BCS: UK data reforms must protect data adequacy with EU

Data flows between the EU and UK facilitate commercial success and international safety

Image:

Data flows between the EU and UK facilitate commercial success and international safety

The Government new Data Reform Bill must not risk disrupting data flows between the UK and the EU, says BCS, The Chartered Institute for IT.

The organisation has warned that the new Data Reform Bill also risks politicising the Information Commissioner's Office.

BCS, professional body for Britain's information technology sector, said the proposed modifications to the GDPR laws, outlined in the recent Queen's Speech, must not come at the expense of the UK's current 'data adequacy' agreement with the EU.

Following the UK's exit from the EU at the end of 2020, the UK Government submitted a bill implementing the General Data Protection Regulation (GDPR), the bloc's data protection regulation, as local law.

A year later, the EU issued its data adequacy judgement, declaring that the UK's data protection was adequate to continue data transfers between the EU and the UK. However, it put in place safeguards that enable the European Commission to overturn the decision if the UK's position changes significantly.

These data flows are not limited to commercial interests, but national and international safety as well; for example, it is through data adequacy arrangements that the UK can exchange information on terror suspects with the EU and other third-party countries with an adequacy agreement. These countries include Canada, Switzerland, Argentina and New Zealand.

Last week, the Government announced its intent to create a new Data Reform Bill, which will differ from the GDPR and Data Protection Act. The announcement was made in the Queen's Speech at the Opening of Parliament.

The Government claims the new bill will aim to boost the economy, simplify data-protection legislation, reduce red tape, and ease the burden on companies by establishing a more flexible, outcomes-focused approach and bringing clearer guidelines around personal data usage.

The measures also include ideas to modernise the ICO, to ensure that it has the resources and authority to take tough action against companies that break privacy regulations.

Following the declaration, legal experts urged against deviating significantly from EU rules, fearing it could risk the UK's data adequacy certification with the EU.

Law firm Addleshaw Goddard (AG) said the proposed changes are 'vague enough to be fairly innocuous.'

However, it highlighted numerous areas of the proposed bill that might cause problems for companies, consumers, and the whole industry.

Dr Sam De Silva, chair of BCS's Law Specialist Group, said that any substantial divergence the UK makes in data protection might jeopardise its adequacy status. He hopes the Government will conduct a "thorough and objective" review to determine whether the benefits of the proposed data reform exceed the risk of losing its adequacy status.

"What was in the Queen's Speech in relation to the reform of data protection was not surprising because it generally follows the principles outlined in the Government's Consultation Paper on Reforms to the UK Data Protection Regime - 'Data: A New Direction'," he said.

"However, the devil will be in the detail - which we do not have sight of yet."

While the details of the Data Reform Bill have yet to be released, one rumoured change is the removal of web cookie consent banners that appear when accessing a website.

De Silva out that even if the cookie banners were repealed, businesses would still be required to comply with UK principles of "lawfulness, fairness, and transparency" when using cookies or similar technologies.

"So whilst the change may mean it is easier to comply [with] PECR (Privacy and Electronic Communications Regulations) and would reduce some of the current cookie consent requirements, it will be interesting to see the position in the Bill in relation to consent when cookies are used for marketing, real-time bidding or building profiles of users," De Silva added.

If the Data Reform Bill includes considerable changes, it could lead to a review of the data adequacy ruling.

One important issue might be how the UK manages data transfers to third-party nations that the EU considers untrustworthy data partners.

Whether or not the Data Reform Bill crosses any lines with the EU, the current data adequacy ruling is slated to expire in 2024 and will be reviewed then.

There are alternatives to data adequacy; for example, the USA uses standard contractual clauses to facilitate data flows. However, the Government's own paper on data flows notes that the alternatives are 'more costly and onerous for businesses and public authorities, and are more limited in their application' - especially for SMEs, which make up around 90% of UK firms.