The U.K. Department for Science, Innovation and Technology unveiled legislation to modernize the country's use of data to boost the economy by 10 billion GBP, according to departmental estimates.
The Data Use and Access Bill represents the Labour government's latest take on a potential path to modernizing the U.K. General Data Protection Regulation. The most recent reform bill, the proposed Data Protection and Digital Information Bill, failed to pass prior to July's national elections despite extensive debate and discussions by U.K. Parliament.
According to the DSIT, the objectives of the proposed Data Use and Access Bill are three-pronged: utilizing data for the public benefit; implementing enhanced technological and data use practices in law enforcement agencies and the National Health Service; and mapping the country's underground infrastructure.
"(The bill) has the enormous potential to make our lives better, boosting our National Health Service, cutting costs when we shop, and saving us valuable time," U.K. Secretary of State for Science, Innovation and Technology Peter Kyle said in a statement. "With laws that help us to use data securely and effectively, this Bill will help us boost the U.K.'s economy, free up vital time for our front-line workers, and relieve people from unnecessary admin so that they can get on with their lives."
What's old is new again
Taylor Wessing Data Protection and Privacy Partner Victoria Hordern, CIPP/E, CIPT, said a "substantial" portion of the U.K.'s latest data reform proposal calls back to provisions from the prior bill. She said the latest proposal takes different approaches in a couple of key areas, including ambitions of amending the definition of "personal data" and abandoning the potential dilution of U.K. General Data Protection Regulation accountability requirements for data protection officers, records of processing activities and data protection impact assessments.
"The bill steers a course between developing a U.K. approach layered onto a European foundation of data protection law, whilst not severing the cord from an EU framework, which the U.K. needs to keep in order to maintain adequacy," Hordern said in an email.
According to the bill's text, Part I of the legislation would empower the Secretary of State and Secretary of the Treasury to draft subsequent legislation permitting the use of certain business and customer data for economic benefit. Part II of the legislation compels the Secretary of State to set rules "concerning the provision of digital verification services," while creating a verification "trust framework."
As previously proposed in the DPDI Bill, Part VI of the new bill would eliminate the sole data protection powers of the U.K. Information Commissioner's Office and replace the office with a proposed Information Commission that is structured similarly to the Financial Conduct Authority, Competition and Markets Authority, and the Office of Communications.
Despite the proposed restructuring of the ICO, Information Commissioner John Edwards issued a statement saying, "We welcome the introduction of the Data Use and Access Bill in the House of Lords and look forward to seeing it progress through parliament to Royal Assent," while adding the ICO would issue a formal response "in due course."
"This is an important piece of legislation, which will allow my office to continue to operate as a trusted, fair and independent regulator and provide certainty for all organisations as they innovate and promote the U.K. economy," Edwards said in his statement.
Linklaters Partner Richard Cumbley said an important change to the bill shortens the Information Commission's investigatory period for issuing fines for violations to six months, as well as placing the same privacy restrictions on the use of pixel tracking and device fingerprinting as currently exist for browsing cookies. He also noted the Secretary of State's new authority to deem jurisdictions adequate or inadequate with the U.K. General Data Protection Regulation.
"What is left is a large collection of precisely focused stiletto measures to address particular weaknesses of the current regime," Cumbley said in a statement. "Pixel tracking and device fingerprinting are clearly brought on to the same footing as cookies, restricting a perceived loophole widely used by online marketers to avoid cookie rules."
IAPP Research and Insights Director Joe Jones said in the grand scheme, the changes to the U.K.'s data protection regime proposed in the Data Use and Access Bill are in keeping with the prior reform effort.
"While there have been some important nip-and-tuck changes to past proposals to reform the U.K. GDPR, the bill as a whole reflects the emerging view of data as something that not only requires protection where individuals are concerned, but also that data is and can be a strategic and empowering asset as well as a source of risk," Jones said.
International data transfer impacts
The introduction of the legislation comes on the heels of the House of Lords' European Affairs Committee sending a report to Kyle 22 Oct. containing key takeaways and recommendations heading into EU-U.K. data adequacy renewal evaluations by the European Commission prior to the agreement expiring in June of next year.
The report notes that the committee's work was largely centered around reviewing the prior Tory government's DPDI Bill, but anticipates the new legislation would be drafted for the purposes of "covering some of the same issues as its predecessor."
Nonetheless, the committee gives a strong recommendation that renewing EU-U.K. adequacy is a vital necessity, reading in part: "losing EU data adequacy status would impose significant extra costs and administrative burdens on businesses and public-sector organisations which share data between the U.K. and the EU."
"We conclude that adequacy reduces administrative burdens and compliance costs, increases legal certainty, makes the U.K. a more attractive location for investment, and supports digital growth," the report states. "The government should therefore pursue data protection policies that are aimed at retaining the U.K.'s data adequacy status with the EU, under both the GDPR and the Law Enforcement Directive."
The report also outlines potential speed bumps for renewing EU adequacy, such as ensuring the next adequacy agreement is "compatible with the (Court of Justice of the European Union's) case law." It recommends the independence of the data protection regulator must be maintained as the Data Use and Access Bill gets deliberated in Parliament and in any subsequent bills put forward by the Secretary of State and Secretary of the Treasury.
"The (government) should bear in mind that the Commission and European Parliament scrutinised closely the previous government's Data Protection and Digital Information Bill," the report states. "The government should engage with the (European) Commission and other EU stakeholders, in good time, in order to explain and provide reassurance with respect to any planned data protection reforms."
Linklaters Partner Greg Palmer said the Data Use and Access Bill will provide U.K. businesses with legal certainty heading into the likely EU adequacy renewal.
"(The proposed law) will be welcomed by U.K. business; it avoids unnecessary divergence from the EU data protection regime and reduces the risk of the EU deciding the U.K. is not an adequate jurisdiction for transfers of personal data," Palmer said in a statement.
Taylor Wessing's Hordern said that nothing contained in the new bill stuck out as a potential roadblock to renewing EU adequacy.
"I don't think the U.K.'s adequacy will be under threat if the bill becomes law," Hordern said in an email. "There are certain powers for the Secretary of State to introduce further regulations, but these are not wholesale and the disquiet over the potential of political involvement affecting the role of the U.K. regulator has subsided."
Alex LaCasse is a staff writer for the IAPP.