Science, Innovation and Technology Secretary Michelle Donelan said a more agile approach to managing data and privacy issues is needed to meet the challenges of the ongoing “technology revolution”, and is committed to continuing its “open door policy” with industry.
Speaking at a data protection event organized by the International Association of Privacy Professionals (IAPP), Donelan highlighted the benefits of the UK government’s proposed data regime, which was presented to Parliament the day before as the Data Protection and Digital Information Bill (DPDI).
Noting that the bill had been co-designed with industry from the very beginning, Donelan said “industry engagement is my main focus” and that she will announce more opportunities for exchange and collaboration of expertise and ideas between government and the private sector in the coming years. month.
“As part of this openness with industry, I will continue my open door policy that I have always followed as minister, where new ideas and concerns are always welcome,” she said. “Data protection laws have changed absolutely dramatically. [over the past two decades]. But this change has been incremental, piece by piece, building on best practices and constantly improving on what has come before – our data bill represents the next step.
Donelan noted, however, that the data bill is not just about industry and that prior to the bill’s release, “many commentators made the mistake of assuming that business prosperity and privacy of individuals is a zero-sum game”.
She added: “I don’t see this as a compromise at all. Successful businesses need knowledgeable consumers who are clear about what is happening to their data and who need to be confident that it will be treated with transparency, integrity and, of course, accountability.
The current “one-size-fits-all, top-down approach” to Data protectionsaid Donelan, focuses too much on “ticking boxes” and has also led to “public disillusionment and confusion” that ultimately damaged trust and support for regulations such as the DPDI bill.
“Outdated protection and privacy certainly doesn’t work unless the public and businesses buy into it and agree it’s proportionate, and they agree with its goals,” she said. . “For too long, data privacy protections have been something to be circumvented, dismissed or not really understood or valued.
“We want people to comply with our new data protection bill because they see and understand the benefits for themselves and their businesses, not because they are afraid of coercive action or annoying pop-ups – that’s why it’s really important that we make it simple.
However, she also noted the need for “real deterrence” to ensure data security in the UK, adding that the Information Commissioner’s Office (ICO) will be empowered under the DPDI bill to impose fines up to 35 times the current limit.
“We are also modernizing the Office of the Information Commissioner as a whole, ensuring that it has the capabilities and powers it needs, the freedom to allocate its resources and greater accountability both to Parliament and of course the public,” she said. “The results of all of this will be hugely positive for the British public and our country.”
Reactions to the bill
While the full effects of the bill in practice are not yet understood, with the full text only released on March 8, reactions so far have been mixed.
Alistair Dent, chief strategy officer at data science consultancy Profusion, said there was a lot to like about the announcement of the bill, particularly regarding the certainty it will bring to businesses. British.
However, he noted that a key question is whether the bill will live up to its goal of ensuring companies can continue to send personal data overseas through existing international transfer mechanisms.
“This is very important for UK businesses, as the lack of compatibility with, for example, the GDPR will mean that businesses that process EU citizens’ data will have to comply with both legislations, which will significantly increase costs,” he added. said.
“This bill is obviously at a very early stage and many areas still need to be clarified, including how it will be properly implemented. We must remember that, despite its flaws, GDPR has really helped to improve online privacy and increase corporate accountability. The government is very keen to be seen as cutting red tape and using “common sense” in crafting its rules, but this must not come at the expense of protecting people online. »
Georgina Graham, data and technology lawyer at law firm Osborne Clark, said: “Companies will be delighted to see the new measures designed to reduce red tape and increase compliance flexibility – for example , treatment records have become an administrative burden for many people. businesses, so this proposed change could actually save businesses time and money. Conversely, consumers will likely be pleased to see increased fines for nuisance calls and texts.
She added that with the EU-UK data adequacy decision due for review in 2024, “the UK government will need to be aware of the risks of too much divergence from the GDPR of the EU” if he wants companies to continue sending data to Europe. .
Commenting on the bill at the same IAPP event but on a different panel, former information commissioner Elizabeth Denham said: ‘The UK is walking this very fine line to make sure we maintain the fit, and that’s what businesses in the UK want.
She added, however, that she does not believe the changes to the UK’s data protection regime are substantial and would prefer to see the UK join other countries outside the EU with “full support for a new way” to regulate data protection.
During the same panel, Max Schremsan Austrian lawyer who has challenged the legality of various international data transfer mechanisms since the early 2010s, said data reforms in the UK mean the country is no longer relevant from a European perspective when it’s about challenging bad data protection practices.
“If we sue a company, we’ll sue a UK company in Europe, we’ll go straight to Europe, it’s just not relevant anymore from a litigation perspective,” he said.
Michael Queenan, co-founder and CEO of UK data company Nephos Technologies, said the UK government had “decided to sell personal data privacy for the benefit of business and innovation” with the bill.
“When you remove regulations, compliance becomes cheaper, but at what cost? This needs to be addressed collectively to truly encourage business growth, drive innovation and protect our data,” he said.
“The new DSIT is in principle a good step, but it has work to do. Currently, promises are made without adequate funding or tools to keep them. Also, anyone who trades with other countries, including EU countries, will still need to comply with their data laws in order to use the data of citizens of that country, so I’m not sure how they can claim that it facilitates international trade.”