Select an area of expertise to find out more about our experience.
Find out more about our barristers and business support teams here.
In June, the Government published its outline plans for the Data Reform Bill, the first major post-Brexit set of amendments to the Data Protection Act 2018. The focus is on ‘reducing burdens on business’ by, for example, reducing the situations in which a DPO or a DPIA is required for smaller businesses, cutting down on ‘user consent’ pop-ups by an opt-out model for cookies, and providing more clarity around when personal data can be used for research purposes. There are also proposals to ‘modernise’ the Information Commissioner’s Office, by setting it objectives and increasing its accountability to Parliament via the Culture Secretary.
The clear thrust of the Bill is towards taking advantage of the possible benefits that use of personal data can confer, rather than enhancing protection for individual rights and freedoms. But it also does not offer much for businesses and other organisations dealing with data protection issues on a day to day basis. Despite recognition of the burden of data subject access requests, for example, there is no real amendment to the DSAR regime other than a proposal to align the ‘manifestly unfounded or excessive’ test with the ‘vexatious or excessive’ test familiar from s.12 of the Freedom of Information Act 2000. There are no proposals on time limits or to introduce any sort of proportionality requirement for searches, and the idea of a nominal fee or a cost ceiling has been rejected.
There are also no proposals to alter the low bar for bringing either damages claims or s.167 claims in respect of data protection infringements, and the ‘jurisdictional disconnect’ of enforcement variously by the ICO, tribunals and courts is going to continue, despite judicial criticism in cases such as Killock v Information Commissioner [2021] UKUT 299 (AAC).
Broadly, these are fairly limited changes to the DPA and UK GDPR: that’s perhaps unsurprising given the risk to the UK’s data adequacy decision from the EU if there were a wholesale departure from the GDPR framework. It of course remains to be seen if what we will coyly call ‘ongoing political developments’ either lead to even these limited plans being stripped back, or alternatively turbo-charged.
Consultation response on the Data Reform Bill
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.