Legal experts have shown considerable uncertainty around the details of UK Government’s recommended amendments to data security law and the Data Protection and Digital Information bill (Data Reform Bill). They maintain that it could potentially result in
the termination of well-run data flows with EU countries.
The long-anticipated Data Reform Bill was publicised post Brexit as the UK endeavoured to upgrade its legal system. The balance between upgrading the GDPR and deviating too far from it is essential, however. If deviation does occur, the EU could reconsider
the ‘adequacy’ agreement. This would enable data to flow to and from the UK freely, but with significant financial ramifications for businesses in the UK.
Concern for data protection regulations in the UK
Jon Baines, a senior data protection specialist at Mishcon de Reya, cautioned that with the many recommended adjustments in the bill, the UK GDPR is beginning to appear quite different to its European relative.
He further said:
“The more the two regimes diverge, the more there is a risk that the EU might question whether it still considers the UK to have an ‘adequate’ regime for the purposes of data transfers.”
A senior lawyer at Ropes & Gray’s data, privacy and cyber security practice, Edward Machin, also had concerns. He argued that the GDPR is not flawless and that it would be irresponsible for the UK not to learn a lesson from its own approach. His first thoughts
of the bill were that the government had reached a compromise in favour of business and had disregarded various matters. He believes that safeguards and reduced rights for people would be topics targeted for modification before finalisation of the bill.
Furthermore, the bill strives to lessen the autonomy of the ICO which was influential in preparing the GDPR. Machin said that it is disheartening that the government has held its belief that parliament requires increased authority over the ICO. As a regulator,
the ICO is not unpredictable nor inactive, so it is not easy to see the rationale of a change that compromises its status worldwide for insignificant gain. Also, there are worries that government will carry too much authority to change government policy without
calling for the careful examination of legislators.
Matt Warman, the Digital minister, reiterated certain Brexit points in his own summary. He said that the bill would maintain the UK’s attitude to supporting worldwide data flows by taking advantage of its self-sufficient position to make partnerships with
the world’s most rapidly growing economies. He said that the reforms would make certain that the mechanisms to transfer personal data globally are safe and adaptable to support the growth of British business.
Why move away from GDPR towards the Data Reform Bill?
The Data Protection and Digital Information Bill aims to revise and simplify the UK’s data protection framework. It incorporates actions relating to smart data and digital identity, to name just a couple.
But why does the UK government want to move away from GDPR and instead implement the Data Reform Bill? The government has intended to step aside from the EU’s data protection regime for some time now, especially since it has left the EU, and says the that
new bill will promote innovation while removing the red tape linked to implementing new regulations. It appears that the UK government understands the power of data in our digital economy, and this is one of the main reasons that an effective regulatory system
is needed: to enable innovation in new technologies.
The EU has proven sluggish at signing data transfer agreements with various countries across Europe and this has meant many businesses are employing GDPR with a hard hand instead of the flexibility which the Data Reform Bill would allow, and therefore encourage
British business to prosper.
Moving away from GDPR may risk data adequacy
With all the seemingly positive benefits of the Data Reform Bill, there is a concern that it will weaken standards too much. The challenge is to devise reforms that sustain the current high standards around safeguarding personal data, while still allowing
businesses to utilise data in order to innovate. It will also be important to ensure that any reforms do not threaten the existing data adequacy status between the UK and the EU. We do not want a freeze to the flow of data across borders altogether.