Privacy & Information Security Law Blog

On May 10, 2022, as part of the Queen’s Speech, the UK government announced its intention to introduce a Data Reform Bill (the “Bill”). The UK government’s background and briefing notes to the Queen’s Speech state that the purpose of the Bill is to “take advantage of the benefits of Brexit to create a world class data rights regime…that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.”

The Bill will seek to modernize the UK Information Commissioner’s Office (“ICO”), providing it with the power to take “stronger action” against businesses that breach data rules, while also requiring the ICO to be accountable to Parliament and the public. The background and briefing notes further state that the Bill will focus on a flexible, “outcomes-focused” approach rather than “box-ticking,” and will simplify the rules relating to the use of personal data for research purposes, to promote the UK as a science and technology “superpower.”

The UK government also referred to the UK General Data Protection Regulation (“GDPR”) (inherited as a result of the UK’s former membership in the European Union) and the Data Protection Act of 2018 as “highly complex and prescriptive” legislation that imposes excessive administrative burdens on business while providing little benefit to citizens. The UK will nonetheless seek renewal of the European Commission’s adequacy decision with respect to the UK upon its automatic expiry in 2025, which is required for personal data to continue to flow uninhibited between the EU and the UK. Any change in the UK’s data protection regime that would lower the standard of data protection in the UK may, however, put at risk the UK’s status as an adequate destination for personal data under the EU GDPR.