New data protection regulations that will supposedly contribute £4.7bn to the UK economy between now and 2033 by giving organisations “greater flexibility” to protect personal data have had their second reading in the House of Commons, in the face of continuing industry calls not to diverge from the European Union (EU) General Data Protection Regulation (GDPR).
The government claims the revised Data Protection and Digital Information Bill – which was reintroduced to Parliament in March 2023 – will also reduce the number of cookie pop-up notifications and address the scourge of nuisance telephone calls experienced by ordinary consumers. It will also make it easier and quicker for people to verify their identity digitally by establishing a framework for trusted and secure digital verification services.
Critics of the proposals have previously been outspoken that the UK risks losing its hard-won data adequacy agreement with Brussels and diluting data protection regulation to the detriment of the personal security and privacy of everyone in the country. But the government has insisted that the bill will maintain current high standards of data protection and that it will be able to satisfy the EU that the UK can maintain adequacy.
It also said the legal changes will improve the country’s ability to strike other international data deals and ensure the security of those partnerships, allowing UK businesses to “seize billions of pounds of data trade” on a global basis, not just with their EU neighbours.
Speaking in the House of Commons on Monday 17 April, data and digital infrastructure minister Julia Lopez said: “The UK cannot step aside from the debate by simply rubber-stamping whatever iteration of the GDPR comes out of Brussels.
“We have in our hands a critical opportunity to take a new path and, in doing so, to lead the global conversation about how we can best use data as a force for good – a conversation in which using data more effectively and maintaining high data protection standards are seen not as contradictory but as mutually reinforcing objectives, because trust in this more effective system will build the confidence to share information.
“We start today not by kicking off a revolution, turning over the apple cart and causing a compliance headache for UK firms, but by beginning an evolution away from an inflexible one-size-fits-all regime and towards one that is risk-based and focused on innovation, flexibility and the needs of our citizens, scientists, public services and companies,” she said.
Lopez cited recently published research from YouGov that found a fifth of marketing professionals in the UK know “absolutely nothing” about the GDPR despite being bound by it.
“It is not just businesses,” she added. “The people whose privacy our laws are supposed to protect do not understand it either. Instead, they click away the thicket of cookie pop-ups just so they can see their screen.”
Red flags
The SNP’s Carol Monahan warned that in its current form the bill threatens to undermine privacy and data protection, and that by potentially moving away from the adequacy concept in the EU GDPR, it gives weight to the idea that different countries can maintain data protection standards in different but equally effective ways.
“The only way that we can properly maintain standards is by having a standard across the different trading partners, but the bill risks creating a scenario where the data of EU citizens could be passed through the UK to countries with which the EU does not have an agreement,” said Monahan.
“The changes are raising red flags in Europe. Many businesses have spoken out about the negative impacts of the bill’s proposals. Many of them will continue to set their controls to EU standards and operate on EU terms to ensure that they can continue to trade there,” said Monahan.
“According to conservative estimates, the loss of the adequacy agreement could cost £1.6bn in legal fees alone. That figure does not include the cost resulting from disruption of digital trade and investments,” she added.
Privacy experts react
Marjius Briedis, chief technology officer at NordVPN, said: “By seeking to put clear water between itself and Europe over GDPR rules, the government is putting the personal privacy of UK residents at risk. Relaxing some data restrictions may benefit smaller companies but ultimately it has the potential to allow a consolidation of power among tech giants who already hold a huge influence over our lives.
“Companies should be made more accountable when it comes to our information, but instead some of the government’s proposals reduce the need for transparency and could make it harder for people to find out how their data is being used.”
Briedis said he was additionally concerned that weakening key principles in the GDPR could make it easier for corporations to be negligent and open the door to ever-more massive data breaches.
“Millions of consumers are having their details legally collected and traded every day, so it’s vital that our data rights are prioritised. These plans, which tilt the balance in favour of advertisers and data brokers, may risk turning our individual freedoms into an afterthought,” he said.
Amanda Brock, CEO of OpenUK, was similarly unconvinced, saying that releasing UK businesses from red tape would only be beneficial if they can continue to work with EU citizens and their data across borders – as they currently can.
“The bill lightens the requirements of GDPR in a number of ways which could potentially be considered to make life easier for businesses. However, any business still dealing with the EU will still have to meet GDPR requirements, so it is questionable whether a distinct regime will actually give UK businesses real benefits,” said Brock.
“Changing the rules takes a risk with the adequacy ruling. For most businesses in a digital world, GDPR still has to be complied with. Setting it out so quickly after the Northern Ireland agreement has been reached is probably no surprise, but it’s definitely leaving UK business to the whim of the EU on the Adequacy ruling.”
She added: “If the EU confirms the new lighter UK rules are effectively equivalent, then they effectively undermine the need for their own requirements under GDPR. This is a no win situation.”