Government responds to Data Reform Bill consultation

The government has published its long-awaited response to a consultation on the proposed Data Reform Bill, pledging to press ahead with a number of changes, that the government says will boost businesses, protect consumers and seize the “benefits” of Brexit.

Its proposals include clamping down what it perceives as red tape around privacy and data protection to save an estimated £1bn, while strengthening data protection standards, reforming the Information Commissioner’s Office (ICO), giving innovators and researchers more flexibility in how they use data in their work, and increasing fines for people who misuse data.

In a move guaranteed to catch the attention of consumers, it also proposes to adopt new measures to minimise the number of cookie pop-ups people see online.

Outlining its response at the end of London Tech Week, the government said that data was core to the UK economy, with data-driven trade generating 75% of the country’s services exports, and revenues of £234bn in 2019, and touched both the core of how businesses operate and how people live their daily lives.

“Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower. Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society but retains our global gold standard for data protection,” said digital secretary Nadine Dorries.

“Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.”

John Edwards, the recently appointed information commissioner, said he shared the government’s ambitions and was particularly pleased that the ICO’s concerns around its future independence under the new regime had been taken into account.

“Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms,” said Edwards.

“We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the bill.”

At their core, the reforms hinge on the government’s belief that the European Union (EU) General Data Protection Regulation (GDPR), which transposed into UK law as the UK GDPR after Brexit was finalised, held organisations back from using data in a dynamic way.

It said there was a lack of clarity in the GDPR that led to an overreliance on box ticking, and that the regulation was overly reliant on a one-size-fits-all approach that failed to account for the unique needs of disparate organisations, placing a particular burden on small and medium enterprises (SMEs) and startups. It is these burdens the government is set on removing.

For example, the bill will remove the UK GDPR’s requirements giving organisations little flexibility about risk management, including the need for small business to appoint a data protection officer (DPO) or undertake data protection impact assessments (DPIAs). This will mean, for example, that a small independent retailer working online won’t have to recruit a dedicated data expert provided it can prove it has someone to manage the risks effectively.

In other key areas, the government is proposing to increase fines for nuisance calls, texts and other serious data breaches under the Privacy and Electronic Communications Regulations (PECR) from the current maximum of £500,000 to come in line with GDPR’s limits of up to 4% of global turnover of £17.5m.

The PECR will also be the mechanism by which the government seeks to cut down on the number of cookie consent pop-ups, which currently display every time a user visits a new website. In future, an opt-out model will come into play, reducing the need for users to click through consent banners on every site they visit.

TechUK CEO Julian David agreed that the GDPR as introduced was far from perfect, saying: “The challenge in reforming it has always been how to retain key protections for citizens while introducing clarity and flexibility to enable growth in data-driven innovation and new technologies such as AI [artificial intelligence].

“The reforms announced today find a good balance between making the UK’s data protection system clearer, more flexible and more user friendly to researchers, innovators and smaller companies, while at the same time maintaining levels of data protection in line with the highest global standards.”

David did, however, speak of some outstanding questions around how exactly the reforms will work in practice, specifically around the cookie opt-out system, and proposals for balancing tests with regard to data processing.

“However, on the whole this is a welcome package of reform. TechUK will continue to work closely with the government on these outstanding questions and we look forward to seeing the draft Data Reform Bill in due course,” said David.