Background
The UK’s current data protection regime is largely based on European Union (“EU”) regulation, following the incorporation of the EU GDPR into domestic law as the UK GDPR. Following its 2021 consultation, Data: a new direction, and the UK’s departure from the EU, the UK government introduced the Bill to Parliament in July 2022, proposing a range of reforms to the UK GDPR…
New data protection regime
During her speech, Michelle Donelan, the Secretary of State for Digital, Culture, Media and Sport, stated that the current UK data protection regime limited “the potential of (UK) businesses”, and that the new regime will be the UK’s “own business and consumer-friendly British data protection system”. Donelan stated that the new data protection framework would “protect consumer privacy”, whilst retaining “data adequacy so that businesses can trade freely”, specifically referencing the burden that smaller organisations face in complying with the UK GDPR.
The UK government’s rhetoric surrounding the new regime suggests that it may diverge even further from the EU GDPR than the Bill proposed. If the Bill is any indication of how the UK government intends to diverge, the new regime is likely to include:
- changes to the accountability framework, including alternatives to data protection impact assessment requirements;
- changes to data subject access requests, to bring such requests in line with the UK’s freedom of information regime;
- changes to the requirements for international data transfers; and
- reform of the ICO and its powers.
Divergence from the EU GDPR
Whilst a simpler data protection regime is likely to be welcomed by organisations in the UK, significant divergence from the EU GDPR may create additional complexity for organisations that need to comply with both UK and EU data protection laws. Central to both regimes are the requirements governing the transfer of EU or UK personal data, respectively, to countries deemed not to have an “adequate” data protection regime in place.
As it stands, the European Commission has found the UK data protection framework to be “adequate”, which means that personal data may flow freely from the EU to the UK without the need for additional transfer safeguards. The UK’s current adequacy status will be reviewed in 2024.
Divergence from the EU GDPR in the UK’s proposed new regime may result in the UK losing its adequacy status, on which UK organisations that transfer personal data from the EU to the UK rely heavily. Where organisations process both EU and UK personal data, any divergence between the two regimes is likely to increase their data protection obligations, since they will have to ensure compliance with two sets of rules. This could be costly and time consuming, and will require cross-border organisations to keep abreast of developments under both regimes.