Reform of data protection law takes centre stage

Lucy Trevelyan, Wednesday 24 August 2022

The UK government has put forward reform proposals designed to reduce the data protection burden currently placed on business, while ensuring that consumers remain protected. In-House Perspective reports on the possible implications for in-house lawyers.

The UK government put forward in July its Data Reform Bill, which, post-Brexit, will make changes to the country’s data protection regime. In doing so, the UK will move a step away from the EU General Data Protection Regulation (GDPR), which it implemented in 2018 through the Data Protection Act and which was then amended by the Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019 to create a domestic data protection law, referred to as the UK GDPR.

Some of the key changes the UK has proposed include removing the UK GDPR’s prescriptive requirements on data risk management and replacing them with an outcomes-based system; modernising the UK’s regulator in this area, known as the Information Commissioner’s Office; introducing tougher fines for nuisance marketers; replacing opt-in cookie collection with an opt-out system; clarifying definitions on how consent is obtained for research; and introducing rules to enable freer data flows to overseas countries.

If passed, the Data Reform Bill is unlikely to be a new piece of legislation in and of itself, and instead will be implemented through amendments to the UK GDPR, the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018.

The government’s intention is that some of the regulatory burden of complying with the UK GDPR is lessened, says Julian Hamblin, Vice Chair of the IBA Technology Law Committee and a partner at Trethowans in the UK, although the question is whether businesses that have to comply with both the UK GDPR and EU GDPR – due to where they operate – will see any benefit at all or even find compliance more complex as a result.

‘For example, some international businesses may find it simplest to continue to carry out Data Protection Impact Assessments’ – which are replaced under the Data Reform Bill – ‘and maintain their current cookie practices regardless of the changes rather than adopting two different processes for the UK and the EU aspects of their business,’ says Hamblin.

The government has talked an ambitious game, but in reality, its response has been somewhat muted, says Adam Rose, Chair of the IBA Data Protection Governance and Privacy Subcommittee and a partner at Mishcon de Reya. ‘At its best, the proposed changes will help the UK become a more important science and technology centre – whether the changes go far enough in themselves to achieve that is untested.’ 

‘The government is also keen to make clear that data subjects will continue to enjoy a level of data protection rights – squaring the reform agenda with individual rights will be a trick to pull off’, however, adds Rose.

One aspect of the proposed reforms that’s causing concern is the implications for the EU-UK post-Brexit agreement on mutual data flow and whether it’s jeopardised. After Brexit, when the UK left the EU, the EU accepted that the UK met the bloc’s data standards and the UK was granted special status to enable data to flow freely from the EU to the UK.

‘Some of the proposed changes potentially risk that arrangement being undermined, and that would cause serious concerns for both British businesses that rely on those free data flows, and for their EU counterparts,’ says Rose.

The EU continues to demonstrate its commitment to the GDPR and its determination to severely punish those who commit data protection breaches. For example, various data protection authorities in the EU have issued relatively large GDPR fines so far this year, including in Sweden to lender Klarna, Hungary to Budapest Bank and Ireland to the Bank of Ireland.

‘Many of the fines have been for failing to determine the lawful basis for processing data and the UK’s potential changes demonstrate a possible rift in approach from the EU in this area,’ says Rose.

It would be premature for businesses and in-house legal teams to start changing their data protection programmes until the UK’s new law has been adopted, says James Castro-Edwards, counsel at Arnold & Porter in London. But while the final form of the legislation is some way off, the government’s response to its consultation in this area provides an indication of the direction of travel.

‘The good news is that the [government’s] response suggests that organisations which are already compliant with the UK GDPR are likely to be well-prepared for the new regime when it does take effect,’ he says.

For organisations, the best preparation for the reformed law is to ensure compliance with the existing law, says Emily Carter, a partner at Kingsley Napley in the UK. ‘Looking ahead, organisations should bear in mind that there will not be “one-size-fits-all” compliance. Rather, they should actively identify and address the risks associated with their specific data processing activities. For some organisations, especially those with limited resources and high volumes of sensitive personal data, this change in focus may be challenging.’


All businesses are going to have to take the PECR – which regulates matters such as direct marketing – more seriously going forward due to the proposed sharp increase in potential fines, says Hamblin. ‘Therefore, in the short term, an assessment of, and an emphasis on, a business’ compliance with PECR – for example, by new internal policies, internal training and an assessment of outsourced service providers assisting businesses with PECR-related activities – would be a good starting point to addressing the Data Reform Bill implications.’

The UK is not the only jurisdiction where data protection is once again taking legislative centre stage: China, for example, has recently introduced two new laws – the Data Security Law and the Personal Information Protection Law – aimed at tightening national security and giving citizens more say on how their data is used.

Unsurprisingly, says Rose, the new Chinese Data Security Law is focused on issues of national security, while the Personal Information Protection Law (PIPL) is modelled on the GDPR, although with a greater emphasis on consent. ‘Given the different cultural and political outlooks between China and the EU, comparisons are rarely helpful – the PIPL, on the face of it, appears to give citizens greater say over what happens to data relating to them. Whether, in practice, that is how things pan out is harder to assess.’

Meanwhile, following the 2020 judgment of the Court of Justice of the European Union in Schrems II, which invalidated the EU-US Privacy Shield data sharing agreement, there has been significant focus on how personal data can be safely transferred to the US. This is particularly so given the perceived risk of intelligence service access to personal data which exists in the US, says Hamblin.

In March it was announced that the European Commission and the US had agreed in principle on a new Trans-Atlantic Data Privacy Framework, but the detail of this remains to be translated into law. ‘Any such framework will not automatically apply to transfers between the UK and the US, although it would seem likely that the UK would follow suit for the benefit of UK businesses if the framework is deemed sufficient by the EU,’ says Hamblin.

Since the introduction of the GDPR there has been an increasing emphasis worldwide upon harmonisation of the laws to facilitate the safe transfer of data internationally, as well as enforcement of the law in transnational contexts, says Carter.

‘However, as regulation is inherently reactive, and technology develops more swiftly than legislation, information regulators across the world must focus on working together to swiftly respond to privacy harms,’ she adds.