UK data protection reform planned

The government, which confirmed the plans in a new statement, said the proposed reforms align with the innovation strategy it published in July. That strategy envisages greater use of personal data to support things like the advancement of medical science and the digital economy.

“The government wants to improve the UK’s data protection regime to make it even more ambitious and innovation-friendly while still being underpinned by secure and trustworthy privacy standards,” the Department for Digital, Culture, Media and Sport (DCMS) said. “It believes improved data sharing can help deliver more agile, effective and efficient public services and help make the UK a science and technology superpower.”

“In the coming weeks the government will launch a consultation on changes to break down barriers to innovative and responsible uses of data so it can boost growth, especially for start-ups and small firms, speed up scientific discoveries and improve public services,” DCMS said.

The UK’s data protection regime was last updated substantively in 2018 when the General Data Protection Regulation (GDPR) took effect alongside a new Data Protection Act. The GDPR, together with its sister directive on data processing in the law enforcement context, replaced laws that had been in force in the EU since 1995. The previous UK Data Protection Act implemented the 1995 EU directive and had been in force since 1998. At the point of Brexit, the GDPR, which previously had direct effect in the UK as an EU member state, was transposed into UK with minor changes, meaning that there is now the EU GDPR in force across the remaining 27 EU member states and closely aligned UK GDPR applicable in the UK.

However, in its national data strategy published in 2020, the UK government hinted that it would use its freedom to deviate from EU law in the area of data protection. At the time it said it acknowledged the importance of “regulatory certainty and high data protection standards” but said it wants UK data protection laws “to remain fit for purpose amid rapid technological change” and “not too burdensome for the average company” or “unnecessarily complex nor vague”. It said it wants the data protection regime to be one “that helps innovators and entrepreneurs to use data legitimately to build and expand their businesses, without undue regulatory uncertainty or risk in the UK and globally”.

Data protection law expert Claire Edwards of Pinsent Masons, the law firm behind Out-Law, said: “The data protection regime has seen a lot of change in recent years – much of it to the benefit of the data subject and aimed at ensuring those who collect our data protect it. However, many businesses feel the compliance burden is unnecessarily high. Any revised framework which can ensure that personal data is protected but which also recognises the global economy in which businesses operate and allows for innovation through streamlined efficient legal parameters has to be a positive.”

“The prospect of reforms to the UK’s data protection framework does raise the question of what it means for how the EU views data protection standards in the UK. That view has major implications for UK trade across the European Economic Area, the EU having only recently adopted an adequacy decision in respect of the UK to facilitate cross-border data flows. With a significant element of data flows from the UK still with the EEA, the government need to have one eye on ensuring that the free flow of data is not jeopardised with the reforms planned,” she said.

DCMS set out the plans for data protection reform in an announcement in which it confirmed that the UK government is prioritising the agreement of several new “data adequacy partnerships”, including with the US, as a means of bolstering international trade. DCMS also confirmed that New Zealand privacy commissioner John Edwards is the government’s preferred candidate to be the UK’s next information commissioner. The current incumbent, Elizabeth Denham, is due to leave her post in October.