UK pauses data reform bill to rethink how to replace GDPR

The U.K. government has confirmed another pause to draft digital legislation under new prime minister Liz Truss’ reshuffled cabinet — saying the data reform bill it had introduced in recent months is on hold while ministers take another look.

The paused bill contained a package of amendments to the U.K.’s data protection regime, which remains based on a pan-European Union framework — tweaking rules for personal data processing in areas like consent for online tracking; data for scientific research; public sector data use and sharing; and easing certain regulations for small businesses, as well as mooting changes to the data regulator itself — with the government projecting it would yield savings for businesses of over £1BN over ten years.

However that reform is now on pause as the Truss-led government rethinks.

The fresh-in-post secretary of state for digital, Michelle Donelan, gave over the first chunk of her Conservative Party conference speech Monday to a headline-grabbing (but under-explained) announcement that it would be “replacing” the General Data Protection Regulation (GDPR) — a law the U.K. had (in her words) “inherited” from the European Union.

In its place the government would install what she framed as “our own business- and consumer-friendly British data protection system”.

This rebooted reform approach entails the government taking aim at bureaucratic EU “red tape” that Donelan claimed is responsible for current U.K. rules being a disproportionate burden for small businesses as a result of a “one-size-fits-all” approach in the GDPR. (So much like the claims the government previously made for the now paused data reform package.)

She also suggested that “simplification” of the U.K.’s data protection regime would help unlock economic growth by boosting businesses’ profits.

This new plan for the U.K. to create its own “truly bespoke” privacy rules rather than keeping the current set — which grease trade with the EU by enabling people’s data to flow freely from the bloc into the U.K. — would not itself result in increased bureaucracy, she further claimed.

“Consumer privacy” and “data privacy” (whatever that means) would also be protected and consumer data kept safe, was her conference pledge.

“Our plan will protect consumer privacy and keep their data safe while retaining our data adequacy so that businesses can of course trade freely,” she said. “I can promise to you here today… that it will be simpler, it will be clearer for businesses to navigate — no longer will our businesses be shackled by lots of unnecessary red tape.”

How exactly the government plans to simplify data protection rules under this new iteration of a post-Brexit data reform isn’t yet clear.

But to back up her claim that reduced red tape can unlock economic growth Donelan cited a working paper penned by researchers based at Oxford University — suggesting they found the GDPR “caps” businesses’ profits by 8%.

“Our new data protection plan will focus on growth and common sense, helping to prevent losses from cyber attacks and data breaches, while protecting data privacy,” she went on. “This will allow us to reduce the needless regulations and business stifling elements, while taking the best bits from others around the world to form a truly bespoke, British system of data protection.”

The January 2022 research paper her speech referenced describes the 8% reduction in profits as an estimate; caveats itself as a “work in progress”; and advises caution in interpreting its findings — positing, for example, that negative effects on business performance which the paper links to the GDPR “may partly reflect temporary adjustment costs, meaning that its effects might taper-off in the future”.

But Donelan didn’t dwell on such details — choosing instead to point to a survey of businesses conducted by her Department of Digital, Culture, Media and Sport (DCMS) which she said had found half the respondents reported “excessive caution” amongst staff when handling people’s data.

She also regurgitated complaints highlighted by one of her predecessors at DCMS about churches being concerned they can’t send newsletters without falling foul of the law — pronouncing the situation “mad”.

Conservative Party conference attendees lapped it all up, offering plenty of applause to podium talk of GDPR being replaced.

Top-line talk of the government ‘replacing GDPR’ certainly sounds calculated to seem radical — yet Donelan’s talk of slashing EU red tape just recirculates the same tired clichés that were being attached to the last data reform plan that this rehashed iteration of the government has decided to put on pause in order to whip up its supporters into a new deregulatory frenzy.

Perpetual reboot?

The U.K. government has been flirting with reworking domestic data protection for years — ever since the 2016 EU referendum vote which resulted in a narrow win for leave (ohhai Brexit) — triggering talk of a deregulatory “bonus” for the U.K. to tap. But years later they’re still talking about tapping this ‘Brexit bonus’ so finding it is certainly proving a sweating toil.

Readers with a long memory may remember an early period in the post-referendum years when another Donelan predecessor at DCMS described the GDPR as “a decent piece of legislation”. Scroll on through several years of increasingly fervent Brexiters being empowered inside the Conservative Party (thanks to former leader Boris Johnson) and there was a sharp tacking away from talk of decent EU rules — and toward deregulation.

The (paused) data reform bill was the culmination of the Brexiter government’s thinking on data protection under Johnson. (The Data Protection and Digital Information Bill, as it was known, was introduced by yet another Donelan predecessor at DCMS for anyone trying to keep count.)

The current secretary of state for digital did not even name-check this bill in her speech — a bill Truss’ government inherited from Johnson’s government — but a departmental source confirmed the bill has been paused to allow ministers time to consider (or, well, reconsider) the legislation.

Last month, changes to another piece of draft digital policy that Truss also inherited from Johnson were confirmed by Donelan — who said the government would be tweaking the content moderation focused Online Safety Bill to address free speech concerns. That bill had reached the report stage and was due to have its third reading. But there are now concerns the delay caused by the Truss-triggered rethink could see it running out of parliamentary time altogether once it’s brought back to parliament (and so crashing out entirely).

Given there are only around two years left (tops) before a general election must be called, the government’s pause to rethink the data reform bill could also trip from rethink delay to permanent freeze — if, for example, the Conservative Party fails to win another term in office (as current opinion polls suggest). Or if the reworking is complex and requires more parliamentary scrutiny time than they end up having.

The data reform bill was only set out in the Queen’s speech in May — with certain planned measures, such as a switch to an opt-out model for most online tracking, further fleshed out by Johnson’s government in June ahead of the bill being presented (and before he was deposed as party leader by his own MPs and replaced by Truss).

Right up to becoming the U.K.’s new prime minister last month, Truss had been serving in the cabinet where these draft bills were being discussed. So she had been giving all this stuff her backing until she got empowered to press the pause button.

Despite her previous (tacit) backing for the ‘Johnsonian’ data reform, it’s unclear how much of the paused bill — which had only had a first parliamentary reading — will survive the Truss-Donelan red pen.

In her speech today, Donelan said the government will work with businesses to “co-design” legislation, suggesting the rethink is more sweeping than a few minor tweaks.

“I will be involving them [businesses] right from the very beginning, starting in the design so that together we can create a tailored, business friendly system — one that protects the consumer, protects data adequacy, increases the trade and that also is a good data protection system that enables us to create an increased productivity and enables us to avoid the pitfalls of a one-size fits all system,” she said, before segueing into a fittingly stuttering autocue read-out of the eternal Brexiter rallying cry: “It is truly time that we seize this post-Brexit opportunity — that we unleash the future growth potential of our British business.”

A question of (in)adequacy

One major concern for U.K. businesses will be whether a ‘growth’ focused reform of domestic data protection rules — one that’s “co-designed” by business — risks the country’s so-called adequacy status with the EU.

Adequacy in this context refers to the June 2021 decision by the Commission which keeps data flowing smoothly from the EU to the U.K. (despite Brexit) — without the need for each and every business to have bespoke legal arrangements for each and every data flow.

Adequacy is critical for ‘business as usual’ for U.K. services businesses with customers in the EU. (The bill to U.K. businesses for loss of the coveted status is estimated by one analysis to stand at between £1BN and £1.6BN — purely on compliance costs, so not stuff like loss of business itself.) This means that any move by the U.K. government which jeopardizes adequacy risks wiping out any claimed upside from deregulating privacy, before you even factor in the cost to U.K. business of a loss of domestic consumer trust if data protections are ripped up…

In her speech, Donelan claimed the reforms the government will shape will ensure the U.K.’s adequacy status is protected — saying ministers would look to draw inspiration from other countries with data protection regimes that have managed to achieve EU adequacy (naming Israel, Japan, South Korea, Canada and New Zealand specifically), while simultaneously claiming the end result would not be a foreign cut-and-paste job but a “truly bespoke” set of “British” rules.

However she also talked about the government’s vision for the U.K. as being “the bridge across the Atlantic” — and operating as “the world’s data hub”. And if that was a reference to sharing data with the U.S. it’s worth noting that America does not have EU adequacy — so any moves to ‘unleash’ U.K. economic growth by passing data on EU citizens that’s flowed to the U.K. onward to the U.S. would look risky indeed for adequacy.

The U.K.’s adequacy status is not fixed — and is up for full review by the EU in 2025. But the Commission has also warned it won’t hesitate to pull the plug at any time if the government bends domestic data protection away from ‘essential equivalence’ with the GDPR — which is the standard required to achieve EU adequacy.

So the bottom line is there is little room for deregulatory maneuver here. Not if you want to actually maintain adequacy. And especially, therefore, for a government that claims to be so laser focused on “growth” — since the loss of adequacy would absolutely be bad for growth.

The U.K.’s information commissioner, John Edwards — who heads up the ICO (but was previously New Zealand’s privacy commissioner) — followed Donelan’s conference speech by having his office put out a statement that could be read as welcoming or a warning.

“We are pleased to hear the government’s commitment to protecting people’s privacy, preserving adequacy and simplifying data protection law,” it read, studiously avoiding Donelan’s watering down to “consumer privacy”. “We look forward to seeing further details, and stand ready to provide our advice and insight,” the ICO added.

Edwards has previously suggested there isn’t a need for a radical replacement of the U.K.’s GDPR-based regime — telling U.K. lawmakers only last year at a parliamentary hearing ahead of his confirmation as information commissioner that there is plenty of scope to make improvements under the current regime — including if you want to achieve economic gains — without indulging in risky regulatory divergence.

“I don’t believe that policymakers and businesses and governments are faced with a choice of share [data] or keep faith with data protection,” he also told the committee hearing. “Data protection laws and privacy laws would not be necessary if it wasn’t necessary to share information. These are two sides of the same coin.”

Whether the government will heed the privacy advice of its own information commissioner remains to be seen. Truly we live in mad times.

Under the earlier (shelved) data reform plan, the government had said it planned to “modernize” the ICO — and some of the proposed changes tacked closer to ‘wreck’ as they looked set to politicize the regulator (and undermine its independence) by having the secretary of state approve its statutory codes and guidance — a proposal that digital rights group the ORG slammed as set to “codify cronyism into law”.

Donelan’s talk of replacing the GDPR with a regime of “consumer privacy” and data protection co-designed by business — yet one that somehow maintains EU adequacy — smacks of magical thinking by design and default.

Or else this is pure charade: A cynical effort to spin whatever minor changes can be eked out while still cleaving to the EU’s standard as some sort of major Brexit boon to tout to voters (and toss to the deregulatory radicals consuming the Tory party from the inside).

As ever, the devil will be in the details of any legislation it drafts. Details which — like much of the U.K. government’s policy since Brexit — have reverted to an unsteady state of flux as ideological obsession throws up endless barriers to actually getting stuff done.