Is the proposed Data Protection and Digital Information Bill fit for purpose?
A new Data Protection and Digital Information Bill is currently being considered by UK ministers. The Bill has been created to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations, providing them with greater flexibility on how to comply with certain aspects of the data protection legislation and improving the clarity of the framework.
However, in practice there are some fundamental issues with what is being proposed in the Bill. I support the initiative of simplifying data privacy and the idea of making it more accessible, yet, there are some real challenges the Bill poses for organisations wishing to act from beyond the realms of the UK.
International transfer of personal data
For those businesses wishing to operate outside of the UK, under the new proposals, organisations would be able to take a risk-based approach to assessing the impact of transferring personal data internationally using standard contractual clauses. This change could present a real risk to the free flow of personal data between the UK and the EU.
Such a risk-based approach may differ from the EU approaches where some data protection authorities have said that the GDPR’s provisions on transfers of personal data to third countries do not allow for this approach.
The very nature of the new Bill is to simplify the UK’s data protection framework, yet, in reality for businesses operating outside of the UK it will cause more complexity and more confusion.
Ensuring the right safeguards are in place
Another one of the key challenges with the proposed Bill is ensuring the right safeguards are in the place so that data is protected. The Bill aims to lower safeguards governing data collection and processing in order to reduce the ‘burden’ on business, by, for example, abolishing the statutory requirement for organisations that process data to have an independent Data Protection Officer.
Instead, organisations will designate a senior employee to oversee an organisation’s compliance with data protection rules. It also suggests introducing a new, ‘flexible’ accountability regime that allows businesses to decide on how far they will be compliant, based on the scale of, and their perceived risks of, their operations.
More clarity on consents
Finally, the proposed Bill needs to provide more clarity on consents. Currently, consent is defined as ‘any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
Under the new Bill, if a person gives permission for their data to be used for a specific research project, this consent can be extended (without further permission) to other projects, even if these were unknown at the original time of consent. The idea of the Bill is to reduce consent fatigue, yet, although it addresses consent, my fear is that it actually makes things even more complicated.
It will be interesting to see if and how the Bill progresses. The Law Society has aired its reservations surrounding the approach for being too business- and innovation-focussed, which may be detrimental to individual rights and protection. The data rights activist body Open Rights Group has also commented on the Bill’s restriction of data subject’s rights within the EU GDPR. Without some urgent changes to the points mentioned above, I perceive some challenging times ahead.
*This Article is for information purposes only. It contains my own views and opinions and doesn’t constitute legal advice. You should not act upon this information without seeking legal advice.
About the author
Wendy Lloyd Godwin is the founder of Life Science Law. She is a solicitor with more than 20 years of professional experience in the pharma/biotech sector and a leading legal expert within the life science industry. She has also built and managed in-house legal and compliance teams in several multinational organisations and knows first-hand the challenges managers face when a team member leaves, or there is a sudden unexpected surge in workload.