The Queen’s Speech confirmed the government’s intention to bring forward a Data Reform Bill, but some in the tech sector are concerned about the impact of the UK’s potential divergence from European data protection standards.
Delivered by Prince Charles on 10 May, the Queen’s Speech made clear the government’s intention to reform the UK’s data protection regime by introducing legislation which, according to the government’s explanatory notes, will “take advantage of the benefits of Brexit to create a world-class data rights regime”.
It said the bill “will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK”.
The government claimed that the UK’s General Data Protection Regulation (GDPR) and the Data Protection Act 2018 are “highly complex and prescriptive pieces of legislation” that “encourage excessive paperwork, and create burdens on businesses with little benefit to citizens”.
It said the new bill would: ultimately increase the competitiveness and efficiency of UK businesses; ensure data is used to empower citizens and improve their lives; create a clearer regulatory environment; provide people with greater clarity on their data rights; and “cement the UK’s position as a science and technology superpower”.
The bill is also intended to modernise the Information Commissioner’s Office (ICO) and increase industry participation in “smart data schemes” designed to give citizens and small businesses more control of their data.
Despite the government’s commitment to creating a “first-rate data rights regime” with stronger enforcement, some are still concerned about the UK’s direction of travel when it comes to privacy and data protection standards.
Mahlet Zimeta, head of public policy at the Open Data Institute, for example, said the Data Reform Bill represented a “fork in the road” for the UK’s digital economy. “A Data Bill that is just a bonfire of regulations would be a missed opportunity,” she said. “The government must build on existing data protection laws and lead the world with a future-facing data governance regime.”
Zimeta added that while “ministers may be tempted to think that slashing red tape around data use will support small businesses and help the UK to become a science superpower”, there is a risk that this could backfire and end up weakening the UK’s data economy in the long term “if public trust is impacted, or economic growth from data use is not sustainable, inclusive and equitable”.
Eleonor Duhs, a partner and head of data privacy at law firm Bates Wells, said that while the reforms are likely to result in significant savings for businesses, other changes will remove protections that individuals have enjoyed under data protection law for decades.
Many of the potential changes referred to by Duhs are outlined in a consultation on proposed changes to the UK’s data landscape, which was launched on 9 September 2021.
Entitled Data: a new direction, the proposals suggested removing organisations’ requirements to designate data protection officers (DPOs), ending the need for mandatory data protection impact assessments (DPIAs), and introducing a “fee regime” for subject access requests (SARs).
In June 2021, the government’s Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) published a report that recommended ditching the UK GDPR’s Article 22 protections, which give people “the right not to be subject to a decision based solely on automated processing, including profiling”.
Although the government is yet to formally respond to the consultation, it noted that the TIGRR proposal is actively being considered, and that “such a change would remove the right not to be subject to a decision resulting from ‘solely automated’ processing if that decision has legal or ‘similarly significant’ effects on data subjects”, adding: “This would mean that solely automated decision-making in relation to personal data would be permitted.”
But Duhs said: “Denying people the right to review decisions made by computers is contentious and the negative impact on individuals could be dramatic.
“Computer algorithms often have in-built biases and eliminating humans from the equation could lead to people being discriminated against, which in turn may result in litigation.”
These changes could also impact the use of algorithms and surveillance technologies in the workplace, with UK trade unions warning about the dangers of unchecked technology deployments by employers in recent months.
In March 2022, for example, the Trades Union Congress (TUC) said the intrusive and increasing use of surveillance technology in the workplace was “spiralling out of control”, and could lead to widespread discrimination, work intensification and unfair treatment without stronger regulation to protect workers.
“Employers are delegating serious decisions to algorithms – such as recruitment, promotions and sometimes even sackings,” said TUC general secretary Frances O’Grady at the time. “Workers must be properly consulted on the use of AI and be protected from its punitive ways of working.”
Specialist technology workers union Prospect has also been calling for collective bargaining over how technology is deployed in the workplace, even publishing guidance to help workers negotiate with employers on the matter in February 2022.
Responding to the Data Reform Bill announcement, Prospect research director Andrew Pakes said: “Data protection is more important than ever with the rise of surveillance software both at work and in our communities. We need to ensure that the UK is building world-class data rights, rather than engaging in a race to the bottom on privacy and standards.
“The government needs to be clear that the Data Bill will not ditch data rights or be a green light for business that they can ignore human oversight over how our data is used at work.”
Jonathan McDonald, a partner at international law firm Charles Russell Speechlys, added: “We will only have a clear picture of the proposed reforms once the government officially responds to the consultation it opened in September.
“There remains, of course, huge speculation over what it may, and should, entail. An end to cookie banners? A greater focus on clamping down on nuisance spam emails and telephone calls, which, as the ICO pointed out in its response to the September consultation, still generate more complaints than anything else; or, alternatively, something more fundamental altogether?
“And if we have something more fundamental, how will this affect data flows between the UK and Europe? This remains an ever-evolving space.”