With the UK’s latest attempt to replace EU data regulation now introduced to parliament, experts are satisfied that equivalence will be maintained and that the bill lays the foundations for a UK form of digital identity.
After being hampered by governmental changes last year, the UK's Data Protection and Digital Information Bill has been introduced to parliament by Michelle Donelan, the secretary of state for science, innovation and technology.
Although there has previously been anxiety that the UK would diverge significantly from the EU, this now seems unlikely.
"This legislation leaves the fundamentals of the UK GDPR in place, and is not making any significant changes from the regime that we know,” said Katie Hewson, a partner at Stephenson Harwood. “In spite of the headlines, it won't feel or look that different.”
Rather, she suggested that there are targeted improvements. “My impression is that it is based on practical experience of working with the UK GDPR.”
The UK is currently deemed adequate by the EU when it comes to data protection issues. This means that the UK has avoided the fate of the US and other jurisdictions, where making personal data transfers from the EU has become a lot more challenging.
However, the EU’s adequacy decision included a so-called sunset clause, which strictly limits the duration of the decision.
This means that the UK’s adequacy with the EU's General Data Protection Regulation (GDPR) regime will automatically expire four years after entry into force in June 2021.
After that period, the adequacy findings might be renewed, but only if the UK continues to ensure an adequate level of data protection.
Yet, in spite of the potential ticking time bomb, people do not think that the EU and UK will come to a disagreement on this matter.
"Yes, we will likely remain adequate,” said Edward Machin, a partner at Ropes & Gray. “It is largely a political consideration, and both the European Commission and the UK government are keen to avoid opening that can of worms.”
He said that the UK has taken a “GDPR-lite approach” with the legislation.
“It is close enough to be defensible but also different enough to give support to the notion of cutting red tape, so it can be spun as a Brexit dividend,” he said.
According to John Timmons, a partner at White & Case, this bill represents tweaks, not a massive divergence. “For example, some of the differences will be welcomed from a practical sense, such as the approach to complaint handling,” he said.
Broadly, the law and principles are still consistent with the GDPR, he pointed out. “This is deliberate, as it seems unlikely that anyone wants to see material divergence between the UK and EU on this.”
“There appears to be a willingness to make this work for businesses in the UK and EU, and avoid a situation where businesses with a footprint in each have to do something markedly different to comply with data protection law in both jurisdictions,” he said.
What is changing?
The changes that the bill introduces are varied. For example, the role of the data protection officer is being done away with and will be replaced with that of a senior responsible individual.
“Most of the core requirements of the GDPR are still there, but what the UK has done is take a more business-friendly approach with the winding down of obligations for most organisations to keep records of processing, removing the requirement for a data protection officer, and broadening requirements for scientific research,” said Machin.
Hewson also pointed out that the bill makes changes to the definition of personal data and tightens up on whether someone is "identifiable".
“This is one element that could raise questions for the UK's adequacy decisions from the EU, as it could narrow the meaning of personal data,” she cautioned.
The new legislation also relaxes the currently strict rules regarding website cookies.
Once the bill receives royal assent, website operators will be able to place certain types of statistical, security and location cookies without needing to obtain the consents currently required from users.
There will also be reforms made to the role of the UK’s data protection regulator. Here, the government intends to abolish the UK Information Commissioner’s Office (ICO) in its current form.
The bill instead creates an "Information Commission" in its place, which will assume the current regulator’s responsibilities.
“Reforms to ICO do leave questions over whether it will be sufficiently independent,” said Hewson.
However, she added that the substance of reforms has “never been as dramatic as headlines would have you think”, suggesting that they “are not a major cause for concern”.
There are also areas where the law is actually becoming tougher than it is currently.
For example, it outlines plans to increase fines for nuisance calls and texts to up to either 4 percent of global turnover or £17.5m, whichever is greater.
Digital identity
Sources have suggested to VIXIO that the proposals that make way for a form of digital identity are perhaps the most significant aspect of this bill.
It sets out the possibility of a cross-sector, reusable digital identity framework. This will provide equivalence between digital and paper forms of identity, access to government data attributes for certified identity providers and the UK’s certification regime.
“The bill goes beyond the GDPR, specifically addressing digital identity verification services and also data sharing between consumers and businesses,” said Timmons.
“This sets in motion a clear path, but as with all legislation, the devil will be in the detail, especially when it comes to the regulations and guidance issued by the Secretary of State.”
This will come more to the fore in the next few months as the bill is finalised, but there is now legislative momentum for these technologies, according to Machin.
“People are increasingly comfortable with the idea of having some form of digital ID, which can make life easier for verification providers, businesses and consumers alike.”
This is a step change with the EU, which is currently legislating on a separate basis for a form of pan-EU digital identity.
"The bill recognises that commercial solutions for digital identity will benefit from a central trusted framework,” said Hewson. “Conversations around fraud and AI mean that it's important to have a system where there is a form of digital ID that can be trusted."