Data protection reforms ‘must protect adequacy arrangement with the EU’

Proposed changes to UK data protection law must not put the flow of data between the UK and the EU at risk, IT experts have warned.

As part of the Queen’s Speech, the Government announced plans to reform “highly complex” data laws inherited from the EU with a new, post-Brexit, Data Reform Bill.

Ministers said the new Bill would streamline data protection rules and cut red tape, aiding businesses and the economy.

But industry experts from BCS, the Chartered Institute for IT, have called for any changes to protect the UK’s existing data adequacy arrangement with the EU – where the bloc recognises the UK’s data protection standards post-Brexit as matching those of the EU and therefore allows the continued flow of data between the two.

A wide range of businesses and sectors rely on the transfer of personal data to and from the EU in order to operate and carry out their services, and the loss of this seamless flow could have a substantial impact.

“Any material deviation the UK adopts in relation to data protection does risk its adequacy status so I hope there will be a detailed and objective analysis undertaken to assess whether the benefits from the UK’s data reform outweigh the risks of not continuing to have an adequacy status,” Dr Sam De Silva, chairman of BCS’s law specialist group, said.

He added that the overall aim of the Government’s proposals was “not surprising” and generally followed a previously published consultation paper on the issue.

Under the Government’s plans – which have not yet been published in full – the existing General Data Protection Regulation (GDPR) and Data Protection Act would be reformed, with the removal of cookie consent banners on websites said to be among the proposed changes.

“However, of course, the devil will be in the detail – which we do not have sight of yet,” Dr De Silva said, adding that the cookie consent banner reform specifically might not have a drastic impact on the UK-EU data relationship.

“If that detail reveals that the web cookie consent banners are to be removed, whilst that appears radical, organisations would still be required to comply with the UK GDPR principles on lawfulness, fairness and transparency when using cookies or similar technologies,” he said.