The UK Government Announces Major Changes to Data Privacy Laws After Brexit
The United Kingdom (UK) Government announced on 10 May 2022 its intention to present a bill that would enact major reforms to the current domestic data protection regime. In the Queen's Speech, the Prince of Wales announced the proposed Data Reform Bill, which aims to provide "a more flexible, outcomes-focused approach to data protection that helps develop a culture of data protection, as opposed to 'tick-box exercises'."
As part of its Brexit negotiations, the United Kingdom enacted the Data Protection Act 2018 to integrate the GDPR into domestic law (the UK GDPR). In June 2021, the European Commission (EC) published a decision affirming that the measures in place provide an acceptable degree of protection for the purposes of Article 45 of the EU GDPR. The EC's judgment of sufficiency is not permanent and may be withdrawn if the EC deems that the United Kingdom no longer offers the necessary protection. The EC is due to reassess its conclusion of appropriateness no later than 2024. However, the EU has already signalled that a review may be conducted sooner if the United Kingdom deviates too much from its target.
The Data Reform Bill, issued after consultation, is intended to modernise the UK's current data policies in the wake of the country's exit from the European Union. The government argues that the EU's General Data Protection Regulation (GDPR), adopted into UK law post-Brexit, impedes creative data usage in the digital age.
Unlocking the potential of data is one of the 10 Tech Priorities of the government. According to the National Data Strategy, data is a strategic asset, and its proper use should be seen as a tremendous opportunity. This consultation is the first step towards achieving Mission 2 of the National Data Strategy, establishing a growth-friendly and trustworthy data regime.
Outside of the EU, the United Kingdom will be able to reform its approach to regulation and seize the opportunities offered by its new regulatory freedoms, contributing to the country's economy, innovation, and competitiveness. The United Kingdom needs flexible and adaptive data protection regulations that strengthen its worldwide image as a centre for data-driven businesses that adhere to necessary data protection requirements.
Those favouring Brexit said it would enable the United Kingdom to break from the EU's regulations and norms. These divergences would allow the United Kingdom to reap a "Brexit dividend." One such set of rules was the EU's data privacy regulation. On 10 September 2021, the Department for Digital, Culture, Media, and Sport (DCMS) of the United Kingdom Government released a consultation detailing its ideas to radically change the UK's data protection and privacy framework.
GDPR stresses accountability. The EU GDPR requires data controllers to keep a record of processing, perform Data Protection Impact Assessments (DPIAs), and, for "large" companies, appoint a Data Protection Officer (DPO). The recommended changes would allow companies to determine how much risk to take when processing personal data. This diverges from the one-size-fits-all method but introduces the "comply or explain" principle.
The UK GDPR compels data controllers to report any data breaches unless they are "unlikely to result in a harm to natural people". The UK government proposes raising this threshold to minimise the number of ICO reports data controllers must submit. A new voluntary undertaking model will enable data controllers to design a breach-remediation strategy.
In most instances, data controllers can't charge data subjects for data subject access requests (DSARs). The UK Government has suggested abolishing this limitation and bringing the regulations in line with FOIA 2000. Public agencies may charge for transmitting information under this system.
Organisations cannot keep or access information on a computer or smartphone (i.e., using 'cookies') without the individual's permission (unless such cookies are strictly necessary). The UK Government has suggested reforming cookie regulations to reduce "consent fatigue" by allowing a wider variety of cookies to be used without permission (such as analytical or tracker cookies) or only needing agreement for specific defined reasons such as intrusive tracking or real-time bidding.
The government says maintaining EU adequacy is achievable and reasonable. The related impact study released with the consultation implies it may be hedging its bets: it has already done the arithmetic for both an adequate and a non-adequate UK post-implementation.