Data Reform Bill Announced in Queen's Speech
Published: May 12th, 2022
7 min read
Background
During the Queen's Speech on 10 May 2022, the government announced it was introducing the Data Reform Bill to enable the UK to reform its data protection regime and deviate from EU rules established by the EU's General Data Protection Regulation (EU GDPR).
Following Brexit, the UK introduced the 'UK GDPR' which broadly implemented the provisions of the EU GDPR. The government now wishes to take advantage of Brexit and has stated that the purpose of the Bill is to:
Create a world class data rights regime that will allow for the creation of a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate, and improves the lives of people in the UK;
Modernise ICO, making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public; and
Increase industry participation in smart data schemes, which will give citizens and small businesses more control of their data, and help those who need healthcare treatments, by helping improve appropriate access to data in health and social care contexts.
Reform of the Current Data Protection Regime
The text of the Bill has not yet been published so we are unable to comment on the exact reforms that are included within the Bill. However, the Bill follows the government's consultation on data protection reform which closed in November last year. The reforms proposed included removing the following obligations from data controllers to:
Appoint a data protection officer;
Conduct data protection impact assessments;
Consult with the Information Commissioner in relation to high-risk processing; and
Prepare records of processing activities.
Details of the full reforms proposed are set out in the Consultation which is available to view here - https://www.gov.uk/government/consultations/data-a-new-direction
Comment
As yet the detail of the Bill is unknown as it has not yet been published. Whilst the intention behind the Bill is to reduce red-tape, it is difficult to see how the administrative burden will be reduced for organisations, particularly if the organisation has customers located in both the UK and the EU. Any significant departure from the existing data protection regime would mean organisations may have to run two separate data protection regimes - one for customers located in the UK and one for customers located in the EU. It also raises concerns for the EU's decision to grant the UK adequacy for data flows from the UK to the EU.
We will publish further information once the text from the Bill is made available.