GDPR reforms must protect the UK’s data adequacy arrangement with the EU, warns IT body
Proposed changes to Britain’s GDPR rules, announced in the recent Queen’s speech, must not put the flow of data between the EU and the UK at risk, according to the professional body for information technology.
BCS, the Chartered Institute for IT said the benefits of a leaner data protection regime should not come at the expense of the UK’s current ‘ data adequacy’ arrangement with the EU.
The Government said in the Queen’s speech it was keen to replace “highly complex” data protection laws inherited from the EU, post-Brexit with a new Data Reform Bill.
The Bill would be used to reform existing General Data Protection Regulation (GDPR) and the UK Data Protection Act – to streamline data protection laws and cut red tape.
The changes are intended to help increase the competitiveness of UK businesses and boost the economy. The government also claims the move will make things easier for businesses by creating a more flexible, outcomes-focused approach “rather than box-ticking exercises” while also introducing clearer rules around personal data use.
Details of the proposals are yet to be published, but it is also expected that web cookie consent banners that appear when visiting a website could be scrapped as part of the reforms.
Dr Sam De Silva, Chair of BCS’ Law Specialist Group and a technology and data partner at international law firm CMS said: “What was in the Queen’s Speech in relation to the reform of data protection was not surprising, because it generally follows the principles outlined in the Government’s Consultation Paper on Reforms to the UK Data Protection Regime – ‘Data: A New Direction’.
“However, of course the devil will be in the detail – which we do not have sight of yet. If that detail reveals that the web cookie consent banners are to be removed, whilst that appears radical, organisations would still be required to comply with the UK GDPR principles on lawfulness, fairness and transparency when using cookies or similar technologies.
“So whilst the change may mean it is easier to comply PECR (Privacy and Electronic Communications Regulations) and would reduce some of the current cookie consent requirements, it will be interesting to see the position in the Bill in relation to consent when cookies are used for marketing, real-time bidding or building profiles of users. The latter of course is where the majority of the tracking activity by organisations is done.
“Of course, any material deviation the UK adopts in relation to data protection does risk its adequacy status so I hope there will be a detailed and objective analysis undertaken to assess whether the benefits from UK’s data reform outweigh the risks of not continuing to have an adequacy status.”