The UK government’s plans to reform data protection laws have been criticised by campaigners and lawyers for giving too much power to ministers over privacy and data sharing, as well as reducing digital rights and safeguards.
The Data Protection and Digital Information Bill, which was introduced to Parliament on 18 July 2022, provides more detail on reforms to the UK’s post-Brexit data protection landscape.
While the government claims the reforms will protect citizens better while unburdening businesses, lawyers and civil society groups are worried that the changes could lead to a lower standard of data protection and undermine digital rights contained within the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Formerly known as the Data Reform Bill, the updated Bill was described by Matt Warman, minister for media, data and digital infrastructure, as an “opportunity to seize the benefits of Brexit and transform the UK’s independent data laws”.
Warman said the burdens of the UK’s current data protection requirements have held businesses back from realising the benefits of greater personal data use, adding: “By focusing on outcomes, not box-ticking, we will unburden businesses from prescriptive requirements and empower them to protect personal data in the most proportionate and appropriate way. Our changes could create around £1bn in business savings over 10 years.
“The Bill will sustain and scale the UK’s approach to supporting international data flows by capitalising on its independent status to strike partnerships with some of the world’s fastest-growing economies. Reforms will ensure that the mechanisms to transfer personal data internationally are secure and flexible to help British businesses grow.”
The introduction of the 192-page Bill comes a month after the government published its official response to a consultation on the Data Reform Bill in June 2022, in which it pledged to press ahead with a number of changes to the UK’s post-Brexit data protection framework.
Suggested changes included removing organisations’ requirements to designate data protection officers (DPOs), ending the need for mandatory data protection impact assessments (DPIAs), introducing a “fee regime” for subject access requests (SARs), and removing the requirement to review data adequacy decisions every four years. All of these are now included in the updated Bill in some form.
“We now have confirmation of what the UK’s post-GDPR data framework is intended to look like,” said Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy and cyber security practice. “Nips and tucks rather than a full facelift, although many of the small changes could have significant effects in practice and likely won’t go unnoticed as the Bill moves through Parliament.
“The GDPR isn’t perfect and it would be foolish for the UK not to learn from those lessons in its own approach, but it’s walking a tightrope between improvements to the current framework and performative changes for the sake of ripping up Brussels red tape. My initial impressions of the Bill are that the government has struck the balance in favour of business and overlooked some civil society concerns, so I would think that reduced rights and safeguards for individuals will be areas that are targeted for revision before the Bill is finalised.”
There are also concerns that the direction of travel the UK is taking could lead to it losing its data adequacy status with the European Union (EU), which allows the continued free flow of data between UK businesses and those in the bloc.
The European Commission granted the UK data adequacy in June 2021, but warned that this may yet be revoked if the UK’s new data protection rules diverge significantly from the EU’s.
MEPs have also previously argued that UK laws allowing government agencies to access and retain bulk data on individuals who are not under suspicion are inconsistent with the GDPR, and that data sharing between UK signals intelligence agency GCHQ and the US National Security Agency “would not protect EU citizens or residents”.
But Warman said: “The EU does not require countries to have the same rules to grant adequacy, so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”
Further changes
While the June 2022 consultation response previewed many of the intended changes to UK data protection law, the updated Bill goes into more detail and makes a number of further changes that were not previously announced.
For example, one of the most significant additions to the Bill is that it would make any data processing lawful if it is conducted for “recognised legitimate interests”, which are listed in Annex 1 of the Bill’s text. As it stands, the legitimate interests that provide a lawful basis for data processing include: national security, public security and defence; emergencies and crime; safeguarding vulnerable individuals; and democratic engagement.
However, the Bill would also give the secretary of state sweeping powers to extend or reduce the list of legitimate interests that organisations can use as grounds for data processing, as well as to amend almost any aspect of the legislation through further regulations, thereby circumventing parliamentary debate on future changes.
Mariano delli Santi, legal and policy officer at Open Rights Group (ORG), said: “The Bill will remove the balancing test for data uses based on [a list of] legitimate interests. That is to say, an interest will be considered legitimate even if it is harmful. The government will have the power to amend this list as soon as we are looking the other way.”
He added: “This translates as: the government wants to have the power to establish arbitrary lawful grounds for data uses that lack definition, foreseeability and safeguards against abuses. Parliament will be asked to rubber-stamp what the government proposes.”
On top of new powers for the secretary of state, the Bill also contains provisions to water down Article 22 GDPR restrictions that protect people from solely automated decision-making.