The UK Government has proposed a more "business-friendly" set of privacy rules in a Data Bill. Critics have said the proposals will remove protections against corporations spying on consumers.
The Data Reform Bill, published today by the Department of Culture Media and Sport, will make it easier to use cookies to gather information, and remove some data protection demands on companies. It effectively creates a "UK GDPR" with fewer requirements than the European GDPR, which the UK is no longer required to commit to since leaving the EU. Alongside those provisions, it will increase penalties on companies pestering people with nuisance calls.
The Bill was announced during London Tech Week, a government-backed industry event.
Unlocking business?
The government claims that the Bill will reduce unnecessary paperwork, and save £1 billion over ten years, while "unlocking the power of data" by allowing businesses to use it more freely. It also promises to give scientific research easier access to personal data.
Businesses will no longer be required to appoint a Data Protection Officer, or keep a record of processing activities, or undertake data protection impact assessments, although there will be a requirement to have a "privacy management programme".
Websites will be able to use a wider range of cookies without seeking visitors' consent, a move that the Government hopes will eliminate cookie popups. Fines for unlawful use of cookies will increase from a maximum of £500,000 to a maximum of £17.5m or 4 percent of global annual turnover (whichever is higher). The data regulator, the Information Commissioner, will have a different title and a reorganized office, which will have tougher powers on nuisance phone calls.
"Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower," said Digital Secretary Nadine Dorries. "Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection. Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation."
The Bill was promised in the legislative program set out in the Queen's Speech this year, and comes in response to a consultation launched in September 2021 about the use of data by British businesses that trade abroad.
The eventual Bill is less sweeping than the complete removal of GDPR powers, which some had feared. Critics like the Open Rights Group earlier pointed out that there is no evidence that EU GDPR is actually hampering business - in fact, business is thriving.
The DCMS says data-driven trade generated nearly three-quarters of the UK’s total service exports and generated an estimated £234 billion for the economy in 2019, all under the current GDPR regime.
John Edwards, UK Information Commissioner, said: "I am pleased to see the government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms."
Some critics feel the proposed bill still goes too far: "These irresponsible proposals will endanger consumers and make it easy for businesses to spy on you, build machines to judge you, and wait for you to work it out," said Mariano delli Santi, data protection campaigner at Open Rights Group. "Discrimination against minority groups will be easier, and it will be harder for people to challenge the government or corporations."
delli Santi warned of divergence from the EU's GDPR: "They risk leading to a massive and expensive rupture with the EU, making data transfers costly for UK businesses, costing jobs during an economic downturn."
Jon Baines, Senior Data Protection Specialist at Mishcon de Reya LLP, is less worried, commenting: "The Government is not taking forward a lot of the proposals it mooted last year, but this is still a major proposed set of changes. Many of the proposed reforms are clearly intended to be business-friendly.
"The UK will, though, keep the current 'UK GDPR' framework, which is strongly tied to the EU's GDPR. There is still a risk, though, that the European Commission will see some of the changes as a 'step too far' and lead it to review the current 'adequacy' framework permitting free transfer of personal data between the EU and the UK."