Kathryn Wynn: New UK data protection law would be step back after GDPR
Mathematician and architect of the Tesco Clubcard, Clive Humby, is said to have coined the phrase “Data is the new oil” back in 2006, and this sentiment was echoed in a later Economist report titled: “The world’s most valuable resource is no longer oil, but data”.
Launching a consultation on proposed reforms to UK data protection laws in September, the then Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, took a similar approach: “Data is now one of the most important resources in the world. It fuels the global economy, drives science and innovation, and powers the technology we rely upon to work, shop and connect with friends and family.”
The consultation is evidence of the government’s attempt to move forward with its Brexit promises – it was certainly part of Vote Leave’s vision for a post Brexit UK – and it aims to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.
The consultation is structured around five key objectives: reducing barriers to innovation; reducing burdens on business and delivering better outcomes for people; boosting trade and reducing barriers to data flows; delivering better public services; and reform of the Information Commissioner’s Office (ICO) – the UK regulator for date protection.
In issuing such a consultation, the government aims to take steps to reduce compliance burdens for organisations. However, there are grave concerns that the proposed reforms risk the UK’s “adequacy status” – which permits data to be transferred freely from the EU member states to the UK – being revoked when it comes up for review in four years’ time.
Under the UK data protection laws, those countries without adequacy (a “restricted country”) must put in place “appropriate safeguards” before transferring personal data. This would make it much more difficult (and expensive) for business to transfer data freely from the EU to the UK.
The consultation recognises this in its impact statement:
“The Government welcomed the EU’s adoption of adequacy decisions for the UK in June 2021, and we firmly believe there to be no incompatibility between our proposed package of reforms and our adequacy status with the EU. In the event EU adequacy is maintained alongside these reforms, this would rise to £1.45bn, through saving £410m in associated costs of switching to alternative transfer mechanisms. In addition, there is likely to be a benefit to UK trade, although our modelling of this is subject to more uncertainty.”
The introduction of new law would almost represent a step back, at a time when organisations have only just completed their implementation programmes for the 2018 EU General Data Protection Regulation reforms.
A drastic change could inadvertently create uncertainty and compliance risks for organisations, therefore it may be more useful to issue detailed ICO guidance as an alternative to the creation of new laws.
The consultation has now closed and the Bill is expected to be introduced next May or June, meanwhile it is imperative that organisations keep abreast of developments around this proposed reform as it is developed into a new data protection bill and factor in this “new direction” into their data strategies.
Kathryn Wynn is a partner and data and privacy specialist at Pinsent Masons. This article first appeared in The Scotsman.