Government response to Data Reform Bill consultation distances UK from GDPR

Government publishes response to Data Reform Bill consultation

New laws would help firms grow by eliminating 'red tape and pointless paperwork,' it says

The Government has published its response to a consultation on the upcoming Data Reform Bill, outlining how it plans to diverge from European Union-based data protection rules.

The UK's Department for Digital, Culture, Media and Sport (DCMS), which proposed the new de-regulatory measures, claims the reforms have the potential to deliver more than £1 billion in savings for businesses over the course of the next ten years.

The move follows the Government's Consultation Paper on Reforms to the UK Data Protection Regime - 'Data: A New Direction' - which it released in September last year.

The upcoming Bill aims to overhaul the UK's existing data protection system, potentially causing substantial revisions to the EU GDPR and Data Protection Act.

The Government has previously said it intends to use Brexit to overhaul "highly complex" data protection rules inherited from the EU.

The GDPR is presently the basis for UK data privacy legislation, but the Government has indicated on several occasions that it wishes to dilute several of the regulation's provisions.

It insists that new legislation would help promote UK firms by eliminating "red tape and pointless paperwork" associated with EU data laws, as well as lowering the barrier to personal data being used in scientific research.

However, this ignores the fact that British businesses will still need to comply with the GDPR when processing EU citizens' data.

Nadine Dorries, the digital secretary, said the Data Reform Bill has the potential to assist in establishing the post-Brexit UK as a "science and tech superpower" by making it simpler for businesses and researchers to "unlock the power of data" while still maintaining "our global gold standard" for data protection.

"Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation," she said in a statement.

As a result of the new legislation, organisations will no longer be required to hire a data protection officer (DPO), or to carry out data protection impact assessments (DPIAs). Instead, they will need to designate a suitable individual to oversee the organisation's DP compliance, and assessing data protection impact will be devolved to an organisation's more general risk-based privacy management programme.

Nevertheless, organisations will still be obliged to maintain a "privacy management programme" to ensure that they are responsible for the way in which they process personal data.

The new Bill would raise the financial penalties for nuisance calls and texts, as well as fines for other significant data breaches under the existing Privacy and Electronic Communications Regulations (PECR).

The fines will be increased from the existing maximum of £500,000 and be brought in line with the UK GDPR penalties, which are up to 4% of worldwide revenue or £17.5 million, whichever is larger.

According to the Government, the new opt-out mechanism for cookies will drastically cut down on the need for users to click through consent banners on each and every page that they visit, resulting in substantially fewer of the annoying boxes appearing online (while this might be preferred by the layperson, an opt-out system instead of opt-in is certainly going to make people easier to track as they move around the Web - against the entire point of the GDPR - Ed.).

The Information Commissioner's Office (ICO) will be reorganised as part of this package. It will now have a chair, a CEO, and a board to ensure 'it remains an internationally renowned regulator'.

"I share and support the ambition of these reforms," said John Edwards, UK Information Commissioner.

"I am pleased to see the Government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society."

While many organisations, including the ICO, have commended the planned steps, not everyone is pleased.

Open Rights Group (ORG), a privacy advocacy organisation based in the UK, was critical of the new laws since they limit users' choice and liability for lawbreakers.

"The Government are boldly taking the side of the abusers and the law-breakers: the UK Data Reform Bill will make it the default setting to spy on us, and your burden to opt-out of something you never wanted in the first place," the ORG said.

Mariano delli Santi, a data protection activist at ORG, described the proposals as "irresponsible," adding that "they risk leading to a massive and expensive rupture with the EU, making data transfers costly for UK businesses, costing jobs during an economic downturn".

Correction: the original article stated that "some organisations, such as small firms, will no longer be required to hire a data protection officer (DPO) or conduct lengthy impact assessments, as the GDPR mandates". In fact, the requirement to appoint a DPO has been removed completely and the obligation to carry out DPIAs has been devolved into a more general 'risk-based privacy management' requirement.