HighlightsPrivacy espresso seriesResourcesJuly 21, 2022What’s in the UK Government’s data protection reform proposal

In this privacyespresso our UK expert, Kim Walker from the law firm Shakespeare Martineau, illustrates the recent data protection reform proposal published by the UK Government as a response to its consultation “Data: a new direction” opened on September 2021.

According to Kim, the consultation aimed to reduce the GDPR’s burdens for UK businesses and led to some interesting revision requests. Also, the proposal seems less radical than initially expected, leading to positive expectations in terms of its coexistence with the EU regulation. This may not be casual, as the UK businesses have no interest in losing the UK adequacy recognition by the EU.

However, there are relevant changes still, such as:

– Removal of the DPO requirement.

– Removal of the mandatory requirements for a record of processing activities (ROPA) and for a data protection impact assessment (DPIA). Both activities will be replaced by a risk-based and more flexible series of requirements.

– Creation of a “whitelist” of cases for legitimate interest recognition. This should simplify the process of using it as a legal basis for data.

– Removal of the opt-in consent for website trackers and, possibly, of the cookie banners, when only “non-intrusive” cookies are used. This is probably the farther proposal from EU regulations and rulings as the definition of an intrusive and non-intrusive cookie is not that plain.

If implemented, this proposal may create some risks for UK businesses. In particular, the fact that the suggested structure is less prescriptive raises concerns about the quality level of the new privacy standards, also in respect of the EU-GDPR requirements. In line with these uncertainties, some experts fear this may lead to a step back of the EU institutions in keeping the adequacy decision with the UK alive.

At the moment, such a scenario seems mitigated by the fact that the proposal does not seem to be too disruptive, and that the EDPB has recently stated it will consider some aspects of the UK proposal for the next GDPR revisions. However, a relevant probe will come when the UK reaches an adequacy decision with the US, as this may lead to a much stronger reaction from the EU.