UK Data Protection Reform: Implications of divergence from the GDPR

Blog post

The publication of the post-Brexit UK Data Protection and Digital Information Bill (Data Reform Bill) in July 2022 signalled the UK Government’s intention to diverge from European data protection law in several critical areas. This blog post analyses this regulatory divergence and its potential implications, not only for UK-EU trade and relations, but also for data subjects’ rights.


In the digital age, as more public and private services are delivered using personal data and technology is fuelling opportunities to exclude and to reproduce prejudices at scale, protecting individuals from harmful or discriminatory uses of their data is central to fair outcomes for all. As a result, the EU’s General Data Protection Regulation (GDPR) is rapidly becoming a key tool for organisations seeking equal outcomes and the prevention of discrimination.

Data protection law in the UK is today spread across multiple legal instruments. The core instrument remains the GDPR 2016, as retained post-Brexit by the European Union (Withdrawal) Act, and amended by various pieces of secondary legislation. This instrument as amended is informally known as the “UK GDPR”. This data protection framework should ensure that individuals can trust that their data is used fairly and responsibly by businesses and other organisations.

The publication of the post-Brexit UK Data Protection and Digital Information Bill (Data Reform Bill) on 18 July 2022 signalled the UK Government’s intention to diverge from European data protection law in several critical areas. With a new Conservative Government in place from September 2022, it is likely that the final content of any Data Reform Bill will go even further in departing from the GDPR. The new UK Secretary of State for Digital, Culture, Media and Sport announced in October 2022 that the government “will be replacing GDPR with our own business and consumer-friendly British data protection system.” In doing so, the UK may lower its standard of protection and accountability for data subjects’ rights below the EU’s.

These changes come at a time when technology is already fuelling opportunities to exclude and to reproduce prejudices at scale, for example by harming mental health, fuelling addictions, violating employment rights, or discriminating against marginalised communities.

This blog post considers some of the main areas of likely divergence between the UK and EU on data protection law (as currently outlined in the Data Protection and Digital Information Bill) and their potential implications, not only for UK-EU trade and relations, but also for data subjects’ rights.

Novel “regulatory-making power” for ministers

The Data Reform Bill will allow the UK Secretary of State for Digital, Culture, Media and Sport (DCMS) to modify or override existing protections.

This novel “regulatory-making power” would allow the UK Government to introduce new legal grounds for processing data and to grant blanket exemptions that threaten the principle of purpose limitation, a principle enshrined in the GDPR that prevents data collected for a specified purpose from being used for a new, incompatible purpose. The new Bill would also allow the UK Government to modify legal provisions regarding data rights, international data transfers, and the functioning of the Information Commissioner’s Office, the UK supervisory authority currently responsible for overseeing compliance with the UK GDPR.

The UK Government argues that these measures will help develop a “dynamic” data protection framework that evolves and adapts to relevant external developments. However, the introduction of far-reaching regulatory powers for the Secretary of State for DCMS could have significant implications for business, which may face the task of navigating rapidly changing regulatory requirements, to the detriment of clarity and legal certainty.

The EU GDPR, by contrast, allows flexibility within a principle-based framework that is defined in advance, thus preventing sudden or incoherent changes.

Restrictions to data subjects’ rights

Where data subjects’ rights under the GDPR are meant to reduce power imbalances between data subjects and businesses and organisations, a UK Data Reform Bill could further empower organisations to resist data subjects’ requests.

The GDPR gives individuals a set of data protection rights that can be asserted against those who are using personal data. Under the UK GDPR, for example, individuals have the right to access and receive a copy of their data. Subject access requests (SARs) give individuals control over their personal data: they allow individuals to understand how their data is being processed and the consequences of such processing, and to verify the legitimacy of data uses. Individuals do not need to justify the reason for their request, and organisations cannot charge individuals for exercising their rights unless they can prove that the request is “manifestly unfounded or excessive”.

The UK Data Protection Bill could make it harder for individuals to exercise their data rights by changing the threshold at which organisations may refuse, or charge a fee for, a data subject access request from “manifestly unfounded” to “vexatious”. This proposal has more profound implications than it may suggest. Data subjects’ requests could be refused for reasons outside of their control, such as “the resources available to the controller”. It would also allow organisations to request information on the purpose of a request, which could intimidate individuals who are in a position of vulnerability.

Furthermore, the conditions to impose fees or reject data subjects’ requests are left to the discretion of the organisation that receives the request.

Automated decision-making and Article 22

As more public and private services utilise the profiling of personal data through automation and Artificial Intelligence, fair and transparent use of data is needed to stop discrimination, exclusion and the reproduction of prejudices at scale.

The EU GDPR contains provisions which prevent a significant, solely automated decision from being made about an individual unless there is a legal basis. Such a basis could be explicit prior consent, necessity for entering into a contract, or a legal obligation on the part of the data controller to make such a decision.

The UK Data Protection Reform proposes to weaken these provisions by restricting the general prohibition provided by Article 22 of the EU GDPR against solely Automated Decision Making (ADM). The general prohibition would only be retained under Article 22B for ADM that involves the use of sensitive data, such as ethnicity or religious belief. In turn, ADM that does not involve the use of sensitive data could be freely deployed, even against the will of the individuals who are subject to these decisions.

International data transfers and UK-EU adequacy

Data-reliant businesses in the UK often rely on data flowing across borders. Where that data is personal, to move it from the EU to the UK requires an authorising legal basis. While many options are available for this, only an adequacy agreement offers reliability and low administrative cost.

Adequacy decisions — which permit cross-border transfer of data — are made by the European Commission if the country has an equivalent level of data protection to the European Union, ensuring that individuals can rely on the foreign legal system to protect their rights.

The UK adequacy decision is the only adequacy decision that the EU has ever made which includes a specific sunset clause (27 June 2025). In other decisions, no time limitation has been set, but the European Commission has included a review obligation to continuously monitor relevant developments and regularly review the adequacy decision. As a result, there is real concern that both changes to the UK data protection regime, as well as analysis on intelligence co-operation with the USA and data transfers between these intelligence agencies, may threaten this decision and cause significant costs for the UK economy.

The Data Reform Bill would also change how adequacy determination is carried out by the UK. The UK is advancing its own “adequacy” style regime, which includes adopting materially lower data protection standards than the EU.

The requirement to provide an “essentially equivalent level of protection” is superseded by a “data protection test.” The result will be a shift in focus from assessing the level of protection afforded to individuals towards the desirability of data transfers and other political priorities the UK Government may have.

In the case law of the European Court of Justice, the existence of judicial remedies, including remedies against data processing for foreign intelligence surveillance purposes, also plays a pivotal role in determining adequacy under the EU GDPR. In the new UK Data Reform Bill, considerations regarding foreign intelligence surveillance regimes are excluded, and requirements concerning judicial or administrative redress are significantly lowered.

Reform of the UK Data Protection Authority

The UK’s Data Protection Authority, the Information Commissioner’s Office (ICO), would undergo significant transformation, in a way that may undermine its status as an independent supervisory authority. For instance, the Information Commissioner could be compelled to have regard to a “statement of strategic priorities” issued by the Secretary of State. The Secretary of State is also given the power of approval over “appropriate codes of conduct” and over the Commissioner’s salary, which creates the potential for compromised neutrality.

The UK Data Protection Reform will make Records of Processing Activities and Data Protection Impact Assessments – a process to help identify and minimise the data protection risks of a project – voluntary and subject to the discretion of the data controller. In practice, this would shift the burden of demonstrating compliance with the UK data protection regime from the data controller to the Information Commissioner. This could constitute a further obstacle to the effective oversight of how data is used.

The GDPR mandates a Data Protection Authority to “execute its responsibility for ensuring that the GDPR is enforced with all due diligence.” In contrast, the UK Data Protection Reform would give the ICO discretion to refuse to act on a complaint if the data subject did not attempt to resolve it first with the data controller, or if 45 days have not passed since the complaint was filed.

The potential implications of divergence

In the UK Data Protection Reform, the UK Government proposes to lower the standard of protection and accountability for data subjects from the current standards outlined in the EU’s GDPR.

Blanket exemptions to the principle of purpose limitation and the power to introduce new lawful grounds for processing seem to be at odds with the principles of necessity and proportionality that originate from the case law of the European Court of Human Rights.

The UK is advancing its own “adequacy” style regime, which includes adopting materially lower data protection standards than the EU. A significant concern this raises is that data might enter the UK from the EU under the existing adequacy decision, and then leave to another country that has not been granted EU adequacy, for example, because of its intelligence regime or generally low levels of data protection.

The UK’s adequacy status is subject to ongoing monitoring by the European Commission. However, the UK Data Protection Reform raises questions regarding the arrangements to monitor and possibly revoke the UK-EU adequacy decision in the face of sudden regulatory developments. Given the novel regulatory-making powers that the UK Data Protection Reform would confer on UK Ministers, for example to introduce new legal grounds for processing data or to allow blanket exemptions, such sudden developments and the shifting regulatory environment they would create could become the new normal.

Where the EU adequacy system focuses on the effective protection of data subjects’ rights, the UK regime tends to lean toward the interests of either the Secretary of State or the organisation that authorises or carries out the data transfer.

Changes to the duties, scope and relationship between the UK Government and the UK’s supervisory authority, the ICO, also raise concerns about the independence of the latter and the effectiveness of its oversight functions.

There is the risk that the European Commission may intervene if any changes to the UK’s data protection rules lower the level of data protection in the EU. The UK Government's desire to diverge from the EU by reducing barriers to data flows could threaten its own adequacy status within the EU, potentially costing UK businesses an estimated £1 billion to £1.6 billion.