Out-Law Analysis 5 min. read
25 May 2023, 4:10 pm
In the five years since the General Data Protection Regulation (GDPR) took effect, the data protection legislative landscape in the UK has changed significantly, with further reform on the horizon.
The UK government’s intention is clear: to deliver a pro-innovation, business-friendly, regulatory environment. However, while some targeted amendments planned would benefit businesses, the enactment of proposals set out in the Data Protection and Digital Information (No. 2) Bill would not require the type of overhaul of data protection practices that the GDPR heralded.
When the GDPR took effect on 25 May 2018, the UK was still an EU member state, though it had voted to relinquish its EU membership by that point. When the Brexit transition period expired, the GDPR was incorporated in UK law as retained EU law – with some small amendments to facilitate its application to the UK. The UK GDPR now sits side by side with the EU GDPR and is supplemented in the UK by rules in other legislation – not least the Data Protection Act 2018.
However, amidst a broader drive to streamline the retained EU law on the UK statute book and demonstrate post-Brexit sovereignty, UK divergence from the EU GDPR has been on the agenda.
In June 2021, the UK Taskforce for Innovation, Growth and Regulatory Reform, comprised of prominent Conservative MPs Sir Iain Duncan Smith, Theresa Villiers and George Freeman and established under the then Boris Johnson-led government, proposed replacing the UK GDPR with “a new, more proportionate, UK Framework of Citizen Data Rights”.
Within months of that report, the government opened a consultation on reform. In June 2022, it published its policy response, adopting some of the recommendations made by the taskforce, though stopping short of a radical overhaul of the UK GDPR regime. The next month, the UK Data Protection and Digital Information (DPDI) Bill was introduced into parliament, signalling the government’s intention to deliver speedy reform, but progress of the Bill stalled when Boris Johnson resigned.
When Liz Truss was appointed prime minister, the government’s policy on data protection reform appeared to shift, with a senior minister suggesting at the Conservative party conference in October 2022 that there would be a major rethink of the DPDI Bill.
Within weeks, however, Truss had resigned and been replaced as UK prime minister by Rishi Sunak. Under his watch, the government re-consulted on reform with stakeholders and in March this year introduced The Data Protection and Digital Information (No. 2) Bill into the UK parliament.
The DPDI (No.2) Bill is not radically different to the original DPDI Bill – which has been abandoned – but it would, if enacted, bring some divergence with the EU GDPR.
Throughout the last couple of years, the government has been consistent about voicing its intention to promote data-related innovation and curb administrative burdens on business arising under the existing UK data protection regime, which derives from the EU GDPR.
The rhetoric is reflected in the government’s wider digital policy.
Empowering responsible innovation and sustainable economic growth is also a core objective under the ‘ICO25’ strategic plan
For example, the national data strategy, published in 2020, in-part aims to better enable businesses to use data to innovate – including by enabling greater access to data and addressing barriers to data sharing. It is also reflected in the plans the government set out recently for the future regulation of the use of AI in the UK, which differ significantly to more prescriptive new regulations proposed in the EU, under the EU AI Act. The government described its plans, set out in its AI white paper, as a new “pro-innovation framework”, and said they will “bring clarity and coherence to the AI regulatory landscape”.
There is evidence of a pro-innovation approach to data protection regulation in the UK already. The Information Commissioner’s Office (ICO) has long been regarded as a pragmatic regulator and there are examples of this in its work.
The ICO’s transfer risk assessment tool, for example, advocates a risk-based approach to assessments for transfers of personal data to third countries – an approach that is baked into the DPDI (No.2) Bill.
Other data protection authorities in the EU take a different view. The Austrian data protection authority has said that Chapter V of the GDPR – under which the international data transfer rules sit – “does not recognise a risk-based approach”, while the European Data Protection Board (EDPB) is also on record as saying that, in some cases, businesses could find that no supplementary measure can be applied to data transfer arrangements that enables them to meet the requirements of the EU GDPR for exporting that data to countries outside the European Economic Area (EEA).
The risk-based approach is also reflected in the ICO’s approach to enforcement.
Since the GDPR took effect, the number of fines imposed by the ICO has been significantly less than countries such as Spain and Germany, while the total value of the fines the ICO has imposed in that period is dwarfed by countries such as Ireland and France. In a speech last November setting out his regulatory philosophy, information commissioner John Edwards confirmed that the ICO under his watch would be “regulating for outcomes, not outputs” and said the ICO’s impact should not be measured by the number of value of fines it issues.
By establishing its regulatory sandbox, the ICO has also given businesses an opportunity to engage with the authority on how data protection law applies to innovative digital products and services. Empowering responsible innovation and sustainable economic growth is also a core objective under the ‘ICO25’ strategic plan.
The recent decision in the dispute between Experian and the ICO – though subject to appeal – also highlights the willingness of the information rights tribunal to give due recognition to business interests and the wider benefits of their data processing activities when assessing data protection compliance and how the law should be interpreted.
At the moment, the UK’s data protection regime is aligned with the EU’s and thus benefits from a so-called ‘adequacy’ decision of the European Commission. This enables the free flow of personal data between organisations in EEA and the UK – vital to cross-border trade.
Maintaining adequacy while delivering data protection law reform is a stated objective of the government, though losing that status would not be “a complete disaster”, according to acting government minister John Whittingdale.
In this context, it is unsurprising that the UK is pursuing relatively modest reforms to the UK GDPR with its DPDI (No.2) Bill. For large organisations operating across borders, the proposed changes are unlikely to alter compliance practices.
However, some of the changes the government has proposed would be genuinely beneficial for business.
We have already explained that we see potential for the changing UK approach to data protection exemptions to enable AI development. Other proposals in the Bill would, if enacted, make it easier for businesses to use technologies like AI in a way that supports automated decision making. Current constraints posed by the ‘purpose limitation’ principle and its effect on organisations’ ability to use personal data collected for other purposes to train AI and other tools to create accurate, and unbiased, outcomes are also targeted by provisions of the Bill.
Other amendments proposed place more of an emphasis on interpretation. For example, the government hopes to make the existing research exemption less restrictive by broadening the definition of ‘scientific research purposes’ to capture the processing of personal data for the purposes of any commercial research activity “that can reasonably be described as scientific” – and not just non-commercial research such as that carried out by universities.
For businesses, a new UK data protection framework that genuinely facilitates innovation and reduces administrative burdens while maintaining an EU adequacy decision would be very welcome and could, together with other reforms such as those relating to AI regulation, enhance the UK’s attractiveness as a global hub for trialling and commercialising new technologies.
Out-Law Analysis
25 May 2023