UK Data Reform Bill risks EU 'adequacy' agreement
Plans may see gov't take direct control of ICO guidance and appointments.
The UK government’s proposed Data Reform Bill could jeopardise the country’s EU adequacy status, and risks politicising the ICO, legal briefings have warned.
In last week’s Queen’s Speech, the government announced its general plans to overhaul GDPR to “establish a new pro-growth and trusted data protection framework” designed to shift the emphasis of the UK's data regime to become more ‘outcomes-focused’ and reduce burdens on UK businesses, allowing them to become more efficient and competitive”, among other goals.
But depending on the direction of the final bill, reform of the current GDPR framework brings with it significant risks, according to IT and data protection legal experts.
Law firm Addleshaw Goddard (AG) said in a briefing the proposed changes are currently “vague enough to be fairly innocuous”. But the briefing highlighted several aspects of the proposed Data Reform Bill which could cause problems – for businesses, consumers, and industry in general.
AG’s note said the proposals are broadly in line with last year’s consultation document: “Data: A new direction” – but as this was very broad, with more than 150 specific questions, it remains unclear which specific areas the bill will tackle.
Specifically mentioned in the Queen’s Speech were changes to the ICO, which, if they followed the consultation document, could see the body brought under direct government control. This could include making appointment of the ICO chief executive within the gift of government, and giving the secretary of state power to approve the ICO’s Guidance and Codes of Conduct.
“These proposals create the possibility of external interference in the operations of the ICO and could significantly impact its ability scrutinise governmental and public sector use (or abuse) of personal data,” said the AG briefing.
Can the UK retain adequacy?
Another key concern is if the UK deviates too far from GDPR, it may struggle to retain its “adequacy” status with the EU, allowing data to flow freely between UK and EU organisations. Uniquely, according to AG, the European Commission’s 2021 decision on the UK’s data protection adequacy includes a sunset clause, meaning it will expire in 2025, “for the specific purpose of guarding against future divergence by the UK”.
“Therefore, in seeking to ease the administrative burdens of compliance for businesses there is also a risk of sailing too close to the wind; should the UK's position change sufficiently for it to lose its adequacy status, this will create a significant and expensive compliance problem for businesses that routinely transfer personal data across borders,” warned AG.
BCS, the Charted Institute for IT, made a similar warning in its comment on the proposed Data Reform Bill. Dr Sam De Silva, chair of BCS’s Law Specialist Group and a technology and data partner at law firm CMS, noted “the devil will be in the detail” of the bill.
“Any material deviation the UK adopts in relation to data protection does risk its adequacy status so I hope there will be a detailed and objective analysis undertaken to assess whether the benefits from UK’s data reform outweigh the risks of not continuing to have an adequacy status,” he said.
AG noted other data protection regimes are not based on the GDPR model, instead using the “more risk-based” Privacy Management Programme approach favoured by the UK’s consultation.
“Although a great many of the data protection and privacy laws that have emerged since 2018 have borrowed heavily from the GDPR model, the adequacy decisions in favour of New Zealand, Canada and Argentina are proof that there is plenty of room for manoeuvre within the concept of “essentially equivalent protection’,” said the AG briefing.
See also: The EU’s Digital Services Act — what you need to know
Addleshaw Goddard acknowledged that GDPR has its “vocal detractors” and has a lot of scope for reform.
“There certainly seems to be a growing consensus that data laws and regulators should train their sights on the small number of operators who do more to undermine data protection than everyone else combined,” the AG briefing observed.
And De Silva noted that even if the widely-reviled cookie banners were abolished, organisations would still have to comply with UK principles on “lawfulness, fairness and transparency” when using cookies or similar technology.
“So whilst the change may mean it is easier to comply PECR (Privacy and Electronic Communications Regulations) and would reduce some of the current cookie consent requirements, it will be interesting to see the position in the Bill in relation to consent when cookies are used for marketing, real-time bidding or building profiles of users. The latter of course is where the majority of the tracking activity by organisations is done,” De Silva added.
There is of course the issue of whether the Data Reform Bill makes it to parliament this session. As the Institute for Government has noted, this year’s Queen’s Speech included 38 bills – by far the largest number recorded, and dwarfing the 30 bills in the 2017 speech, which was meant to cover two years.