At the Conservative Party Conference, the Secretary of State for Digital, Culture, Media and Sport confirmed that new UK privacy regulations will soon be introduced as the EU rules of GDPR are scrapped.
Why it matters
This change will affect the majority of businesses in the UK which are currently subject to GDPR. It may further call into question the adequacy decision granted by the European Commission to the UK and jeopardise international data transfers between the UK and the EEA.
Michelle Donelan announced on the 3rd of October that the UK Government plans to bring in an entirely new UK law concerning data protection, effectively replacing the UK GDPR which has been in place since the UK left the European Union. The changes proposed in this announcement follow the Government's pausing of the legislative process for the new Data Protection and Digital Information Bill, which has been in motion since July this year. There is a possibility that the Bill will be scrapped altogether, as it is guilty of providing a one-size-fits-all approach to businesses, just like the UK GDPR.
Donelan claims that this replacement law will cut the ‘EU red-tape’ by simplifying the process, while still protecting ‘consumer privacy’.
However, the UK enjoys an EU adequacy decision as to the standards of protection of personal data, which allows the free movement of data from the EU to the UK. A condition of this decision is the EU Commission’s continuous monitoring of any change in UK law, as the UK is constantly assessed to determine if it provides ‘essential equivalence’. This means that the UK will be heavily scrutinised if it decides to distance itself from the GDPR.
Therefore, on the face of it, the Government is proposing a less rigorous system of data protection rules in comparison with the EU. However, it could have a negative impact if it means that firms are unable to exchange data with the EU due to new data protection standards which could be deemed inadequate by the European Commission. Such businesses will therefore still have to comply with EU GDPR even after the introduction and establishment of the new UK law. This could ironically counter the Government’s idea of simplification and cutting the red tape, as it could subject the businesses to two distinct legal regimes.
Businesses in the UK have been subject to the GDPR for 4 years now, investing time and capital into ensuring their own compliance. A new system of laws and regulation is likely to spark opposition to yet another system of rules which, like most of the consequences of Brexit so far, may be adding to the red tape instead of getting rid of it.
Who it affects
This affects all businesses processing personal data and trading in the UK, the EU and EEA.