On the 18th July the UK government unveiled the Data Protection and Digital Information Bill – broadly a response to the ‘Data: A New Direction’ Consultation, which looked to create ‘a new ambitious, pro-growth and innovation-friendly data protection regime in the UK’.
The new Bill seeks to take the UK in a different direction from the EU and its GDPR data protection and privacy rules, which it is free to do following Brexit. Indeed, this reform is being described as a ‘Brexit Dividend’ Bill by the UK government – one that can be seen as a clear benefit of leaving the EU. The government seems convinced of these benefits, choosing to release the Bill amidst the significant political uncertainty caused by Boris’ resignation and the ensuing leadership contest.
Does the Bill threaten the existing data adequacy decision?
One key question stemming from the Bill is how breaking from GDPR and implementing new rules will impact businesses that operate across the UK and EU. The UK government has been in close contact with the European Commission throughout the reform process, so it’s unlikely that the changes risk the UK losing its EU adequacy decision. Adequacy is a status granted by the EU to non-EU countries and territories. It states that they have an ‘essentially equivalent’ level of data protection to that which exists within the EU, and enables the frictionless exchange of data between the EU and other countries – allowing a variety of businesses to operate seamlessly across both.
It’s certain the European Commission will closely monitor the Bill’s passage through Parliament and its implementation. The European Commission’s preliminary decision could also change if the government is forced to accept backbench amendments that move the Bill further from the status quo.
Impact of data reform
Due to the desire to maintain data adequacy, the scope of the changes introduced by the Bill may be less revolutionary than some stakeholders wanted. Nevertheless, the overall proposals represent a step in the right direction.
The proposals cover a wide range of areas – key ones for tech companies include:
Creating a statutory definition of ‘scientific research’ and consolidating the definition of consent for scientific research. While this may help to boost research-related activity, it is not yet fully clear whether this includes commercial R&D activities.
Providing a list of areas that are recognised as ‘legitimate interests’, where processing will be lawful without the need for data processors and controllers to consider the weighing-and-balancing of risks. This list is currently very narrow and further consideration needs to be given to widening it to bring it in line with the consultation proposals.
Further clarity on automated decision-making in the context of AI-related technologies. This includes definitions of the types of permitted automated decisions and the information that must be provided to data subjects. However, further clarification is needed on how this will interact with the Government’s approach to future AI governance (something that the EU is also currently evaluating).
The Bill also provides the statutory underpinning to digital identity verification services (DVS) in the UK. It’s likely this will build on the ‘UK digital identity and attributes trust framework’ published in June 2022, which aims to enhance standards and trust in DVS. One key action suggested by the framework was establishing a register of DVS providers that meet agreed standards.
Proposed changes to The Information Commissioner's Office
The Bill has also outlined significant reform of the key data regulator, the Information Commissioner's Office (ICO) – renamed the ‘Information Commission’. While its role and responsibilities will remain the same, new objectives will be aligned to growth, innovation and competition. To this end, the Bill also proposes transforming the ICO’s governance structure to have a statutory board plus a Chair and Chief Executive to consider the economic impact of its decisions and develop a robust international strategy, alongside new transparency and reporting requirements.
What’s next for UK data reform?
The UK is keen to forge its own path when it comes to data – perceiving a Brexit dividend and the opportunity to realize a more industry-friendly stance. However, multinational businesses still face the traditional challenges derived from facing more prescriptive requirements elsewhere, which could cause friction in meeting KYC (know your customer) and anti-money laundering requirements.
This global patchwork of different approaches to data protection seems destined to continue, at least in the near term. It seems unlikely that global consensus will be reached on common rules and approach in the near term. The UK is taking a positive step by seeking to improve its approach to data privacy, and I believe it will drive a positive result for tech companies, innovation, and their customers.