Where now for GDPR?
Where now for GDPR?
With the new Government there is renewed talk as to how the UK can maximise the benefits of Brexit by deciding on the appropriate balance between the desire to liberalise regulations and the need to have minimum regulatory standards. In this regard, the GDPR has attracted some comment – the UK Government has already suggested that it regards the GDPR as too bureaucratic and that there is a smarter way of guaranteeing UK citizens’ privacy rights. The problem the UK Government has is that there are three audiences: businesses; the public; and the EU. At present GDPR is still UK law. The EU has granted the UK an “adequacy decision”, which means that data can be transferred UK-EU with minimal paperwork. To the extent that the UK moves away from GDPR, the EU can withdraw this adequacy status.
Last summer the then Johnson administration set out its proposals; I reference these as the 2022 proposals. The 2022 proposals appeared to reflect that:
data-driven trade generated £234 billion for the UK in 2019;
two years’ ago a report estimated that the aggregate cost to UK firms of no adequacy decision could be between £1 billion and £1.6 billion; and
the proposed changes in the 2022 proposals would save UK businesses £1 billion.
The new Truss administration has withdrawn a second reading of the UK Data Protection and Digital Information Bill from House of Commons business “to allow ministers to consider the legislation further”. Ironically, by going back to the drawing board to implement a more decisive break from GDPR by default the UK retains GDPR which neither administrations wanted. Michelle Donelan, the new Culture secretary has the same objectives for GDPR reform as her predecessor, Nadine Dorries.
It will be interesting to see the extent to which the new Government is prepared to risk the EU adequacy decision. The 2022 proposals in my opinion struck a sensible balance, did not jeopardise adequacy and included measures which the European Data Protection Board could in the future adopt. The uncontroversial aspects of the 2022 proposals, such as reforming the cookie consents and imposing greater penalties on businesses that make nuisance calls, will not impact on adequacy as they are regulated by the Privacy and Electronic Communications Regulations and not the GDPR. The requirement that business take a risk-based approach to internal data risk assessments and compliance are entirely consistent with the approach set out in the GDPR and does not affect adequacy.
Looking ahead, there are two reforms that will identify where the UK Government has got to deciding the value, to the UK, of the EU adequacy decision:
the 2022 proposals envisaged an International Data Transfer Expert Council, which would assist the UK agreeing data transfer deals on a global basis. The EU has granted adequacy status to 14 countries and these include the three British Crown Dependencies and the Faroe Islands. If the UK grants adequacy to countries that the EU is not prepared to, then there will be a danger that data is transferred to a country the UK regards as adequate but the EU does not – a Trojan Horse. Even if the EU is happy with the internal privacy regulations of the UK, if the EU does not agree with the approach taken by the UK regarding adequacy that could lead to the withdrawal of adequacy for the UK; and
the UK Government has long advocated that the post Brexit UK can maximise AI technology. The 2022 proposals include separate proposals re AI. It is unclear as to the extent this direction of travel will meet the requirements of Article 22.
At the time of writing, the Government has more pressing concerns than GDPR, but the regulations will almost certainly have a role to play in its desired bonfire of EU “red tape”.
