In the midst of the news of screeching U-turns on tax rates yesterday you would be forgiven for having missed Michelle Donelan's announcement at the Conservative Party Conference that the UK Government plans to "replace" the GDPR with a new UK data protection law. This comes a few weeks after the Government announced a pause on the legislative process for the proposed Data Protection and Digital Information Bill (DP Bill).
Whilst there are scant details at this stage, a few initial thoughts come to mind:
1. Whilst the DP Bill sought merely to amend the GDPR in certain areas (e.g. research), it sounds from this announcement like there are no plans to retain any aspect of the GDPR in UK law, and therefore that the DP Bill is now dead on arrival.
2. Michelle Donelan's speech said the UK would develop a "truly bespoke" law which cuts "EU red-tape" through "simplification" but which still "protects consumer privacy". This is obviously not very much to go on but I think it is reasonable to assume that this Conservative government will be looking to deploy a lighter touch to data protection regulation.
3. If that is correct it will be significant to see whether the new UK law will still look to mirror the GDPR in substance and structure (e.g. different obligations for controllers and processors, specific individual rights and accountability requirements), or whether it will propose something new. UK businesses have been working with the GDPR for over four years and have spent significant time and money setting up and running their compliance programs. As a result, you would expect them to be putting the Government under significant pressure to avoid any radical departure from these core principles.
4. Furthermore, UK businesses that have customers in the EU will still have to comply with the GDPR even once this new UK law is in place. There is therefore clearly a risk that the proposed "simplification" will result in such businesses having to comply with two regulatory regimes. In those circumstances, businesses will continue to apply the stricter rules (likely to be the GDPR) anyway.
5. The EU will also have a close eye on any changes. The UK currently enjoys an EU adequacy decision that allows personal data to flow freely from the EU to the UK. That adequacy decision requires the EU Commission to continuously monitor developments in UK law in order to assess whether the UK still provides "essential equivalence", and therefore any move away from the GDPR by the UK will be heavily scrutinised. Michelle Donelan made clear in her speech that the UK would retain its adequacy decision but that outcome is far from certain.
Once we see the draft legislation we will know more. Watch this space!
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2024-04-23-08-13-08-767-66276d94160531884bcc6d78.PNG)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2024-04-22-17-51-00-028-6626a3848171a252db383eac.jpg)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2024-04-22-13-56-20-008-66266c848171a252db37ac58.jpg)