This article was co-authored by Edward Le Gassick, Trainee Solicitor, London.
On 28 February, the Secretary of State for the newly created Science, Innovation and Technology Department, Michelle Donelan, informed the press that the Data Protection and Digital Information Bill will return to Parliament next week.
Donelan’s announcement was rather unexpected and directly contradicted previous statements about the Bill and its bleak chances of being considered before the next parliamentary session. However, this apparent U-turn is likely caused by the breakthrough in discussions between the UK and the EU about the Northern Ireland Protocol, and the fact that data sharing agreements played a crucial role in the formulation of the Windsor Framework.
Donelan is expected to make a speech on Thursday announcing proposals for a new UK GDPR equivalent. In advance of this, we examine what the new approach to data regulation might entail and the consequences for businesses and their insurers.
A hesitant predecessor
The Data Protection and Digital Information Bill (DPDI) was introduced by Boris Johnson’s government on 18 July 2022. It modified the UK GDPR (i.e. the UK adoption of the EU GDPR) and the Data Protection Act 2018, and laid the foundations for creating a regime that would be simpler and easier for businesses to navigate. However, the DPDI Bill’s formulation largely sought to amend rather than replace existing legislation.
Following the subsequent government leadership change in September 2022, the DPDI Bill was withdrawn, but its light-footed approach to existing legislation remains valuable context when considering the upcoming proposal.
The former DPDI Bill’s path to becoming an Act of Parliament was curtailed by political events, but we anticipate that elements of the revised proposal will borrow heavily from the previous draft. This is especially relevant given the recently reached agreement with the EU, which largely relies on data sharing, and the fact that the government conducted a detailed consultation on this topic in 2021, the outcome of which formed the foundation of the DPDI.
Taking the above into account, it is likely that the new proposal will include:
- An enhancement of regulatory powers of the ICO, operating under a new and independent composition as the ‘Information Commissioner’.
- Reduced cookie and direct consent requirements.
- A subjective definition of ‘personal data’ (with a simplified test).
- A novel system of agreements concerning international data transfers, under a different test to the existing GDPR ‘adequacy’ system.
- Changes to Data Subject Access Requests to create grounds for organisations to reject vexatious requests.
- Creation of exemptions from certain data protection requirements for smaller SMEs.
- Provisions that will make it easier for companies to develop innovative, data-driven solutions.
- New rules around data collection for scientific research.
- A requirement for companies to appoint an executive in charge of data protection.
- Consideration of data sharing arrangements in the context of the Windsor Framework.
The European Commission (EC) granted an ‘adequacy’ decision to the UK in June 2021 - effectively agreeing that UK legislation offered an equivalent level of protection to EU citizens in broadly the same way as the EU GDPR. Although lasting until June 2025, the adequacy decision may be withdrawn at any point if the UK data landscape changes and so any new legislation can (and almost certainly will) be re-tested for suitability by the EC.
It is worth noting that any significant legislative departure from the UK GDPR runs an appreciable risk of the UK failing to meet the adequacy criteria of the EU GDPR regime, which in turn would generate weighty economic consequences. These include the requirement of bespoke agreements to facilitate data transfers between the EU and UK, and significantly increased costs to businesses needing to comply with both systems of regulation. The experience of businesses dealing with data transfers to the US, and the protracted legal challenges stemming from the Schrems II decision, stand as a testament to the potential problems.
Considering the economic importance of maintaining smooth data transfers with EU nations, it is reasonable to suggest that the revised proposal will not be as radical as previously advertised. Instead, it will represent a diluted reformulation and renaming of existing legislation, allowing the UK to retain ‘third country’ status under EU GDPR and facilitate the agreement that the UK and EU reached on Northern Ireland.
George Chaisty recently spoke in discussion with the Bermudian Privacy Commissioner at the NetDiligence Cyber Risk Summit in Bermuda where he and two US lawyers provided a global update on recent changes in the privacy and data regulatory landscape, including in respect of the proposed changes in UK legislation.