As the legal, business and political communities continue to consider the implications and likely outcomes of the UK’s government’s proposal for a so-called ‘Brexit Freedoms Bill’ (and associated policy paper on ‘The benefits of Brexit’), a few reflections are offered here on the direction of travel indicated. Whilst the contents of the actual bill remain unclear, some potentially troubling questions emerge from the initial rhetoric.
Data, tech and the regulatory landscape
Although the full wording of the bill has not yet been published, the government’s press release proclaimed that “[t]hese reforms will cut £1 billion of red tape for UK businesses, ease regulatory burdens and contribute to the government’s mission to unite and level up the country.”
At first blush, there appears to be some tension between the aim of cutting red tape (which implies a lighter regulatory burden) and another objective stated of “transform[ing] the UK into the best regulated economy in the world” with a “high-standards regulatory framework.” Scepticism has also been raised on this £1 billion headline figure (as well as the risks that cutting “red tape” can involve).
Of particular note for readers of this blog, the Prime Minister commented that the proposals would be “pro-growth” and give businesses “the confidence to innovate, invest and create jobs” in areas like cyber technology, artificial intelligence, and gene editing.
In the field referred to as “Data and AI” specifically, the bill aims to facilitate the UK “moving in a faster, more agile way to regulate new digital markets and AI and creating a more proportionate and less burdensome data rights regime compared to the EU’s GDPR.” When placed in the context of the rhetoric of the press release as a whole, it is difficult to isolate concrete legal proposals from political grandstanding. Indeed, the language used here raises several questions, including:
- Are the proposed regulatory changes for “new digital markets and AI” solely related to personal data legislation, or would these concern other issues (such as the reforms proposed to software and AI in a medical context, or legal areas like financial regulation or tax)?
- Does this imply a rowing back from the data privacy protections for data subjects which the UK GDPR contains (in alignment with the EU version)?
- Would there be a significant actual effect on the compliance standards used by international businesses, for whom the GDPR is often a ‘gold standard’ anyway?
- How would such changes be perceived internationally, most notably by the EU in the context of an adequacy decision for the UK’s data protection regime?
On a more general note, there are concerns from within the legal community and beyond with the proposed mechanism for achieving these stated goals. The government notes that “under current rules, reforming and repealing this pipeline of outdated EU law would take several years because of the need for primary legislation for many changes, even if minor and technical.” As a result, the government proposes that “[t]he Bill will make it easier to amend or remove outdated ‘retained EU law’.”
The implication is that the draft legislation may give ministers powers to remove, amend or add legislation as statutory instruments. Given approximately 3,500 statutory instruments are made each year already (with many not subject to parliamentary scrutiny and a tiny fraction actually not being approved), there may be concerns at the scope of these proposed powers.
Indeed, this ambition is somewhat difficult to reconcile with the aim for Brexit to increase the role of the UK parliament in legislating: this contrasts with the press release's introductory remarks that many EU laws did not receive “sufficient scrutiny in our democratic institutions” and the comment by the Attorney General that the “legacy EU rules” in question “often had limited meaningful parliamentary scrutiny”.
Given the breadth of both the legislative reforms suggested and the powers which could be used to effect them, the draft bill itself will need very careful scrutiny once published in order (among other things) to safeguard the rights of data subjects and, more generally, the role of Parliament as the UK’s legislature.