In what feels like a political lifetime ago, but in fact was a mere matter of weeks, on 3 October 2022 the Secretary of State for Digital, Culture, Media and Sport (“DCMS”) - who has been re-appointed in the new Cabinet - announced the then Government's plan to replace the GDPR. Then on Monday (31 October 2022), Owen Rowland, Deputy Director for domestic data protection policy at DCMS, told delegates at a Westminster Forum data event that “data adequacy with the EU is at the heart of the approach we are taking going forward”. The change in tone is notable, far less inflammatory (no longer the desire to “unburden” the UK); now more considered (the “heart” being to retain EU adequacy). Further consultation on the Data Protection and Digital Information Bill is now expected and this in turn means a delay in the Bill’s return to Parliament. Although this won't affect the general public in directly the same way and in fact they may not care, in light of the ongoing cost of living crisis and increasingly complex political situation, it may well overhaul how UK businesses handle their personal data.
So how did we end up here?
Despite the continuity of the DCMS Secretary of State, three different Prime Ministers in less than three months has led to some confusion as to the UK’s data reform plans. On 3 October 2022, in typical ministerial fashion, the Secretary of State's speech at the Conservative party conference said a lot about what was wrong with the GDPR without giving much away as to what they plan to do about it.
Whilst emphasising the UK's status as a "newly independent nation free from EU bureaucracy" and noting that "it is time we seize this post Brexit opportunity", the Secretary of State criticised:
- how the "inherited" GDPR and its "bureaucratic nature" is limiting the potential of UK businesses;
- the "significant" amount of "unnecessary red tape";
- the 'one-size-fits-all' approach of the GDPR which they suggest had caused excessive caution by those handling data; and
- how the issues above have a particular impact on smaller organisations who may not have the resources to comply in the same way as larger corporations.
Instead of the "regulatory minefield" created by the GDPR, the Government will replace it with a tailored "business and consumer-friendly, British data protection system". The Secretary of State highlighted they will co-design the new system with business and look to the countries who have achieved EU data adequacy (including Israel, Japan, South Korea, Canada, and New Zealand) to do so.
The plans were vague to say the least, including statements such as "we can be the bridge across the Atlantic and operate as the world's data hub" and "our new data protection plan will focus on growth and common sense", but the Secretary of State did at least note that they will keep consumers' data safe and retain the EU's data adequacy decisions for the UK.
A thread of continuity may well be found in (i) the final comment about the plan to retain the EU’s data adequacy decisions for the UK and the latest statement putting this very idea at the “heart of the approach” and (ii) the UK-US Joint Statement: New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy announced on 7 October 2022 may well be a nod to the bridge across the Atlantic (see our article here).
What happens now?
Since the initial announcement we've also had a new Prime Minister, Rishi Sunak, appointed. Luckily for the Secretary of State, who the new PM re-appointed, he shares a desire to replace the GDPR. During the Conservative leadership contest this summer, Rishi Sunak wrote an article which among other things explained that removing the burdens of the GDPR would be a top priority from day one. He too referred to the creation of "the most dynamic data protection regime in the world" and highlighted how he felt the "EU's Byzantine rules are preventing British tech companies from innovating and public services from sharing data to prevent crime". He concluded his thoughts on the issue by stating that "any internet user can see, GDPR – with all its bureaucratic box-ticking – is clearly not working and needs to be replaced". Although this is equally as vague, its likely despite the current rather confused stance that we are going to see at least some changes at some point to the UK’s data regime.
The Secretary of State had promised that "it will be simpler and clearer for businesses to navigate" but it's unclear quite what the former or new Government plan to change. With the newly stated clear intention to retain the UK's data adequacy decision from the EU, it's difficult to imagine a system that is fundamentally different from the GDPR. It was confirmed that the Government will look to the 'best bits' of other jurisdictions, but the creation of something which is consumer and business friendly - which are naturally at odds with each other - will likely be a lengthy process. Add to this another consultation period and it looks as though we will be into the new year before we have any further clarity. In some good news Owen Rowland did confirm “If you want to stick with what you are doing in terms of EU compliance then you can do so and still be consistent with what will be required in the UK, but for a lot of businesses there is a lot to be gained by complying with the UK context.”
The GDPR took over six years to create and implement. We may not have to work directly with the EU Commission and Member States now (although we inevitably will in order to retain data adequacy) but to create a simple system, which retains data adequacy, is business and consumer friendly, and ensures consumers' personal data is protected certainly doesn't sound like a quick process. If done properly, it may be a while before we see any substantive proposals, although it's too early to say how the new Government will approach this. While we have moved on from the rhetoric about bonfires of EU legislation, the headlines are still promising a new “business and consumer-friendly, British data protection system” but it is not time to start ripping up policies and procedures just yet as it looks like the status quo is here for the foreseeable future.
"we will be replacing GDPR with our own business and consumer-friendly, British data protection system. Our plan will protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely" Michelle Donelan, 3 October 2022 "data adequacy with the EU is at the heart of the approach we are taking going forward" Owen Rowland, 31 October 2022