On October 3, 2022, the then Secretary of State for Digital, Culture, Media and Sport (‘DCMS’), Michelle Donelan, announced at the Conservative Party’s annual conference in Birmingham that Britain will replace the UK GDPR. The announcement plunged the UK’s data protection community into uncertainty, as it suggested that UK plc would be starting from scratch on GDPR reform rather than building on the reform proposals already on the table.

The EU General Data Protection Regulation (GDPR) was retained in UK domestic law after Brexit as the UK GDPR, which sits alongside the Data Protection Act 2018. The substance of the EU framework has therefore been preserved, but the UK is now free to keep that framework under review and to amend it.

What could the new legislation look like? 

It is not yet clear what the new legislation will entail. Donelan has stated that it will be “business and consumer-friendly” and easier for businesses to navigate, and that the DCMS will collaborate with businesses in designing it. She also indicated that countries which have achieved EU adequacy without adopting the GDPR, such as Japan, South Korea, Canada and New Zealand, would automatically be recognised by the UK as safe destinations for transfers of personal data.

Implications for businesses 

Where UK and EU companies do business with each other, compliance with data protection law must be respected on both sides. One estimate puts the potential cost to UK businesses of getting this wrong at £1-1.6 billion.

Any modification of UK legislation will be constrained by the need to offer a regime that the EU still deems adequate. The UK currently benefits from an EU adequacy decision, the effect of which is that personal data can flow from the EU and the EEA to the UK without any further safeguard being necessary. The Commission’s UK decisions, adopted in June 2021, unusually carry a four-year sunset clause, so they fall to be renewed in 2025 in any event. The European Commission also continuously monitors developments in third countries to assess whether their rules provide a level of protection essentially equivalent to the GDPR. A new domestic law in the UK could therefore prompt the Commission to revisit its adequacy decision, and withdrawal of that decision would block the free flow of personal data between the EU and the UK.

If the new data protection laws were to diverge significantly from the GDPR, companies would have to comply with a greater variety of data protection regimes. UK businesses that have customers in the EU will in any case still have to comply with the EU GDPR, because it applies to the processing of EU residents’ data regardless of where the business is established. If the new UK regime differs significantly from the existing law, those businesses will have to adapt once again to changing data protection rules, and the uncertainty about how far the UK will depart from the EU model has raised concern about ending up with two substantially different systems.

The key question is, can the UK maintain EU adequacy if UK law is reformed?

Particular issues that have been identified are the following.

The first is the UK’s proposed “risk-based” approach to adequacy, and whether the UK might deem certain countries adequate while the EU does not. For example, the UK recently signed a data access agreement with the US that the EU does not have. This raises the risk that EU data imported into the UK under the UK’s adequacy decision could then be transferred onward from the UK to countries the EU does not consider adequate.

The second is the proposal to simplify the test for anonymisation. Under the current approach, whether data has been rendered into a form that no longer identifies individuals turns on an analysis of whether data subjects could be identified or re-identified. Any simplification will be controversial. There will no doubt be concern that data the UK treats as anonymous is instead treated by the EU as merely pseudonymised, i.e., data that can no longer be attributed to a specific data subject without the use of additional information, which under the GDPR remains personal data and stays within scope of the regulation.

Key takeaways

It is important that any changes to UK domestic legislation are not made rashly, but rather through a step-by-step process with a precautionary view of the consequences. Such changes must take into account the legal and practical consequences for UK companies acting within the European market.

Companies operating globally will still have an obligation to comply with differing data protection regimes. A degree of adaptability will therefore be required to adjust current policies and practices as the UK regime develops.

HewardMills is well placed to support on these requirements. Our team’s diverse expertise stands ready to assist clients in navigating the different data protection laws across multiple jurisdictions.
If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.