Out-Law News 2 min. read
06 Sep 2022, 3:02 pm
Reforms to UK data protection law face delay after a scheduled parliamentary debate on the legislative proposals was postponed on Monday.
A second reading of the UK Data Protection and Digital Information Bill was withdrawn from the day’s House of Commons business “to allow ministers to consider the legislation further”, Commons leader Mark Spencer told MPs on Monday afternoon. The move followed the announcement of the election of Liz Truss to the leadership of the governing Conservative party at lunchtime yesterday. No new date has yet been set for the second reading of the Bill to take place.
The Bill was introduced into parliament in July following a major consultation the government held last year on reforming the UK General Data Protection Regulation (GDPR) and other privacy legislation that has its origins in EU law.
Data protection law expert Rosie Nance of Pinsent Masons said: “It is likely that the new government will take forward reform of the UK GDPR in some form.”
“One of Truss’s main pledges has been the ‘bonfire’ of EU red tape to remove retained EU laws from the UK statute book. However, the Department for Digital, Culture, Media and Sport (DCMS) drafted the current text of the Data Protection and Digital Information Bill with the stated intention of promoting an evolution rather than a revolution in UK data protection law. It remains to be seen whether there will be a change of tack under a new prime minister and secretary of state in the DCMS, following the resignation of Nadine Dorries who had sponsored the Bill,” she said.
One of the main changes proposed under the Bill concerns the international transfer of personal data.
Under the proposals, organisations would be able to take a risk-based approach to assessing the impact of transferring personal data internationally using mechanisms such as standard contractual clauses (SCCs).
At the time the Bill was introduced, Pinsent Masons experts highlighted how this change could present a risk to the continued free flow of personal data between the UK and EU.
“This risk-based approach may be at odds with the approach in the EU, where some data protection authorities have said that the GDPR’s provisions on transfers of personal data to third countries do not allow for a risk-based approach,” they said. “Organisations are likely to be keen for a simplification of their processes around international transfers. However, if concerns around the UK's approach to onward transfers lead to the UK losing its EU adequacy status, the government has admitted that the costs of this change would outweigh the benefits.
Pinsent Masons’ comments were recently cited in a research briefing on the Bill for the House of Commons Library (98-page / 1.11MB PDF).
Nance said: “Any reform that marks a significant departure from the principles of the EU GDPR is likely to jeopardise the UK’s chances of having its adequacy status renewed in less than three years, or even result in a withdrawal before then. Companies that do business in and with the UK might then face two additional remediation programmes while the memory of GDPR is still fresh: one to comply with the new laws in the UK, and another to meet the Schrems II requirements for data flows to the UK as a third country.”
Nance will be discussing the future of the Data Protection and Digital Information Bill at an event being hosted by industry body techUK on Thursday 15 September 2022.
Pinsent Masons is hosting an event on international data transfers, and what businesses need to do ahead of two approaching compliance deadlines, on Tuesday 20 September – registration for the event is open.