By John M. Benjamin and Helen Ryan
On Monday, 3 October 2022, the new Secretary of State for Digital, Culture, Media and Sport (DCMS) Michelle Donelan announced that the United Kingdom would be replacing the General Data Protection Regulation (GDPR) with its own business and consumer-friendly system.
In her speech, Donelan claimed that GDPR was “limiting the potential of [UK] businesses” and stated, “it is time we seize this post-Brexit opportunity fully and unleash the full growth potential of British business.” Donelan further called for a “bespoke, British system of data protection” to ensure that the UK breaks free of EU bureaucracy.
This is part of the current government’s desire to break free from the EU and provide what it believes to be a more attractive business environment. One of the pillars of this growth strategy is to attract companies that are heavily involved in data sciences, which it sees as an important part of a vibrant gig economy.
Notably, the announcement is likely to affect the Data Protection and Digital Information Bill. The Bill contains a slew of amendments to the UK’s current data laws and regulations but its second reading in Parliament will be paused and possibly withdrawn while the government re-evaluates its stance on data protection.
Since coming into effect on 25 May 2018, the GDPR has been a target for the UK government in an attempt to distance itself from the EU; however, this is not without its risks and the announcement has sparked fresh uncertainty for businesses and controversy amongst privacy activists. Further, ensuring continuous data flow between the EU and the UK was one of the central parts of the EU Withdrawal Agreement and was heavily fought over particularly due to the closeness of the UK Intelligence services with its counterparts elsewhere in the world. The new system would force businesses to comply with multiple data protection regimes, thus increasing the administrative and financial burdens for businesses rather than curbing it. This is likely to be viewed by multi-national organisations as an unwelcome burden for little practical benefit.
Privacy activists see it as a way of eroding the fundamental human rights of UK based individuals.
Whilst Donelan claims that the new system will free businesses from “lots of unnecessary red tape”, a complete departure from EU GDPR standards could harm the UK’s ‘adequacy status’ granted by the EU and complicate the way UK’s businesses operate in Europe.
‘Adequacy status’ refers to the 2021 decision by the EU which has determined that the UK provides adequate protection for personal data collected and transferred from the EU to the UK under EU GDPR. The benefit of the status is that there is no need for businesses to put in place bespoke agreements for personal data flows to the UK.
Thus, ‘adequacy status’ is viewed by many as vital for UK businesses as it ensures economic and financial growth. The Chair of the Standards and Privileges Committee, Chris Bryant MP echoed this concern stating, “UK companies will still have to abide by GDPR if they want any online business in the European Union (as other non-EU companies already do).”
The UK’s adequacy status will be up for review by the EU in 2025, but the EU has made it clear that it can revoke the status at any time if the UK government skews domestic data protection away from ‘essential equivalence’ with GDPR.
Therefore, if the UK wishes to ensure economic and financial growth, it must take a nuanced approach to its redrafting of its data protection laws. The government has cited Israel, Japan, South Korea, Canada and New Zealand as model countries that the UK will base its system on as they have achieved data adequacy without having GDPR. This is promising as it suggests that the UK government does not intend to take an irrevocable step from essential equivalence with GDPR.
Ultimately, the true impact of the new UK data protection system remains ambiguous. Whilst the UK government plans to promote flexibility for businesses and reduce its regulatory burden, many issues remain surrounding the practical effectiveness of deregulation and indeed the benefit to individuals.
However, the government’s vision of the UK becoming a “bridge across the Atlantic” and the “world’s data hub” suggests that the new data protection system will promote economic growth and enable the UK to cement itself as a key global player for data protection.
For More Information
If you have any questions about this blog, please contact John M. Benjamin, Christian Beaumont, any of the attorneys in our Intellectual Property Practice Group or the attorney in the firm with whom you are in regular contact.