The UK government has revealed more details about the new data privacy law – The Data Reform Bill – which is due to replace the General Data Protection Regulation (GDPR).
When the UK voted to leave the European Union, the process of replacing EU laws began. One of the laws expected to see significant changes was the GDPR. After a period of consultation with the public and businesses, the government developed the Data Reform Bill, which is hailed as “An ambitious, pro-growth and innovation-friendly data protection regime.” The UK government says, “Data is a strategic asset and its responsible use should be seen as a huge opportunity to embrace,” and that freeing the UK from the shackles of the GDPR will help to “drive growth, innovation, and competition across the country”. The UK government believes the GDPR is holding back the innovative use of data by businesses.
“The UK needs agile and adaptable data protection laws that enhance its global reputation as a hub for responsible data-driven business that respects high standards of data protection,” said the UK government in its original consultation pitch. The UK government claims that scrapping the GDPR and replacing it with the Data Reform Bill will save small businesses £1 billion over the next 10 years, and will help the UK deliver better public services through the use and access to personal data.
The GDPR gives EU citizens rights over their personal data and how it can be used and requires consent to be obtained from EU citizens before their personal data can be collected and used. Businesses are also required to implement safeguards to ensure personal data is kept private and confidential, and businesses are held accountable for privacy breaches.
The UK government claims complying with the GDPR has largely been a box checking exercise with respect to user consent that is inconvenient for consumers and businesses alike. The aim is to make it less cumbersome for all and to have a risk-based approach with respect to data protection. The data protection required will depend on the relative risk of each organization’s data processing activities. Under the Data Reform Bill, it will not be necessary for all organizations to appoint a Data Protection Officer (DPO), the need for impact assessments will be reduced if businesses can manage risks themselves, they will not have to keep records of data processing activities, and they will have a greater amount of flexibility as to how they meet data protection standards. They will, however, still be required to have a privacy management program.
The UK’s data regulator, the Information Commissioners Office will also be reformed. There will be simplified legal requirements for obtaining user consent for scientific research and data transfers between the UK and “like-minded countries” (i.e the United States) will be improved.
One of the common criticisms of the GDPR is that by asking for consent to collect, process, and sell the personal data of Internet users, users had to click a lot of consent forms – one for every website visited. Under the GDPR, consent to process personal data – including tracking users – requires opt-in consent. To decrease the burden on UK users, the Data Reform Bill will replace this requirement and will instead allow users to provide their consent more generally. That means after setting their preferences, they will be applied to all websites. This will reduce the number of boxes that need to be clicked, although this will take some personal control away from Internet users. The UK government says consent will be provided online, and the system of recording consent will be in place before any changes to UK law are made. The UK government will work with industry and regulators to develop a method of collecting and managing consent.
The Data Reform Bill is not only concerned with easing restrictions to benefit businesses. The UK government wants to take a harder line on nuisance calls and texts and will be increasing the financial penalties for companies that use calls and texts for marketing without first obtaining consent. Instead of the maximum fine of £500,000, the maximum penalty will be £17.5 million or 4% of global annual turnover, whichever is higher.
“Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower. Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection,” said Secretary of State for Digital, Culture, Media, and Sport (DCMS), Nadine Dorries. “Outside of the EU, we can ensure people can control their personal data while preventing businesses, researchers, and civil society from being held back by a lack of clarity and cumbersome EU legislation.
While the proposed changes to the UK data privacy laws have had a warm reception from business organizations such as the Confederation of British Industry (CBI), the new law is not without its critics. There has been considerable criticism over the consultation process, which more than 30 civil rights organizations have called rigged. In a letter to the DCMS, the 30 privacy groups allege the government did not meet or engage with them as part of the consultation process, something the government denies. Critics have called the consultation process unlawful, and warn that the lack of consultation with civil rights groups could lead to a weakening of rights for women, workers, patients, migrants, ethnic minorities, LGBT communities.
The main criticism of the Data Reform Bill is that by making the personal data of UK citizens easier for businesses to collect, use, and sell, there will be a big impact on UK citizens’ rights. There is also potential for the law change to undermine legal remedies and independent oversight – for instance, reducing the ability of individuals to challenge unfair automated decision-making by algorithms, and the right to inspect and port their data, which could be especially bad for the gig economy.
The Open Rights Group has pointed out that there is no evidence that the GDPR is hampering business or stifling innovation. While many businesses may undoubtedly benefit from the law change, for consumers, the price of not having to click a few consent boxes could be high in terms of privacy. “These irresponsible proposals will endanger consumers and make it easy for businesses to spy on you, build machines to judge you, and wait for you to work it out,” said Open Rights Group data protection campaigner, Mariano delli Santi.
The law changes also have the potential to hamper data flow with the EU. After Brexit, the EU allowed data to flow from the EU to the UK unimpeded as the EU considered the UK to have data protections in place that were just as robust as the EU. It remains to be seen whether the EU will continue to think that way if the Data Reform Bill is signed into law.