At the Conservative Party Conference 2022 on Monday, newly-appointed Secretary of State for Digital, Culture, Media and Sport (DCMS) Michelle Donelan said the General Data Protection Regulation (GDPR) was “limiting the potential of our businesses”.
Donelan’s speech promised a new regime “co-authored” with business. But after years in data protection limbo, do UK businesses, civil society groups and individuals want more change and uncertainty?
Data Protection in Limbo
Data protection pervades into practically every aspect of life—from the digital economy that brings billions per year into the economy to the rules that restrain excessive police surveillance.
Various iterations of the UK government have been clear that the country’s data protection law will change. But for all the talk of “unleashing innovation” and “cutting red tape”, it remains unclear how the law will change and what the consequences will be.
Donelan’s speech disparaged the GDPR much like other politicians have done before—even appearing to associate the law with “shortages of electricians and plumbers”. The minister promised a new data protection regime focused on “growth and common sense”.
But the announcement has caused fresh uncertainty for businesses that were preparing for the passing of the Data Protection and Digital Information Bill (DPDIB), a draft GDPR reform bill published this summer and still due a second reading in Parliament.
Donelan’s Unclear Vision
Donelan’s conference speech criticised the GDPR as a source of “red tape” and set out a somewhat vague vision of “a truly bespoke British system of data protection”.
The GDPR, the minister claimed, was a “mainly one-size-fits-all” law that tied businesses in knots with “clunky bureaucracy”. Donelan cited a 2020 survey suggesting that half of businesses felt the GDPR had led to “excessive caution” among staff handling personal data.
In place of the current regime, Donelan announced that her department would “co-design with business a new system of data protection” that would ditch the “needless regulations and business-stifling elements” of the GDPR.
The new legislation would draw the “best bits” from other data protection regimes worldwide to create a “tailored, business-friendly British system of data protection”.
Donelan was keen to reassure listeners that her plans did not involve “another wave of legislation on business”.
“Businesses won’t have to wrap their heads around complicated legislation,” she said. “This is about simplification.”
But some would argue that any legal change brings uncertainty, and such change would come at a time when most businesses are becoming more comfortable with the data protection status quo.
Years of Uncertainty
Yesterday’s conference speech came after years of uncertainty for data protection professionals following the Brexit vote in 2016.
In an April 2018 blog post, Dominic Cummings—the Brexit campaigner who later became chief advisor to Prime Minister Boris Johnson—said leaving the EU enabled the UK to “bin… idiotic laws” such as the “horrific” GDPR.
After Cummings was appointed chief advisor to the prime minister in mid-2019, a series of DCMS press releases and data-intensive project proposals suggested the government might share his vision of a GDPR-free Britain.
Cummings’ views on European data protection legislation may have influenced the UK’s National Data strategy, launched in September 2020 by then-DCMS Secretary Oliver Dowden, which promised to “kickstart (a) data revolution”.
At that stage, though, businesses and civil society groups could still only guess how the GDPR might be reformed.
But the assumption was that regulation would be liberalised, with Dowden stating in March 2021 that he planned to focus “less on the burdens of the rules imposed on individual businesses”.
Adequacy in the Balance
Another early source of uncertainty for the UK came throughout the Brexit process, and concerned whether the country would obtain an “adequacy decision” from the European Commission.
Failing to be recognised as an “adequate” data protection jurisdiction would have seen a sharp increase in levels of bureaucracy, as EU organisations would have been required to agree to contractual and technical safeguards before sharing data with organisations in the UK.
The UK received a last-minute transitional agreement from the EU as part of the Brexit withdrawal package—ensuring that data transfer mechanisms didn’t fall off a cliff at the end of 2020, when the UK’s formal withdrawal from the EU was complete.
There was little consensus regarding the likelihood that the UK would receive adequacy. While the UK’s data protection regime was closer to the EU’s than any other country in the world, there was some nervousness around the issues of politics and national security.
Some businesses prepared for the worst, drafting “standard contractual clauses” that would be ready to implement if the Commission’s decision went against the UK.
But in June 2021—following resolutions from the European Parliament urging the Commission not to grant adequacy, and some clear misgivings from the European Data Protection Board—a draft adequacy decision was published and eventually approved.
The decision was heavily caveated, however. A “sunset clause” meant that adequacy would need to be reviewed in four years, and any major amendments to the UK’s data protection regime would bring this review forward.
So while adequacy brought some relief for UK businesses operating in the EU, observers kept a watchful eye on the government’s reform plans, knowing that any sharp departure from EU standards could trigger a blow to their ability to do business in Europe.
The TIGRR Report
The public got a glimpse of the UK’s possible data protection future in June 2021, with the publication of a report from the Taskforce on Innovation, Growth and Regulatory Reform (“TIGRR report”), penned by three Conservative MPs.
The TIGRR report recommended several reforms to the UK’s legal framework, partly based on faulty assertions, such as the idea that the GDPR centred around something called “citizen-owned data”, and dubious statistics, including a claim that a person’s email address was “worth $89”.
While non-binding, the TIGRR report was apparently well-received by then-Prime Minister Boris Johnson, who was photographed grinning while reading the document in his office.
This left businesses speculating as to which of the report’s recommendations might come to pass.
Would the government implement new laws to support “data trusts” as an alternative to consent? Would the GDPR’s rules on automated decision-making be scrapped? Could the GDPR be replaced entirely by a “UK Framework of Citizen Data Rights”?
Data: A New Direction?
The first substantial set of proposals for reforming the GDPR came in September 2021, with the launch of the DCMS consultation, Data: A New Direction. The consultation listed more than 70 possible changes to the UK’s data protection, privacy and freedom of information framework.
The potential changes could have been fairly radical, or fairly moderate, depending on which ideas were adopted following the consultation.
Some of the more significant proposals included enabling controllers to rely on “legitimate interests” for online tracking, reinstating the freedom to charge individuals to access their personal data, and removing the GDPR’s rules around automated decision-making.
The consultation also sought views on proposals to make certain provisions that are currently mandatory in some circumstances voluntary—such as conducting data protection impact assessments, appointing a data protection officer and engaging in “prior consultation” with the regulator.
Data Protection and Digital Information Bill
Data protection watchers allowed themselves to breathe a small sigh of relief with the publication of the Data Protection and Digital Information Bill (DPDIB), which implemented many of the consultation’s proposals by amending existing legislation, including the UK GDPR.
The bill sought to allow organisations to set up a “privacy management programme”, with “senior responsible individuals” overseeing data protection, rather than the data protection officers currently mandated by the GDPR in certain circumstances.
Some of the consultation’s more radical proposals, such as the reintroduction of fees for subject access requests and the abolition of rights over automated decision-making, were absent or watered down in the bill as it was presented to Parliament.
But alas, the government fell into chaos shortly before the scheduled second-reading of the bill—which had been tabled for 5th September—with Boris Johnson resigning and the DPDIB being kicked into the long grass.
Back to Square One?
While the DPDIB has not been formally withdrawn from Parliament, the appointment of new DCMS secretary Michelle Donelan has plunged the sector into uncertainty once more.
The DPDIB was far from perfect. Civil society groups objected to provisions supposedly weakening protections around AI decision-making and access to data. Lawyers from Handley Gill scrutinising the text noticed formatting and numbering errors.
But the bill at least provided some guidance on what UK data protection might look like in the future.
The bill had provisions, schedules, and articles—actual proposed legal rules that businesses could use to plan and mitigate risk.
Donelan’s announcement suggests that the bill will now be re-drafted. The data protection community may need to wait months or even years before the path forward becomes clear.