New UK data protection law proposals

by

Government sets out response to consultation

Commentary

Following its September 2021 consultation on reform of UK data protection law, on 23 June 2022 the UK government published its response and proposals to move forward.

Whilst the proposals for a post-GDPR data protection law in the UK contain some sensible reforms and updates, it is clear that the proposals are also overtly political in the the sense that they are designed to demonstrate the benefit of post-Brexit regulatory divergence, but it is not entirely clear whether they achieve that aim.

The proposals strike a different balance from EU GDPR between protecting individuals’ right to privacy (less weight) and the interests of business (more weight). This has both drawn criticism from rights groups, and could (if individuals rights are not adequately protected) ultimately lead to the EU reconsidering its decision that the UK law provides adequacy protection to individuals data, and hence that personal data can be freely exported to the UK from the UK.

Proposals

The government has grouped its proposals into 30 headings across 5 broad areas:

  • reducing barriers to responsible innovation
  • reducing burdens on business and delivering better outcomes for people
  • boosting trade and reducing barriers to data flows
  • delivering better public services
  • reforming the regulator, ICO

A summary list of the proposals that the government plans to take forward can be found here. Amongst the more eye-catching proposals are:

  • making it easier to reuse personal data for a different purpose than it was collected for
  • changes to the automated processing rules so that individuals are entitled to safeguards, rather than opting-out
  • lowering the standard for data to be considered anonymised
  • removing the requirement for DPOs (although a responsible senior individual will still be required)
  • abolishing cookie opt-in banners
  • extension of soft opt-in marketing consent to charities and political parties
  • increasing constraints on nuisance calls
  • PECR fines to be aligned with UK GDPR fines
  • to encourage data export
    • measures to allow easier findings of country data adequacy
    • making it easier for data exporters to act pragmatically
    • allow recognition of alternative transfer mechanisms
  • reform of ICO, including requirement to have regard for government priorities

Next steps

The next step will the introduction of a Data Reform Bill into parliament, but no date has yet been set.