GDPR is dead in the UK. But what is replacing it?
The UK’s departure from Europe has necessitated widespread legal reforms as part of which the UK General Data Protection Regulation (GDPR) was placed under review. It was set to be replaced by the Data Reform Bill, currently undergoing its second reading in the House of Commons, but this has now been put on pause, leading to speculation that we may see UK GDPR watered down still further.
The Data Reform Bill is seen as an evolution of rather than a drastic departure from the original legislation. Prior to the announcement on 3 October, the results of a recent consultation published in June suggested the reforms would be moderate. This is largely because the UK needs to maintain its hard-won data adequacy status which is up for review by the EU in 2025. But in hitting the pause button, questions are now being raised over whether the UK will still prioritise the status which allows data to flow across the EU.
A mistake?
A departure from EU GDPR in any form is regarded by many as a mistake. There are concerns that this will see the UK move away from what has come to be seen as the ‘gold standard’ in data privacy regulation, which other countries have sought to emulate, and that too drastic a move will leave businesses struggling with more bureaucracy and compliance hurdles as they attempt to meet the demands of different regimes.
The Data Reform Bill in its current incarnation aimed to simplify corporate privacy programs by dropping the requirements for a Data Protection Officer (DPO), Data Protection Impact Assessments (DPIAs) and Records of Processing Activities (ROPAs). Someone will still need to be in charge of the program, and inventories will still need to be maintained, but by reducing the formal reporting structures it was hoped this would create more flexibility and thereby reduce processing costs.
Or greater flexibility?
Greater leniency was also expected with regard to the reasons for processing. Currently, organisations need to provide a legal basis for every purpose for which they process a subject’s data and, where legitimate interest is that basis, justify it using a balancing test. The balancing test has been removed for a number of purposes, such as public interest, safeguarding national security, public security and defence, responding to emergencies, and detecting, investigating or preventing crime. It was also expected that changes would be made to the Data Subject Access Request (DSAR) process to make it easier for organisations to decline requests. Previously a request had to be unfounded and excessive to be refused, but it’s likely that rejecting those deemed vexatious and excessive will also be allowed.
The amendment of the DSAR process is something of a double-edged sword. While it should make it easier for businesses to defend themselves against unfounded DSARs and the weaponisation of these requests, those lodging a DSAR will first need to try to resolve any complaint with the data controller before approaching the ICO. This could cause subjects significant frustration, as they are effectively losing direct access to the regulator.
The reuse of data (i.e. for a purpose other than the one for which it was originally collected) has always been permitted under certain circumstances, but the Bill promises to clarify these, paving the way for the use of data for research, archival and statistical (RAS) purposes or for taxation, for instance.
The Data Reform Bill also clarifies the situation over cookies. Under the reforms, consent will no longer be required for statistical or functionality/preference cookies, and the Bill further clarifies what counts as "strictly necessary cookies", much to the relief of businesses and users alike. How cookies are used falls under the remit of the Privacy and Electronic Communications Regulations (PECR), so the Bill will also see PECR amended both in this respect and with regard to the fines that can be imposed. These are expected to be increased and brought into line with those levied under GDPR: £17 million or 4% of global turnover.
However, while larger PECR fines may seem daunting, it’s worth noting that the ICO has made clear it intends to restrict its focus going forward to major cases of non-compliance (in July it stated that it will take a more lenient approach to public sector organisations as part of its three-year strategy, with more emphasis on sharing good practice).
The Data Reform Bill seems to be dispensing with many of the formalities of GDPR, which means it will allow businesses to devise a Data Privacy Program to suit them. Controllers that are currently in compliance with GDPR will see their obligations increase, but they can expect some initial costs associated with reviewing and removing mandatory requirements, assigning responsibility and working out how they self-police their processes.
Pros and cons
Yet, while the regulations are likely to become easier to comply with, with outcome-based processing replacing formal record keeping, maintaining high standards of data processing will still be a must. Without EU GDPR’s guardrails, there could well be a slipping of standards and, at the very least, significant confusion. The changes may also make it harder to maintain a consistent, universal approach to privacy. Companies operating in other jurisdictions will need to consider what impact the new changes will have on their international privacy programs.
It remains to be seen how UK controllers will reconcile their processing of data for subjects in the EU with that for subjects in the UK. EU GDPR, due to its extraterritoriality, creates the obligation to process EU residents’ data in compliance with the EU’s GDPR. It is unlikely that controllers in the UK will abandon the best practices they have developed thus far, especially those operating in international spaces.