The new Data Reform Bill is slated to create more than £1bn in business savings over 10 years, but many are sceptical.
The UK has revealed details of its planned data protection regime as it steers away from the EU’s GDPR, which includes cutting down on cookie pop-ups, tougher fines for nuisance calls and simplifying data requirements around research.
Published on Friday (17 June) as part of London Tech Week, the new details come from the government’s response to a public consultation launched last September. The UK’s aim is to boost business following Brexit by weeding out bureaucracy it claims is associated with EU data laws.
UK digital secretary Nadine Dorries said that the Data Reform Bill can help cement post-Brexit UK as a “science and tech superpower” by making it easier for businesses and researchers to “unlock the power of data” while retaining a “global gold standard” for data protection.
“Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation,” she said in a statement.
The UK’s Department for Digital, Culture, Media and Sport, which has proposed the new regulatory measures, claims that the reforms have the potential to create more than £1bn in business savings over 10 years.
The UK’s answer to GDPR
The EU’s General Data Protection Regulation, or GDPR, came into force in May 2018, promising a new age in privacy rights for Europeans.
But the UK has suggested that the EU model is a “highly complex”, one-size-fits-all approach to data protection that places unnecessary burdens on businesses.
With its new rules, the UK is looking to remove the need for certain organisations such as small businesses to a recruit a data protection officer (DPO) and undertake lengthy impact assessments as stipulated by the GDPR.
“It means a small business such as an independent pharmacist won’t have to recruit an independent DPO to fulfil the requirements of UK GDPR, provided they can manage risks effectively themselves, and they will not have to fill out unnecessary forms where the risk is low,” a government statement said.
However, organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data. “The same high data protection standards will remain, but organisations will have more flexibility to determine how they meet these standards.”
It will increase fines for nuisance calls from companies calling people without consent and other serious data breaches, levying fines of up to 4pc global turnover or £17.5m, whichever is greater.
A new opt-out model of cookie-based data collection also aims to reduce the number of times users have to click on banners to confirm their consent on every website they visit. This will potentially be solved by adding consent through settings in a user’s internet browser.
“The government will work with the industry and the regulator to ensure technology is effective and readily available so people can set their online cookie preferences to opt out via automated means. This will help web users to retain choice and control over how their data is used,” the statement went on.
The UK Information Commissioner’s Office (ICO) is also set for modernisation. It will now have a chair, a chief executive and a board “to make sure it remains an internationally renowned regulator”.
Response
While groups such as the ICO and the Biometrics Commissioner have largely praised the proposed measures, not everyone is happy.
Tech policy and regulation specialist Heather Burns wrote that there was a “bait-and-switch hidden” in the cookie policy announcement and that European risk assessment bureaucracy was being replaced with British bureaucracy.
In response, entrepreneur, engineer and open-source advocate Miguel de Icaza, who recently warned against people jumping into a crypto gold rush, tweeted that there’s “nasty stuff” hiding behind the proposed rules to remove pop-ups.
Prof David Carroll, who famously sued Cambridge Analytica over his personal data and appeared in Netflix’s The Great Hack documentary, also responded with a pithy statement on Twitter: “Britain’s splinternet is going to be really really shitty wow.”
UK-based digital campaigning organisation and privacy advocate Open Rights Group criticised the new rules for narrowing-down choice for users and accountability for law-breakers.
“The government are boldly taking the side of the abusers and the law-breakers: the UK Data Reform Bill will make it the default setting to spy on us, and your burden to opt out of something you never wanted in the first place,” the group said in a statement.
There is also the matter of the UK’s new data laws having to meet the EU’s adequacy standards for the seamless flow of data between the two blocs, which is up in the air until the government issues more clarity on the bill and its proposed reforms.
Meanwhile, Reuters reports that the head of the European Data Protection Board has criticised the poor enforcement of GDPR and said Big Tech investigations should be handled by a central body rather than national agencies, such as the much criticised Irish Data Protection Commission.
Updated, 2.17pm, 20 June 2022: This article was updated to include reference to work by Heather Burns.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.