Press release

New data laws to boost British business, protect consumers and seize the benefits of Brexit

Data Reform Bill will increase financial penalties for those pestering people with nuisance calls and minimise number of annoying cookie pop-ups people see on the internet.

  • Plans outlined as part of London Tech Week include proposals to replace unnecessary paperwork to deliver around £1 billion in business savings

  • Will give researchers more flexibility to conduct life-saving scientific research and deliver major breakthroughs to improve people’s lives

Tougher fines for firms hounding people with nuisance calls and a clampdown on bureaucracy, red tape and pointless paperwork are part of reforms to transform the UK’s data laws for the digital age and seize the benefits of Brexit.

Data fuels innovation in every area of the global economy. For consumers, data powers the everyday apps they use to get around, shop online and manage finances. It helps public and private sector organisations make better decisions so they can trade, manufacture and deliver public services more effectively. It was used efficiently and responsibly in the nation’s fight against COVID-19 to model and ultimately control the spread of the virus.

Data-driven trade generated nearly three quarters of the UK’s total service exports and generated an estimated £234 billion for the economy in 2019.

To round off London Tech Week, the government is publishing its response to a consultation which aims to harness the power of data to help British businesses trade abroad, boost the UK’s position as a science and technology superpower, and improve people’s everyday lives.

It sets out how the Data Reform Bill announced in this year’s Queen’s Speech will strengthen the UK’s high data protection standards while reducing burdens on businesses to deliver around £1 billion in cost savings that they can use to grow their business, boosting the economy.

The plans will modernise the Information Commissioner’s Office, the data regulator, so it can better help businesses comply with the law. It will also gain tougher powers to crack down on nuisance calls.

As well as empowering the UK to strike new data partnerships, the reforms will fuel the responsible use of data for innovation by providing clearer definitions on how consent is obtained for research.

Digital Secretary Nadine Dorries said:

Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower. Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.

Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.

John Edwards, UK Information Commissioner, said:

I share and support the ambition of these reforms.

I am pleased to see the government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.

We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill.

Further information

Reducing burdens on businesses

Since the European Union’s highly complex General Data Protection Regulation (GDPR) was implemented in the UK four years ago, many organisations have been held back from using data as dynamically as they could.

A lack of clarity in the legislation has led to an over-reliance on ‘box-ticking’ to seek consent from individuals to process their personal data to avoid non-compliance. Its largely one-size-fits-all approach, regardless of the relative risk of an individual organisation’s data processing activities, puts disproportionate burdens on small businesses including startups and scaleups.

The government’s new data protection rules will be focused on outcomes to reduce unnecessary burdens on businesses.

This Bill will remove the UK GDPR’s prescriptive requirements, which give organisations little flexibility about how they manage data risks - including the need for certain organisations, such as small businesses, to have a Data Protection Officer (DPO) and to undertake lengthy impact assessments.

It means a small business such as an independent pharmacist won’t have to recruit an independent DPO to fulfil the requirements of UK GDPR, provided they can manage risks effectively themselves, and they will not have to fill out unnecessary forms where the risk is low.

Organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data. The same high data protection standards will remain but organisations will have more flexibility to determine how they meet these standards.

Analysis by the Department for Digital, Culture, Media and Sport (DCMS) shows the reforms will create more than £1 billion in business savings over ten years by reducing these burdens on all businesses.

Protecting consumers from nuisance calls and unnecessary cookies

The new Bill will increase fines for nuisance calls and texts and other serious data breaches under the UK’s existing Privacy and Electronic Communications Regulations (PECR), which aim to prevent companies contacting people for marketing purposes without consent.

The fines will increase from the current maximum of £500,000 and be brought in line with current UK GDPR penalties, which are up to four per cent of global turnover or £17.5 million, whichever is greater.

PECR rules will also be updated to cut down on ‘user consent’ pop-ups and banners - the irritating boxes users currently see on every website - when browsing the internet.

Currently, users have to give their consent for cookies (the data points which allow sites to remember information about an individual’s visit) to be collected. To do so users have to opt in to cookie collection every time they visit a new site.

The government’s new opt-out model for cookies will heavily reduce the need for users to click through consent banners on every website they visit - meaning that people will see far fewer of the frustrating boxes online.

Under the new rules internet users will be better enabled to set an overall approach to how their data is collected and used online - for example via their internet browser settings.

Before the legislative changes are commenced, the government will work with the industry and the regulator to ensure technology is effective and readily available so people can set their online cookie preferences to opt out via automated means. This will help web users to retain choice and control over how their data is used.

Modernising the Information Commissioner’s Office

The ICO will be modernised to have a chair, chief executive and a board to make sure it remains an internationally renowned regulator. The change will introduce a wider set of skills to support robust decision-making and broaden the legal responsibility underpinning the ICO’s work, which currently sits solely with the role of Information Commissioner.

The ICO will have new objectives which will give Parliament and the public better ability to hold the regulator to account. Currently, UK GDPR does not provide the ICO with a clear framework of objectives and duties. It is instead obliged to fulfil a long list of tasks. Clearer objectives to prioritise its activities against and a more modern governance framework will better equip the ICO to fulfil its role and bring it in line with the best practice of other regulators.

Strategic objectives will be set out in the Bill. They will underline the importance of the regulator continuing to uphold data rights and encouraging the responsible use of personal data, but will have greater emphasis on taking into account growth, innovation and competition.

The reforms will introduce a new way for the ICO to develop statutory codes and guidance, which share best practices for organisations using, sharing or storing personal data in specific instances, such as protecting children’s data online.

The ICO will be required to set up a panel of experts in relevant fields when developing each piece of statutory guidance. The Secretary of State will also need to approve ICO statutory codes and guidance before they are presented to Parliament. This will bring the ICO in line with other UK regulators, such as the Electoral Commission, and strengthen the accountability of the privacy watchdog when it makes legal rules.

Enabling the innovative use of data

The reforms will further cement the UK’s position as a science superpower by simplifying the legal requirements around research so that scientists are not needlessly impeded from using data to innovate and make major breakthroughs.

The Data Reform Bill will more clearly define the scope of scientific research and give scientists clarity about when they can obtain user consent to collect or use data for broad research purposes.

This removes the need for them to have the ultimate purpose of their research project finalised before collecting data. For example, scientists will be able to rely on the consent a person has given for their data to be used for ‘cancer research’ as opposed to a particular cancer study.

It will enable more groundbreaking research such as the work carried out by researchers from Moorfields Eye Hospital and the University College London Institute of Ophthalmology who made a breakthrough in patient care using AI technology. The researchers successfully trained machine learning technology on thousands of historic de-personalised eye scans to identify signs of eye disease and recommend how patients should be referred for care. This new way of using data has the potential to revolutionise the way professionals carry out eye tests.

Empowering international trade

The UK is committed to maintaining high data protection standards and continuing the free flow of personal data between like-minded countries. The data reforms will support the UK government’s ambitions to strike new data partnerships with important economies and improve international data transfers which a number of technologies rely on, such as GPS navigation, smart home technology and content streaming services.

The government’s International Data Transfer Expert Council, made up of global experts on data, will play a major role helping the UK unlock the benefits of free and secure cross-border data flows.

The group, which combines world-leading academics, organisations such as the World Economic Forum and the Future of Privacy Forum alongside digital industry figures including Google, Mastercard and Microsoft, will be empowered to remove barriers to data flows and ensure services from smart devices to online banking can be provided more reliably, cheaply and securely.

The government continues to work closely with international partners on data adequacy deals with priority countries, including the United States, Australia, the Republic of Korea and Singapore.

Published 17 June 2022