UK government heralds next step in process of diverging from EU data protection regime, but extent of divergence not yet clear

On 10 May 2022 it was announced in the Queen's Speech at the state opening of Parliament that the UK government will be introducing a Data Reform Bill. The purpose of the bill will be to reform the existing UK data protection regime that has been "inherited" from the European Union following Brexit, namely the General Data Protection Regulation (GDPR).

The announcement follows the UK government's consultation on the existing data protection regime launched in September 2021 called "Data: a new direction", although the conclusions of the consultation have yet to be published. The consultation was the first step in delivering the government's National Data Strategy which hopes to "create an ambitious, pro-growth and innovation-friendly data protection regime". The announcement of the data reform bill signals the next step in the process for changing the UK's data protection regime.

What will be in the bill?

The detailed contents of the bill are still unknown, but reports suggest that the draft could be published in the next few weeks.

The government's consultation from last year and the briefing notes from the Queen's Speech give a little more information about its likely scope. This includes:

  • Removing compliance obligations that are seen as "burdens on businesses" (or "box-ticking" exercises) that currently exist in the current regime and replacing this with a risk-based accountability framework. In the aftermath of the Queen's Speech, some Members of Parliament have suggested that this means the removal of cookie banners. While this was not mentioned specifically in the speech, it is possible – given that the government's consultation document raised the possibility of removing the requirement for cookie consent for some relatively benign uses of personal data, such as website analytics;
  • Making it easier for organisations to make use of personal data for the purposes of innovation and research (this may include clarifying when personal data can be processed for research purposes);
  • Facilitating sharing of citizens' data by government departments to "improve the delivery of services"; and
  • Reforms to the role of the Information Commissioner's Office (the UK's data privacy regulator) to modernise and strengthen its enforcement powers and ensure it is more accountable to government and the public.

How far will the UK data regime deviate from the EU GDPR?

Based on the consultation and the briefing notes, the suggestion is that the Data Reform Bill is likely to lead to de-regulation with respect to personal data in the UK. As yet, without sight of the bill itself, it is unknown exactly how far the UK government will in fact de-regulate and therefore deviate from the EU's data protection regime. This is particularly the case given that any major deviations could call into question the UK's adequacy decision, which currently allows for the free flow of personal data between the European Economic Area (EEA) and the UK.

What will be the likely impact on businesses?

Depending on exactly how the UK government implements these reforms, they could be seen as welcome news to organisations – particularly the removal of burdensome compliance obligations. For larger organisations that operate in both the EEA and the UK, de-regulation under the UK regime may have limited impact where they are still subject to the higher compliance standards in the EEA. As such, some of those most likely to benefit from the changes could be UK SMEs and public sector organisations, as well as those organisations looking to make use of personal data for scientific research.