Jon Belcher, specialist data protection lawyer at Excello Law, examines the government’s aim and its recent consultation and argues that, while the current data protection law is far from perfect, reducing compliance obligations will weaken individuals’ data rights.
Brussels has warned that it will sever the adequacy decision granted to the UK if the UK government’s proposed data protection reforms pose a threat to EU citizens’ privacy. The EU’s robust response came in the wake of the announcement of plans to overhaul the UK’s data protection regime.
Last August, the then Secretary of State for Digital, Culture, Media and Sport (DCMS) Oliver Dowden said, “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy.” Mr Dowden spoke of “reforming our own data laws so that they’re based on common sense, not box-ticking”. The details of the government’s proposals have now been set out in a substantial consultation document.
The government aims to create a series of “data adequacy partnerships” with states around the world to facilitate trade by minimising data protection compliance barriers. The government hopes to reach such agreements with nations including the United States, Australia, South Korea, Singapore, Dubai and Colombia. The DCMS promises that high data protection standards will be maintained while making it easier for businesses to transfer personal data outside the UK.
Reforms to the UK’s data protection regime have long been talked up by pro-Brexit politicians. The GDPR is often seen as overly complex, burdensome and bureaucratic. Easing some of its requirements would be seen as a much-needed Brexit win for these politicians.
At the end of the Brexit transition period, the European Commission granted an “adequacy decision” to the UK, as regards its data protection regime. This allows the unrestricted transfer of personal data from the EU to the UK. This is crucial for many UK businesses. Any significant move away from existing GDPR standards could come with a significant economic cost.
The EU remains the UK’s most important trading partner. The 2019 figures are the most relevant since that was the last normal trading year before the disruption caused by the coronavirus pandemic. In that year, exports to the EU of £72 billion accounted for 43% of the UK’s total exports. Services accounted for 43% of this figure. By comparison, the UK’s next largest export market was the US, which accounted for 19% of exports. Clearly, it would be unwise to risk disrupting the free flow of data with the EU in return for a slightly simplified data protection regime.
There is no guarantee the proposed measures will reduce compliance costs in practice. The introduction of GDPR in 2018 involved a major adjustment for organisations in the UK in terms of their data protection policies and procedures. That has now been done. Most businesses now have satisfactory systems in place and the requirements are widely understood.
Changing the goalposts once again, just a few years later, would cause a new wave of disruption. Many UK businesses are still adjusting to the new paperwork required for EU trade since earlier this year. It may be best to simply leave well enough alone.
While the government is no doubt right to say that cookie banners are frustrating and the GDPR is not perfect, any drive to reduce compliance obligations will inevitably weaken individuals’ data rights and protections. Such moves could meet with a backlash from privacy campaigners. Public anxiety about data protection has been heightened by high-profile ransomware attacks.
A key motivation for changing the UK’s data protection regime is given in the government’s document which analyses the impact of the proposed changes. It states that “Data has become a driving force of the modern economy, at the forefront of technological and scientific progress, driving scientific discovery and new goods and services. The UK direct data market – consisting of value added from the generation, storage, processing and analysis of digitised data – has been estimated to be worth over £15 billion annually.” The paper argues that reforms should aim to achieve “a pro-growth and trusted regulatory regime for data protection.” Post-Brexit, the government wants the UK to benefit from this global growth industry.
Some of the suggested measures set out in the consultation document include removing the requirements to appoint a dedicated Data Protection Officer and undertake data protection impact assessments, as well as changing the data breach reporting requirement to only apply when there is a “material risk” to individuals, instead of a “risk”, as is now the case. Other changes might be popular with businesses, but unpopular with the public, such as the proposal to allow charges for data subject access requests.
Overall, the consultation paper promises a “regulatory regime [that] will be clearer and more suited to an agile, technology-driven economy. Regulatory requirements will be focused on the outcomes that must be achieved, rather than prescribing how they are achieved.” While many businesses would prefer a lighter-touch, less prescriptive regime, the EU will likely regard such changes as a significant watering down of its high standards, which could jeopardise the UK’s adequacy decision.
Multinational businesses are likely to continue to apply the EU’s data protection rules. Indeed, the rest of the world is increasingly looking at the GDPR as an international standard. For example, in recent weeks China has created a new data protection regime that echoes aspects of the GDPR. Similar trends are also happening in other jurisdictions.
Any changes to the UK’s data protection regime will need to be measured and incremental. A major shift away from GDPR standards could prove costly. The government will need to tread carefully when balancing risk and opportunity.