Out-Law News
06 Oct 2022, 3:17 pm
Businesses can expect the UK government to propose amendments to the Data Protection and Digital Information Bill, or even to scrap the Bill and restart the process of reform altogether, once MPs return to parliament, a data protection law expert has said.
Kathryn Wynn of Pinsent Masons was commenting after Michelle Donelan, the recently appointed secretary of state for digital, culture, media and sport in the UK, pledged to deliver a simplified “business and consumer-friendly, British data protection system”. Donelan said the UK “can be the bridge across the Atlantic and operate as the world’s data hub”.
In a speech at the Conservative party conference in Birmingham earlier this week, Donelan criticised the current data protection legislation in place in the UK, describing the UK General Data Protection Regulation (GDPR) specifically as being a “regulatory minefield” that is particularly difficult for smaller organisations and businesses to navigate. She said it was “just not right” that those smaller organisations are “forced to follow the same one-size-fits-all approach as a multinational corporation” in the main.
Donelan said: “Our plan will protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely. And I can promise … that it will be simpler and clearer for businesses to navigate.”
“No longer will our businesses be shackled by unnecessary red tape. At the moment, even though we have shortages of electricians and plumbers, GDPR ties them in knots with clunky bureaucracy. In its place, we will co-design with business a new system of data protection. We will look to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand,” she said.
“Our new data protection plan will focus on growth and common sense, helping to prevent losses from cyber attacks and data breaches, while protecting data privacy. This will allow us to reduce the needless regulations and business-stifling elements, while taking the best bits from others around the world to form a truly bespoke, British system of data protection,” Donelan said.
“This is not another wave of legislation on business. Businesses won’t have to wrap their heads around complicated legislation – this is about simplification,” she said, pledging to involve businesses “right from the start in the design of a tailored, business-friendly British system of data protection”.
That new system, she said, would protect consumers, protect data adequacy, increase trade, increase productivity and avoid “the pitfalls of a one-size-fits-all system”.
Reform of UK data protection law was on the agenda of the Boris Johnson-led Conservative government. In July, a new UK Data Protection and Digital Information Bill was introduced into parliament, with significant changes proposed to the current framework. However, a second reading of the Bill was postponed last month “to allow ministers to consider the legislation further”, with the postponement following the announcement of the election of Liz Truss to the leadership of the Conservative party.
Kathryn Wynn of Pinsent Masons said: “The new digital secretary’s comments that businesses will be involved in co-designing a new British system of data protection from the start suggest that the government will withdraw the Data Protection and Digital Information Bill currently before parliament, or at least bring forward significant amendments to the Bill as it stands. The existing Bill is the product of lengthy consultation, so restarting this process from scratch seems unlikely – particularly as the government has ambitious short-term growth targets and appears keen to pursue reforms at speed.”
“The current draft of the Bill is as complex and ‘one size fits all’ as the regime in force at the moment so, based on Donelan’s comments, more significant carve-outs for small organisations look likely to be proposed,” she said.
One specific example of small organisations facing challenges under the GDPR that Donelan cited in her speech was that of churches seeking to distribute newsletters but worried about ‘data rules’. Wynn said the current Bill before parliament does not fully address the perceived issue.
“While the current Bill proposes a limited relaxation of the direct marketing rules to allow non-commercial organisations to rely on the so-called ‘soft opt-in’ exemption to conduct electronic direct marketing, which would include an e-newsletter, achieving a valid marketing permission under the soft opt-in exemption would still require a careful application of the data rules. Therefore, one option that the government may be considering is the explicit exclusion of the promotion of ‘aims and ideals’ from the definition of direct marketing altogether,” Wynn said.
“Donelan’s focus appears to be on establishing a new data protection law framework that is simpler and less burdensome for small business. The introduction of a ‘GDPR-lite’ for non-data heavy SMEs or more extensive carve-outs for GDPR might be a better option than wholesale reform of the GDPR. We also believe there is scope for the Information Commissioner’s Office (ICO) to publish more guidance to help organisations that engage in limited, low risk data processing, but which do not have the resource to engage or employ data protection expertise to navigate the GDPR and dispel some of the myths that often create the perception that the GDPR is much more restrictive than it is in reality,” she said.
Stephanie Paton, also of Pinsent Masons, who specialises in data protection in the employment context, said major reforms to UK data protection rules could have a big impact on how employers process employment-related information. She said: “Further, the ICO’s work to update its long-awaited post GDPR employment practices code may also be derailed. This is due to the fact that the ICO’s consultation exercise that it carried out to inform that update was based on the GDPR. Any re-setting of the current reforms would only prolong the uncertainty for employers.”
Wynn said, however, that businesses will welcome the fact that there appears to be a renewed commitment from the new incumbents in government to data adequacy.
“The GDPR is the gold-standard for data protection globally, and businesses trading in Europe will remain subject to its requirements regardless of what changes the UK government made to domestic legislation,” she said. “A data adequacy decision from the European Commission is therefore a pre-requisite for bolstering international trade.”
“In pursuing a bespoke new data protection regime in the UK, the government must tread a fine line between reducing what it considers are unnecessary burdens for business under the GDPR framework and implementing changes that others consider diminish data protection standards, as this would put at risk an adequacy decision,” Wynn said.
“Further, the standard for data protection adopted by British organisations is not set by legislation alone – it must align with consumers’ expectations around the ethical use of their personal data, particularly where the value of the personal data to that organisation could outweigh the perceived value of the service received by the consumer,” Wynn said.