On 1 January 2021, following the end of the Brexit transition period, the UK’s data protection laws were changed. Out went the EU’s General Data Protection Regulation, and in came the UK’s very own version of the GDPR.
Changes were also made to the Data Protection Act 2018. But these were mainly technical. The rights and obligations remained largely the same. Until now.
The UK government has recently dropped some strong hints that substantial change may be on its way. In a comment piece in the Financial Times, the Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, argued for a new approach to data protection in the UK. He wants data protection to be focused more on the positive benefits of using data rather than seeing it solely as being about risks and harms. And in a speech reported by Sky News, Dowden is quoted as saying that the UK should have a “more pro-growth, more pro-public policy approach” to data protection.
What does all of this mean in practice? It isn’t entirely clear what a ‘more pro-growth’ approach would look like, although the tone of Dowden’s comments certainly suggests that the government is seeking to reduce some of the more onerous requirements that data protection law places on businesses. This could mean reducing or even removing completely some of the accountability obligations, such as the requirements to appoint data protection officers, keep detailed records of processing activities and carry out data protection impact assessments. Whilst there is no doubt these can be costly for some businesses, other businesses are already exempt from these requirements. Other potential changes could include broadening the circumstances in which personal data can be used, narrowing some individual rights and widening exemptions to the rules to allow greater innovation in the use of data.
There are opportunities here. Our data protection laws are far from perfect and there is much that could be improved. The obligations are overly complex and difficult to interpret, the language is technical and the laws are very widely misunderstood. Not for nothing has the Information Commissioner needed to publish a series of blogs about ‘GDPR myths’, trying to combat fake news about data protection which continues to flourish due to this lack of understanding.
One option may be to remove small and medium-sized businesses entirely from compliance with certain data protection obligations. Although this may be superficially attractive to allow new and growing businesses to innovate, it is arguably more costly in the longer term (not to mention far riskier) to bolt on data protection compliance to a mature business, rather than building it in from the start.
So the government will need to tread very carefully in making any changes. Whatever amendments are proposed, these should not put at risk the European Commission’s intention to grant the UK the ‘adequacy’ decision it requires to continue the free flow of data between the EU and the UK, which is crucial to so many businesses in the UK. For this reason, it is unlikely that the government will radically alter the rights of individuals, such as the right to be told about how their data is processed and the right of access, or the enforcement regime currently operated by the Information Commissioner. Any major relaxation of the data export rules will also risk undermining the prospects of an adequacy decision.
Another potential risk of making wholesale changes is that UK businesses which operate in the European Union or which sell to customers within Europe will continue to need to comply with the EU’s GDPR. Currently, UK law is very closely aligned to the EU’s GDPR, and so this requirement to comply with two different legal regimes is actually relatively straightforward. However, if the UK government chooses to make significant changes, a large number of businesses will need to adapt their activities in order to comply with both the EU’s and the UK’s (potentially very different) data protection laws. This is likely to add to, rather than reduce, the compliance burden.
In my December column, I made some predictions about what 2021 may bring to the world of data protection. In light of these developments, it appears I was right to mention the possibility of changes to the UK’s data protection laws, although perhaps I was wrong to say “don’t expect to see a significant shakeup”. Businesses will await the government’s detailed proposals with interest.