You may recall towards the end of 2021 that the UK government announced that it was looking to “overhaul” the UK’s data protection regime and introduced a consultation which looked at specific GDPR and PECR controls. On the 10th May 2022, Prince Charles delivered the Queen’s speech at the State opening of Parliament (for a new term) in which the government’s plans and legislation are listed for the forthcoming parliamentary session. Within the speech is a mention of the plan to overhaul UK data protection laws.
Although to be honest, that was pretty much all that Prince Charles said, so we still need to wait for the detail, some of which might come out during parliamentary discussions, but generally we will need to look out for the publication of what is being called the Data Reform Bill, which will have the detail.
It’s still some time off in terms of expected implementation, and there is always a possibility (although I suspect a remote possibility) it won’t be implemented, as not all Bills announced in the Queen’s speech go ahead to become legislation (particularly if there is a a lot of opposition to them).
Here’s a list, based on the consultation, of what the Data Reform Bill might contain:
- The removal of some of the accountability obligations, replacing them with a more “flexible and risk-based” approach
- Some changes to the process for dealing with subject access requests including the re-introduction of a fee regime
- An alternative approach to the use of cookies that either does not require consent for analytical cookies or allows the use of cookies for limited purposes without consent. Furthermore, to help cookie banner fatigue, empower users to use software or browser settings to pre-set their cookie preferences
- Extension of the “soft opt-in” rules in PECR to non-business organisations
- More powers to the ICO for enforcing phone marketing rules (to tackle nuisance calls)
- PECR fines to be increased inline with GDPR fines
- More countries to be added to the UK list of adequacy regulations (i.e. more countries deemed to have adequate data protection and presumably more than approved by the EU) based on risk-based assessments and may be made against regions or groups of countries that share the same data protection values.
- Where adequacy is not appropriate, the government plans to review alternative transfer mechanisms and possibly empower businesses to identify or create their own (not sure how this might factor in with the ICO’s new IDTA)
- Reform of the ICO including introducing statutory objectives and duties of the ICO, with the Secretary of State being able to set ICO priorities (as they do with other regulators like Ofcom, Ofgem, etc.)
- Possible reforms of the way complaints are handled, with an expectation that a complaint should not be raised with the ICO until it’s been raised with the controller and that there should be a requirement on controllers to have a transparent complaints handling process
- Changes to any perceived barriers to allow “responsible innovation” for research purposes
- An update on the use of personal data for political campaigning
The BBC have been covering the Queen’s speech including providing a recording of Prince Charles delivering the speech: https://www.bbc.co.uk/news/av/uk-politics-61394791 although as I say there is only a brief mention of data protection reform (at approx. 4mins 26secs).
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR