A new data reform bill included in the 2022 Queen’s Speech promises a “pro-growth” framework of greater benefit to both businesses and citizens of the UK, but potential divergence from the standards set by the General Data Protection Regulation (GDPR) could put an end to the data adequacy decision that allows personal data to continue flowing between it and the EU.
Queen’s Speech announces Data Reform Bill, many details still up in the air
The Queen’s Speech is an annual event in which the government lays out its legislative plans ahead of the beginning of the parliamentary year. This year’s version includes 38 bills, one of which is the Data Reform Bill. The bill looks to codify some business-friendly reforms that leading government figures have been talking about for some time now.
The actual text of the Data Reform Bill is not yet available; the Queen’s Speech instead outlined general points that an eventual draft will address. Proponents called it the foundation of a “world class data rights regime” to underpin a “pro-growth and trusted UK data protection framework” that reduces burdens on businesses and spurs innovation.
This focus on business needs is where the Data Reform Bill may end up running astray of the data adequacy agreement that keeps the UK in the good graces of the EU post-Brexit. The Queen’s Speech noted some of the expected benefits for businesses: a revised data protection framework focusing on “privacy outcomes” rather than “box-ticking,” a “clearer regulatory environment” for personal data use, and simplifying research rules for the benefit of technology and science companies.
While the Queen’s Speech primarily used the moment to tout benefits to business, it did also mention some developments oriented to citizen data privacy. One of the headline items was a proposed overhaul of the Information Commissioner’s Office (ICO), the country’s lead regulator. The Queen’s Speech called for both greater capabilities and powers for the organization in pursuing enforcement of breaches, as well as greater accountability to both the public and Parliament.
Another item in this area was a call for increased participation in Smart Data Schemes. This is a policy initiative that the UK government began holding working groups on in 2021; it calls for standards and infrastructure aimed at boosting the country’s data economy, but it could also benefit consumers (depending on how it is developed) with things such as safer and more private online financial transactions.
The Queen’s Speech supported that general idea with a call for data policy that empowers citizens and creates more effective delivery of services, and that citizens have greater clarity on their rights to view and control their personal data.
Data adequacy agreement with EU could be threatened if business receives too many benefits
The future of the Data Reform Bill is still very much in question, as a draft has to be produced and debated before it can move to a vote. The content of the Queen’s Speech does not make clear exactly what the eventual form will look like, but previous overtures to business by leading figures in the government (including some in regulatory capacities) has raised alarm that it will be an attempt to reduce data privacy rights from the roughly GDPR-equivalent terms that citizens currently enjoy.
The pro-business talk has been circulating since late 2020, when the UK government proposed a Digital Market Unit (DMU) meant to oversee the large “gatekeeper” platforms that the data adequacy rules are primarily aimed at. This plan did have some balance, proposing that citizens be allowed to completely opt out of behavioral profiling and targeted advertising with each platform should they so desire. But digital secretary Oliver Dowden seemed to go out of his way to declare himself “pro tech” and tout the economic benefits of all of this personal data collection.
If the Data Reform Bill introduces major changes, it could prompt a review of the EU’s data adequacy decision allowing the UK to remain a “trusted partner” for the international flow of personal data. One key issue could be how the UK handles data flows to third party countries that are not trusted data partners in the EU’s eyes. Another potential sticking point is the possibility of entirely removing cookie consent banners from the nation’s regulatory requirements, something that Dowden and other government figures have publicly supported.
Whether or not the Data Reform Bill ends up crossing any lines with the EU, the present data adequacy decision is due to sunset and be up for review again in 2024. The European Commission could potentially move to withdraw the data adequacy status prior to that if it feels that the Data Reform Bill terms stray too far from the protections offered to EU citizens by the GDPR.