Comment The UK government's proposed data protection law reform seeks to create a more business-friendly regime, though its implementation could further complicate the international flow of data between Britain and Europe, which potentially outweighs any benefits to business.

Currently, UK and EU businesses can freely share personal data across international borders. However, if the UK departs from European levels of protection, international data transfers could be restricted, presenting EU and UK businesses with a bureaucratic challenge. 

The Data Protection and Digital Information (No.2) Bill was published on 8th March 2023,  hailed by the government as a "Brexit dividend" that would create a more business-friendly data protection regime that promotes growth and innovation, while upholding individuals' rights.

The government claims the Bill "would seize the post-Brexit opportunity to boost the economy by £4.7 billion over the next decade." Despite these bold claims (which mercifully have not been written on the side of a bus) the bill has not had an easy passage through Parliament. This is the government's second attempt to reform the UK data protection regime, the first Data Protection and Digital Information Bill having stalled in 2022.

The (No.2) Bill has passed through the House of Commons and its first and second readings in the House of Lords (track its passage here). Next will be the Committee Stage, during which the Bill will undergo a line-by-line examination.

If adopted, the Bill would make a number of changes to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC) Regulations, 2003, rather than introduce new legislation. Many of the changes appear to be largely cosmetic; for instance, various UK GDPR definitions would be amended, though changes to the definition of personal data potentially narrow the scope of individuals' protection.

Cookies and shakeup at the Commissioners' Office

The Information Commissioner's Office (which enforces data protection law in the UK) would be replaced with a new Information Commission, and granted a number of new powers. The Bill would also simplify the rules on website cookie banners, which for many members of the public is likely to be their most frequent interaction with data protection law. This particular change will be broadly welcomed. 

Perhaps the most significant change is that the Bill would streamline the rules on data transfers, which prohibit the transfer of data outside Europe. Currently, the GDPR prohibits the transfer of personal data from Europe to third countries that do not guarantee an "adequate level of protection." Some "third countries"  have sufficiently robust data protection laws to be granted an "adequacy finding," which enables the free-flow of personal data to continue.

Since leaving the EU, the UK benefits from an adequacy decision made by the European Commission, which rests on the fact that the UK data protection regime is closely aligned with that of Europe. However, the European Commission has indicated that if the UK diverges from European data protection standards, it can and will revoke its decision.

In the absence of an adequacy decision, transfers of personal data from the EU to a "third country" require data-sharing businesses to implement one of a number of safeguards which ensure that the exported data is protected to the standards of the GDPR. These safeguards are mandatory in order for businesses to share information about their customers, suppliers and workers across international borders (even where the transfer is to members of the same corporate group).

The most widely used of these safeguards is the standard contractual clauses, which contractually bind the recipient to protect data to GDPR standards. However, implementing the standard clauses to enable the many data-flow permutations of a multinational business can be resource consuming. The EU-US data protection framework (and the UK extension) is an alternative mechanism, that permits the flow of data to US businesses that have certified to the scheme. However, the scheme is the successor to the EU-US Privacy Shield and its predecessor the US Safe Harbor, both of which were declared invalid by the CJEU, following a legal challenge by privacy activist Maximillian Schrems and there is every chance the data protection framework could go the same way.

Data transfers present a complex challenge to international businesses, that may require significant resources to resolve.   

The Data Protection and Digital Information Bill's proposed amendments to the data transfer rules potentially weaken the protection of individuals' personal data when transferred outside Europe.

If the European Commission were to withdraw the UK's adequacy finding, this would present UK businesses with a bureaucratic hurdle that could well outweigh any of the benefits of the Bill, and raises the question: if it's not broken, why fix it?

However, such concerns may be rendered academic by Parliament's announcement of an extension until 12th December 2024: If the General Election takes place before then and results in a new government, the Bill may never be adopted at all. ®

https://www.theregister.com//2024/03/25/uk_digital_information_bill_feature/