Further details of the UK government’s GDPR replacement legislation, the Data Protection and Digital Information Bill, have been published and experts warn that if it becomes law the ability for companies to easily share data between the EU and UK could be put at risk.
The post-Brexit data legislation, formerly known as the Data Reform Bill, includes rules on web cookies, changes to the Information Commissioner’s Office (ICO) and updated compliance rules for businesses. Many of the details were released last month as part of a preview of the data reform legislation, but the latest update includes specific details on the proposals.
Matt Warman, minister for media, data and digital infrastructure, summarised the reforms in a ministerial statement to parliament. He said that through the bill “we will realise the opportunities of responsible data use whilst maintaining the UK’s high data protection standard,” noting that countries are not required to have the same rules in order to be granted data adequacy.
The concept of data adequacy is used by the EU to describe other countries, territories, sectors and organisations that it deems to provide an “essentially equivalent” level of data protection to that which exists within the EU, according to the ICO.
A data adequacy agreement was signed between the UK and EU last year, despite some opposition from MEPs, allowing free flows of data to continue across the channel. But this will be reviewed by European lawmakers on a regular basis as the UK changes its domestic data legislation. Were the agreement to be voided by the EU, UK businesses could lose more than £1bn in reduced trading revenue and £420m in compliance costs over five years, according to government figures shared by the Centre for European Reform.
But Warman said: “The EU does not require countries to have the same rules to grant adequacy, so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”
UK data protection and digital information bill: problems ahead?
Current GDPR legislation meets this requirement but this is unlikely to be the case with the new regime, according to Mariano delli Santi, legal and policy officer at civil society organisation Open Rights Group. He told Tech Monitor a major sticking point will be around changes to the ICO that essentially “transform it into a government-controlled authority”.
“The UK Data Protection Bill severely restricts data subjects’ rights, substantially abolishes the right to human review of automated decisions, hollows out the principles of purpose limitation and lawfulness, and transforms the ICO into a government-controlled authority,” he says.
“Any of these provisions is substantially incompatible with the EU General Data Protection Regulation. Beyond the government’s wishful thinking on the matter, if this ever becomes law there is absolutely no chance that the UK adequacy decision will stand.”
A sticking point for a number of analysts and experts is around the rights and control the legislation gives to the secretary of state. Michael Veale, associate professor in digital rights and regulation at UCL tweeted that this change “overshadows everything”, particularly the ability to “amend anything they feel like about the text […] through regulations, circumventing parliamentary debate”.
Overshadowing everything is an ability for the Secretary of State to amend anything they feel like about the text of the UK GDPR through regulations, circumventing Parliamentary debate. This should not happen in a parliamentary democracy, is an abuse of powers, and must not pass. pic.twitter.com/tvvLSdozS2
— Michael Veale (@mikarv) July 18, 2022
In his statement Warman said the changes to the structure and objectives of the ICO will be modernised so that it “remains an internationally renowned regulator”, explaining that this will see it gain increased investigatory powers to keep pace with changing practices.
“The ICO will remain operationally independent while enabling the public and parliament to more effectively hold it to account through key performance indicators,” he declared.
“The secretary of state becomes the political master of the ICO,” Delli Santi says. “This makes the use of personal data by the government and other public authorities substantially unsupervised, and exposes the entire function of the ICO to political manipulation, corporate capture, and cronyism.”
Risk from secretary of state
Overall, the new legislation balances the need for protections with reducing the burden on businesses and is unlikely to put our adequacy with the EU at any risk, argues Jo Joyce, senior counsel from law firm Taylor Wessing.
“There is a lot of fiddling around here but there is nothing in my view that brings us outside the adequacy,” she says. “What this does is effectively make changes around the ICO which will not trouble the EU as there are relatively large differences over how regulators operate throughout the EU already.
“There is definitely less autonomy for the ICO, or at least more parliamentary oversight. That is in my view unlikely to create problems from an EU perspective as the extent to which supervisory bodies are fully independent varies, although it is likely changes around ICO autonomy and powers is likely to be the most commented on.”
The secretary of state being given the power to amend the text by statutory instrument, rather than taking changes to the legislation back to parliament, could cause concern for the EU, Joyce says. As drafted, the law contains minimal provisions for scrutiny.
“It puts a lot of power in the hands of the secretary of state,” she says. “That isn’t something that is likely to trouble the EU of itself because, while it isn’t a European way of doing things, other countries with adequacy such as Japan have very different ways of updating legislation.”
She adds that the risk is in future amendments with “unforeseen consequences”, explaining: “The fact the secretary of state has the power, without laying a bill before parliament, to do things with minimal consultation is concerning. It may require changes to the legislation before it is put to parliament. I think some of the stuff around scrutiny timeframes, what the secretary of state has to do to make amendments may change.”