What risks does replacing the GDPR hold for UK IT contractors and their clients?

On October 3rd 2022, during the Conservative Party’s annual conference in Birmingham, the digital and culture secretary Michelle Donelan announced the UK government’s intention to replace the GDPR with a “business and consumer-friendly British data protection system.”

Those listening to her speech heard that the government’s aim is to establish a data protection system that is simpler and more transparent than the General Data Protection Regulation – to “reduce the needless regulations and business-stifling elements, while taking the best bits from others around the world to form a bespoke British system of data protection.”

An opaque announcement

Indeed, one of the main criticisms from the Conservative Party towards the GDPR is the bureaucratic ‘red tape’ representing a disproportionate burden on small businesses (“GDPR ties them in knots”). Donelan also suggested that a simplification would unlock economic growth by increasing businesses’ profitability.

Potentially unnerving to IT contractors, data specialists, and the organisations these professionals serve, the details of how the government intends to streamline data protection rules remain unclear, write Maude Lindfelt and Evane Alexandre, both of information law firm Gerrish Legal.

The Information Commissioner’s Office welcomed the initiative, stating that it is “pleased to hear the government’s commitment to protecting people’s privacy, preserving adequacy and simplifying data protection law.” The ICO added that it “looks forward to seeing further details, and stands ready to provide advice and insight.”

But businesses and other professionals in the technology sector have expressed two main concerns:

1. Adding a new set of data privacy obligations would ultimately result in a more complicated system for larger companies

Developing a system that is both business and consumer-friendly is a complex task, so there is a risk that the outcome may not be simpler.

Moreover, even if the project succeeds in reducing the burden on smaller companies, larger ones – particularly those operating outside the UK – would then have to comply with both the new UK regime and the EU GDPR. The latter applies to businesses inside and outside the EU that offer goods or services to data subjects in the EU or monitor their behaviour (online tracking included), so a UK company serving EU customers cannot escape it simply by complying with a UK-only statute.

A new system would therefore risk adding compliance obligations rather than removing them, making life more onerous for the businesses concerned. If the UK wishes to flourish in the tech and digital services sector, it should stay aligned with the GDPR rather than attempt to deviate from it.

2. The lack of an adequacy decision would complicate cross-border data transfers

The lack of an ‘adequacy decision’ could increase the complexity for companies in the UK and the EU hoping to collaborate by sharing data across geographical boundaries. Indeed, one major concern for UK businesses will be whether a reform of domestic data protection legislation will jeopardise the country’s adequacy status with the EU.

As a reminder, following Brexit the UK became a ‘third country’ under the GDPR, so personal data may only flow freely from the EU to the UK if the UK offers a level of protection essentially equivalent to that of the EU. With the adequacy decision adopted in June 2021, the European Commission confirmed that the UK's data protection regime meets that standard for EU personal data.

Therefore, if the new regulation deviated so significantly from the existing system that the UK could no longer be regarded as offering an adequate level of protection, the European Commission could repeal, amend or suspend the adequacy decision granted to the UK post-Brexit. That decision also carries a four-year sunset clause and lapses in June 2025 unless renewed, so any divergence will in any case be examined closely at that point.

This would be extremely disruptive for businesses sharing data across borders, imposing yet another barrier on larger companies.

The Schrems II case looks like a warning

An illustration of these difficulties can already be seen in the US, following the Schrems II decision of the Court of Justice of the EU, which invalidated the EU-US Privacy Shield in July 2020. Unable to rely on that mechanism, organisations transferring data to the US have had to use a variety of other tools: Standard Contractual Clauses (SCCs), a set of contractual terms between the sender and the recipient of personal data; Transfer Impact Assessments (TIAs), which analyse the legal and security implications of a given transfer; and ‘supplementary measures’ such as encryption or pseudonymisation where the SCCs alone do not guarantee an adequate level of protection. All of this adds cost and red tape for the companies involved.

When can a new data protection system to replace GDPR be expected?

The UK government has announced a further pause in drafting digital legislation under new prime minister Liz Truss, indicating that the data reform bill previously introduced is on hold while ministers reassess it.

Considering there are at most two years left before the next general election, the pause to reconsider the data reform bill could well become a permanent freeze – if, for example, the Conservative Party fails to secure re-election, as current polls suggest, or if the rework demands more parliamentary time and scrutiny than the government has available.

In other words, the adoption of a new UK data privacy regime still seems far off and looks unlikely to succeed.

What steps can IT contractors take to prepare?

If you nevertheless wish to prepare your business for any contingency, here are three steps you can take now:

1. Map your data transfers (which data goes to which recipient, in which country, and for what purpose), and ensure that the data transferred is adequate, relevant and limited to what is necessary for the purposes for which it is transferred and processed in the third country.

2. Identify the supplementary measures (contractual, technical or organisational) needed to raise the level of protection to that offered in the EU where the transfer tool alone does not achieve it.

3. In line with the accountability principle, re-evaluate the level of protection afforded to the data at regular intervals and monitor the legal and political developments which affect it.

Monday 10th Oct 2022

Written by Gerrish Legal

Gerrish Legal is a digital commercial law firm based in London, Stockholm and Paris. Gerrish Legal gives contractors the trusted legal support they need to run their business in all areas of commercial, contract, intellectual property and data protection law. Unlike traditional law firms, we follow your legal matter from A to Z. From the moment contractors partner with us, they can rest assured their legal needs will be looked after with the utmost care. We stay on top of the latest trends, embrace innovation, and provide flexible legal advice in accordance with our contractors’ budgets and deadlines.