Since the UK left the European Union (EU), there has been talk of reforming the data protection regime currently in place in the UK, inherited from the EU. GDPR (General Data Protection Regulation) became an acronym that caused concern among many in the run-up to its implementation and continues to be seen as a “problem” by some. Even some who did not support Brexit would probably be happy to see the back of it in the UK.
However, it is only in the last 18 months that we have seen any signs of tangible reform measures. The Data Protection and Digital Information Bill, which was introduced to Parliament in July this year, is the result of a major consultation carried out by the Department for Digital, Culture, Media and Sport (DCMS) last year. The introduction of the bill for debate in the last week before the summer recess was an indication of how important the government (as it was at the time) considered the UK data protection regime to be.
However, since this introduction, data protection reform in the UK has been somewhat halting. The bill was scheduled for a second reading on September 5, which, as it turned out, was to be the day Liz Truss was officially elected leader of the Conservative Party. In a business statement the same day, the government confirmed that the second reading would not take place as planned “to give ministers time to consider the bill further”.
The bill has already moved to the committee stage after the leadership election, so it’s back on track, although the time frame for its implementation, if the bill does indeed remain as it is, is a bit unclear.
There was also more uncertainty in early October when Michelle Donelan, the new Secretary of State for Digital, Culture, Media and Sport, discussed data protection in her Conservative Party conference speech, saying: “We will replace GDPR with our UK’s own business and consumer friendly data protection system. Businesses will no longer be shackled by a lot of unnecessary red tape.”
Donelan also said she would work with business to “co-design” the legislation, implying a more substantial “start from scratch” approach rather than simply revising previously introduced legislation.
The intention behind the bill, in its original and current form, was already to update and simplify the UK’s data protection framework to “reduce burdens on organisations, while maintaining high data protection standards”. One might wonder why Donelan and her team needed extra time to “review and revise.” The idea was that the reform would represent “an evolution rather than a revolution”. Indeed, if the proposed bill remains in its current form, that appears to be the case.
But any more sweeping changes or significant departures from the GDPR risk jeopardizing the UK’s adequacy with the EU. There is a danger that the “review and revision” mentioned by Donelan will go further and lead to a regime that is no longer “substantially equivalent” to that of the EU.
If that were the case, we would be facing more of the “revolution” that the previous government wanted to avoid. While this may satisfy Brexiteers keen to see drastic changes marking the UK’s exit from the ‘union’, the cost to businesses would be substantial, at a time when the economy is already struggling.
Another fly in the ointment, so to speak, is the UK’s proposed assessment of the adequacy of the new US data privacy framework, a framework for securely sending data from the UK to US organisations. In the same week as the Conservative Party conference (in fact, on the same day that US President Biden signed the infamous executive order), Donelan met with US Commerce Secretary Gina Raimondo to discuss “a range of digital issues”, with the UK’s adequacy evaluation of the US data privacy framework at the center of the discussion.
The government should be similarly wary of any grandiose moves to announce an adequacy decision in favor of the US ahead of the EU assessment, the outcome of which is expected in the coming weeks.
If the EU authorities find that the UK’s reform measures make its regime no longer “substantially equivalent”, the adequacy decision will lapse, as will the free flow of data between the UK and the EU. Why are we so concerned about the UK’s state of adequacy and the free flow of data, you might ask. Well, the value to the economy is estimated at between £1 billion and £1.6 billion. It is therefore hardly surprising that the government recognized that the cost to the economy of losing adequacy status would outweigh any benefits of the reform.
Interestingly, although the UK adequacy decision is not scheduled for review until 2024, there are rumors that Brussels MPs are coming to London in November to scrutinize the UK’s proposed data reforms and their effect on the adequacy of the United Kingdom. The risk is real – and the UK government needs to be alert to it.
Sarah Pierce is a partner and head of UK data privacy at Hunton Andrews Kurth. She has extensive experience working with large technology companies and helping them manage global privacy and information security risks and compliance issues.