UK Ministers are currently considering a new Data Protection and Digital Information Bill. The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organizations, providing them with greater flexibility on how to comply with certain aspects of the data protection legislation and improving the clarity of the framework.
At Life Science Law we work with organizations to help unravel some of the tricky areas surrounding data privacy to help ensure they keep within the realms of GDPR. We support the initiative of simplifying data privacy and the idea of making it more accessible, yet in practice there are some fundamental issues with what is being proposed, not least the challenges the Bill poses for organizations wishing to act from beyond the realms of the UK.
Here are some issues with the Bill.
Ensuring the right safeguards are in place
One of the key challenges with the proposed Bill is ensuring the right safeguards are in place so that data is protected. The Bill aims to lower safeguards governing data collection and processing in order to reduce the ‘burden’ on business, by, for example, abolishing the statutory requirement for organizations that process data to have an independent Data Protection Officer.
Instead, organizations will designate a senior employee to oversee the organization’s compliance with data protection rules. The Bill also suggests introducing a new, ‘flexible’ accountability regime that allows businesses to decide on how far they will be compliant, based on the scale of their operations and their perceived risks.
International transfer of personal data
Another key challenge is for those businesses wishing to operate outside of the UK. Under the new proposals, organizations would be able to take a risk-based approach to assessing the impact of transferring personal data internationally using standard contractual clauses. This change could present a real risk to the free flow of personal data between the UK and the EU.
Such a risk-based approach may differ from EU approaches, where some data protection authorities have said that the GDPR’s provisions on transfers of personal data to third countries do not allow for this approach.
The very nature of the new Bill is to simplify the UK’s data protection framework, yet in reality for businesses operating outside of the UK it will cause more complexity and more confusion.
More clarity on consents
Finally, the proposed Bill needs to provide more clarity on consents. Currently consent is defined as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
Under the new Bill, if a person gives permission for their data to be used for a specific research project, this consent can be extended (without further permission) to other projects, even if these were unknown at the original time of consent. The idea of the Bill is to reduce consent fatigue, yet although it addresses consent, my fear is that it actually makes things even more complicated.
It will be interesting to see if and how the Bill progresses. The Law Society has aired its reservations about the approach being too business- and innovation-focussed, which may be detrimental to individual rights and protection. The data rights activist body, Open Rights Group, has also commented on the Bill’s restriction of data subjects’ rights within the EU GDPR. Without some urgent changes to the points mentioned above, I perceive some challenging times ahead.
This Article is for information purposes only. It contains our own views and opinions and doesn’t constitute legal advice. You should not act upon this information without seeking legal advice.