UK Government Proposes Raft of Post-Brexit Data Protection Measures and Reforms

DCMS announces new Data Protection Measures

The UK Government has launched a package of data protection measures with the intention of reforming the UK’s approach to data protection in a post-Brexit world.The Department of Culture, Media and Sport (“DCMS”) announced its new plans on 26 August 2021.  In making its announcement, it acknowledged the importance of data to innovation and the global digital economy, in addition to the tackling of crime, the delivery of critical public services and health and scientific research. The Government’s plans included the following key points:

1. A new UK Information Commissioner

The DCMS has named John Edwards as its preferred candidate to be the UK’s new Information Commissioner. Mr Edwards is currently New Zealand’s Privacy Commissioner. The DCMS stated that Mr Edwards will have a clear mandate to take a balanced approach to promote further innovation and economic growth on the one hand, and to protect data rights on the other. This new mandate represents a shift in emphasis from the UK ICO’s traditional role, which was primarily to uphold data rights.

2. International Data Partnerships

The DCMS also issued a mission statement setting out the UK’s approach to adequacy assessments and international transfers. The mission statement acknowledges the importance of international data transfers to international commerce, innovation and international co-operation. The UK is working in partnership with a number of priority territories for adequacy. These priority territories include the USA, India, Australia, Dubai IFC, Singapore, Republic of Korea, Indonesia and Brazil (amongst others). An “adequate” destination territory is one that is deemed to have sufficiently protective data laws to receive frictionless data transfers, so this is an important decision from a trade and commerce perspective in today’s connected world. Where the UK decides whether to grant adequacy to a destination territory, it will consider whether the destination territory’s data protection laws are similar to UK GDPR standards. The UK will assess the adequacy of the destination territory in the following areas:

• the rule of law, respect for human rights and fundamental freedoms;
• the existence and effective functioning of an independent regulator; and
• relevant international commitments.

The UK will go through four work phases when deciding on a adequacy grant, from an initial “gatekeeping” phase, through “assessment” and “recommendation” phases, completing the adequacy grant process with the making of regulations to give effect to the adequacy determination (the “procedural” phase).Where the UK grants a destination territory adequacy status, the UK may monitor that status and review it not less than every four years.  A UK adequacy decision may be challenged in the UK courts via judicial review.  If a challenge is successful, the courts may annul the adequacy decision. 

UK Government Consultation on Data Protection Reforms

The UK Government also kicked-off a consultation on 9 September 2021 on further reforms to the UK data protection regime.  The DCMS intends this consultation to be first step towards delivering a pro-growth and trusted data regime.The proposed reforms cover several areas, including:

• reducing barriers to responsible innovation in sectors such as AI/machine learning and scientific research;
• reducing barriers on businesses and delivering better outcomes for people, such as new thresholds for data subject access requests and liberalising the regulation of cookies;
• boosting trade and reducing barriers to data flows, including the measures described under “International Data Partnerships” above, permitting the repetitive use of derogations for data transfers and an exemption for “reverse transfers” between the UK and origin territory of that data;
• delivering better public services; and
• reform of the UK ICO, to include new objectives and a clearer strategic vision for the regulator; improving accountability mechanisms, and refocusing its commitments away from handling a high volume of low-level complaints and towards addressing the most serious threats to public trust and inappropriate barriers to responsible data use.

 UK ICO’s Consultation on International Data Transfers

Meanwhile, following the ICO’s announcement earlier in the year that it would be producing its own equivalent of the EU standard contractual clauses (which are a tool to legitimise international data transfers under EU GDPR), it published its own model International Data Transfer Agreement (“IDTA”) in draft form in August as part of a new ICO consultation International transfers under UK GDPR. Our initial review suggests that the IDTA has been designed to be user-friendly, with a tabular approach suited for the non-lawyer, and is intended to cover a number of scenarios including cross-referencing linked agreements (such as a services agreement) and multi-party arrangements. The consultation also covers a number of questions including on the interpretation of the territorial scope of GDPR when dealing with international transfers, and seeks views on the draft IDTA as well as a proposed risk assessment tool (the “TRA”) for use in assessing international transfers. 

What is this all likely to mean for UK data protection going forward?

Business will welcome the UK Government’s plans to re-balance UK data protection law towards trade and innovation.  However, the reforms are still at an early stage and are subject to consultation. It is therefore unclear to what extent (and in what form) these reforms will find their way into UK data protection law.There is also the question of the UK’s adequacy status with the EU.  The EU recently granted the UK adequacy status to receive frictionless data transfers on the basis that the UK would remain aligned to EU data standards. We have previously reported on the EU’s grant of adequacy status to the UK here:

 https://www.freeths.co.uk/2021/06/29/eu-commission-grants-uk-data-adequate-status/.

The UK is therefore walking a tightrope between creating a more business-friendly domestic data regime on the one hand and retaining sufficiently EU-aligned data laws to preserve the UK’s data adequacy status with the EU on the other. We can be sure that both UK business and the EU will be monitoring developments in this area with interest over the coming months and years.