligations, which may vary away from GDPR obligations such as the need to complete a DPIA (Data Protection Impact Assessment) according to a standard template
- For some organisations, the removal of the need to appoint a DPO (Data Protection Officer). This is replaced by the need to identify a senior responsible individual with responsibility for overseeing the privacy management programme
- Removal of the requirement to maintain records of processing activities in a prescribed format. This is replaced by the requirement to maintain personal data inventories
- Introduction of certain limited processing activities that will not require a full Legitimate Interest Assessment
- Changing the threshold for refusing a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’
- Allowing a limited number of non-intrusive cookies as a first step towards an alternative technical arrangement to replace the need for cookie banners
- Additional powers for the Information Commissioner’s Office (which may be renamed); enhanced transparency requirements around investigations; and the ability to extend the statutory deadline to issue a penalty following a notice of intent.
These changes only affect organisations for as long as the processing is limited to personal data relating to UK citizens within the UK. As soon as the scope expands, the local regulatory requirements will need to be met. This means that organisations seeking to use the UK as a test bed for innovation will need to create a bespoke approach to data protection for research and development, and a pathway to bring innovations in line with global policies as part of the rollout plan.
The senior responsible individual will need to have access to data protection expertise as required and is likely to need support to define this approach and pathway and to assure senior leadership that it is appropriate and fit for purpose. Any variation back towards Europe would move some elements from the rollout pathway to the test environment, simplifying rollout but potentially increasing the burden on projects that may not make it that far.
We have seen some commentary that suggests that organisations will see the UK as being soft on data protection. That is not Gemserv’s view, nor do we believe that a change of leadership will lead to the UK becoming soft on data protection. If the UK wants to encourage data-driven innovation to be developed here, it is essential that the data protection requirements are sufficiently robust, and so far the government has been clear that it recognises this.
We agree with the government that data-driven innovation is essential to deliver socially and environmentally valuable outcomes and hope that, whatever happens over the next few months, the Bill that emerges will help these essential new products and services to succeed.