At the Tory Party conference last week, the UK digital secretary Michelle Donelan announced that the Government planned to replace the UK GDPR with a new data protection legislation. Under the guise of ‘reducing red-tape’, Donelan announced that the GDPR would be replaced with a ‘business and consumer friendly British data protection system’ that would ‘focus on growth and common sense’ to create a ‘truly bespoke, British system of data protection’.
Cutting through the buzz-words and political ‘phrases of the day’, the Government’s plans represent a potentially major change for UK businesses.
This change may not be a positive one.
In this article we will look at some potential effects of this proposed restructure of the UK GDPR.
Revocation of adequacy status
The most significant potential effect of this change is the revocation of the UK’s adequacy status.
The UK GDPR has been applicable to all businesses processing UK citizen data since its inception in the Data Protection Act 2018. This legislation is a carbon-copy of the EU GDPR, which also came into effect in 2018. As a consequence of these similarities, the European Commission granted the UK a preliminary adequacy decision, which was then confirmed in 2021.
Adequacy decisions permit the free-transfer of personal data between EU member states and these ’adequate’ territories. Some other example adequate territories include New Zealand, the Faroe Islands, Japan, and Israel. A full list can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en .
However, adequacy decisions are not lifetime. Indeed, the Commission’s UK adequacy decision includes a ‘sunset clause’. This means that the adequacy decision will automatically expire in 2025. After this date, the UK adequacy decision might be renewed, however, only if the UK continues to ensure an adequate level of data protection. Up until the renewal data, the Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the UK’s data protection environment significantly change, the EU commission is likely to review the applicability of our adequacy decision, and potentially revoke it.
Should this be revoked, all UK-EU data transfers will face further significant changes.
Renegotiation of UK-EU contracts
The revocation of the UK’s adequacy decision would end the free transfers of personal data that hitherto had been permitted between the UK and EU member states. This would mean that the UK would be termed a ‘Third Country’ and any transfers between the UK and EU member states would now be ‘restricted transfers’.
All contractual agreements that permit these transfers would now require the inclusion of protective measures, most likely Standard Contractual Clauses (SCCs). SCCs are a set of contractual clauses defined by the EU commission that must be included (in full) in any third country-EU contracts. The current EU SCCs can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
Any contracts without these would be classified as illegal transfers of data.
Segregation of data or adoption of EU requirements as a baseline
One further effect of the removal of the UK GDPR could be the necessary segregation of UK and EU citizen data. As different legislation will apply to each, UK businesses may be required to identify and segregate these different personal data sets to ensure that the appropriate rights are offered to each set. As this is likely to be too difficult and/or time consuming, most businesses may choose to employ EU GDPR requirements as a baseline. This would make the removal of the UK GDPR a moot point.
For example: Should the UK government remove the GDPR’s cookie requirements (as has been indicated), UK businesses will still be required to adhere to EU cookie requirements if they are offering goods or services to the EU or EU citizens. This will require businesses to either segregate EU and UK data, or apply EU cookie requirements as the baseline to ensure that EU data subjects rights are being met.
All of these effects are likely be a time consuming and potentially expensive exercises for UK businesses. Rather than remove ‘red-tape’, greater restrictions and requirements would be placed on UK businesses. Businesses wishing to operate within the EU could be faced with significant cost increases due to additional red tape or even decide the additional burden is not worth it. This is business contraction, not growth.
Data Subject Welfare
On an ethical level, the removal of the UK GDPR would have a significant effect on our online safety as data subjects.
The UK GDPR provides various protections and rights to UK data subjects that aim to mitigate against potential threats to our rights and freedoms. Functional elements of the legislation, such as the 8 rights of a data subject and 7 fundamental principles, have been implemented to enable this. These provide data subjects with the ability to hold to account businesses that are not respecting their right to privacy and encourage the prioritisation of user data safety.
No business or government has proven to be ‘above the law’ in this regard. Most major tech firms have been issued significant fines for failing to comply, and the US government has seen its Privacy-Shield transfer agreement with the EU struck down over failure to protect EU citizen data from US security agencies.
Should the UK GDPR be repealed, these protections are likely to be greatly diminished. It would appear that the ‘freedoms’ of UK businesses are being prioritised at the extent of UK citizens rights.
Many commentators have viewed the Government’s announcement as part of a wider push to change the current discourse surrounding the economic effects of their tax cuts. Nevertheless, the plans represent (at the very least) a significant change to all UK businesses and UK data subjects. Change of this magnitude should not be taken lightly and the fear is that, in its haste, the UK government has not considered the significant risks that such a change poses.
Whilst no prospective bill has been released to the public, the narrative surrounding of the government’s approach does not bode well for the future of UK data privacy.
Only time will tell if a new ‘British system’ will generate growth or confusion.