On 3rd October 2022, during the Conservative Party Conference, Michelle Donelan, the new Secretary for State for Digital, Culture, Media and Sport (DCMS), made a speech announcing a plan to replace the UK GDPR with a new “British data protection system”. Just as we are all getting to grips with the (relatively new) UK GDPR, do we want more change and uncertainty? How did we get here? Let’s recap.
In July the Government, led by Boris Johnson (remember him?), published the Data Protection and Digital Information Bill. This was supposed to be the next step in its much publicised plans to reform the UK Data Protection regime following Brexit (remember that?).
In the Government’s response to the September 2021 data protection reform consultation (“Data: A New Direction”) it said it intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” To achieve this, the new Bill proposed amendments to existing UK data protection legislation in particular the UK GDPR. On further analysis, the bill was more a “tinkering” with GDPR rather than a wholesale change; although the government projected it would yield savings for businesses of £1billion over ten years. (Key provisions of the bill are summarised in our blog post here.)
Following the Bill, we had a new Prime Minister. Nadine Dorries at the DCMS was replaced by Michelle Donelan. The new bill’s passage in Parliament was suspended with a promise to re-introduce it. Now it seems that we could have a new piece of legislation altogether.
The headline of Donelan’s speech was that the Truss Government would replace GDPR with “our own business- and consumer-friendly British data protection system”. She says it will be “co-design[ed] with business …” But the devil is in the detail or lack thereof.
Donelan’s speech also contained the usual compulsory myths about GDPR and tired data protection law cliches (the old ones are the best!). She regurgitated complaints highlighted by Oliver Dowden, when he was at the DCMS:
“We’ve even had churches write to the department, pleading for us to do something, so that they can send newsletters out to their communities without worrying about breaching data rules.”
And plumbers and electricians are also finding GDPR a problem:
“No longer will our businesses be shackled by unnecessary red tape. At the moment, even though we have shortages of electricians and plumbers, GDPR ties them in knots with clunky bureaucracy.”
So that’s why my electrician doesn’t turn up. He is busy drafting a GDPR compliant privacy notice!
Donelan even claimed that “researchers at Oxford University estimated that it has directly caused businesses to lose over 8% of their profits.” This is selective quoting at best. (Andy Crow has done a great post on this.)
Will this “growth” focused reform of UK data protection rules risk the UK’s adequacy status with the EU? It depends on the final text of the law “co-designed” by business. ; )
7th Nov 2022 Update: Today we hear that the EU is not impressed. A key European Union lawmaker has described meetings with the U.K. government over the country’s data protection reform plans as “appalling.” Italian MEP Fulvio Martusciello from the center-right European People’s Party said his impression from the visit was that Britain is “giving in on privacy in exchange for business gain.”
Data protection practitioners should not burn their UK GDPR Handbook just yet! If you have been following the events of the last few days, you might suspect that we may have a new Prime Minister soon and/or a General Election. This will mean that the pause button on data protection reform could be pressed again. To repeat the phrase of the past year, “We live in uncertain times!”
This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.
Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 21st November.