Brexit replacement for GDPR draws mixed response
The Government has revealed more details about how its Brexit-era plan to replace Europe’s flagship privacy law will reduce the load of consent ‘pop-up’ boxes on publishers’ websites and save businesses “billions”.
Technology Secretary Michele Donelan introduced the Data Protection and Digital Information Bill (DPDI) today, which would create a new UK version of the European Union’s General Data Protection Regulation (GDPR).
The new bill seeks to create a more business-friendly framework than GDPR by allowing businesses more flexibility in how they comply with the new data laws, while also ensuring the new regime maintains data adequacy with the EU.
The bill was first introduced last summer and paused in September 2022 so ministers could engage with business leaders and data experts on its design. Full text of the new bill has not yet been released.
Currently, the UK still retains an identical version of the EU’s GDPR law despite no longer being an EU member state. The Government is billing the new legislation as “common-sense-led”, saying it seeks to “reduce the costs and burdens” associated with GDPR for businesses, remove barriers to international trade and cut the number of repetitive data collection consent pop-ups people see online.
Additional impacts of the bill would include reducing the amount of paperwork organisations need to complete to demonstrate compliance, providing organisations with greater confidence about when they can process personal data without consent, and clarifying the circumstances when robust safeguards apply to automated decision-making.
DPDI will also remove a GDPR stipulation for all businesses to keep data processing records; only companies engaging in “high risk” activities, such as working with health data, will still have to comply.
A Government impact assessment expects the reforms to unlock £4.7bn in savings for the UK economy over the next 10 years while still retaining enough data protection standards so that businesses can continue to trade freely with global partners, including the EU.
‘Our new laws release British business from unnecessary red tape’
Announcing the bill, Donelan said it would ensure “that a vitally important data protection regime is tailored to the UK’s own needs and our customs.”
She added: “Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR. Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”
The proposed bill will further establish a framework for the use of secure digital verification services, which allow people to prove their identity digitally if they choose to do so. It also seeks to strengthen the Information Commissioner’s Office (ICO) through the creation of a statutory board with a chair and chief executive, so it can better support organisations to comply with data regulation.
It is unclear whether Europe will consider the new legislation to be sufficiently in line with GDPR to facilitate the continued flow of data between the 27-member bloc and the UK. In November, a visiting delegation of EU lawmakers reacted negatively to the development of the DPDI bill and their poor reception by UK regulators. French MEP Gwendoline Delbos-Corfield called the developments “appalling”, and noted “weakness of the ICO”.
“It was all about growth and innovation and nothing about human rights,” she told Politico. “I never heard them say, Protecting data is a fundamental right. Even in Hungary they say this.”
Digital rights non-profit the Open Rights Group has previously warned the bill will make it more difficult for individuals to exercise their rights to privacy.
‘Still work to do’
Initial reaction to the bill from the media and advertising industry was mixed. Chris Combemale, CEO of the Data & Marketing Association (DMA), which collaborated with the Government on drafting the legislation, said the DMA is “confident that the bill should act as a catalyst for innovation and growth, while maintaining robust privacy protections across the UK – an essential balance which will build consumer trust in the digital economy.”
Konrad Shek, director of policy research at the Advertising Association, said the body “broadly welcomes the introduction of the new version of the DPDI Bill and what has been achieved to date, with the added clarity to the use of legitimate interest, especially with regard to direct marketing; the inclusion of commercial research under research provisions; and reduction of overall paper requirements.”
Shek, however, hopes there will be further opportunities to work with Government and amend the bill, citing a desire to adjust areas linked to non-intrusive cookies, such as increased clarity and flexibility over audience measurement and ad performance.
Rob Newman, director of public affairs at ISBA, added: “At first glance, the bill represents a useful relaxation of some burdensome obligations, and welcome clarity on ‘legitimate interest’; but there is still work to do to enable advertising measurement and analytics to be carried out.”
On the other hand, Christie Dennehy-Neil, head of policy & regulatory affairs at IAB UK, expressed concern about how future changes to cookie consent mechanisms will be developed and implemented under the new bill.
Currently, the bill contains an expanded range of exemptions to consent for cookies, with the goal of reducing consent banners especially for ecommerce and charity websites that do not take advertising.
“Appropriate checks and balances need to be in place to ensure that such changes will actually improve the user experience, avoid the risk of negative impacts on competition in the market, and protect the viability of the ad-funded business model our open web relies on,” she said.
Dennehy-Neil further urged the Government to extend cookie consent exemptions to advertising measurement and analytics, which she described as “necessary, non-intrusive functions”.
“This would achieve the risk-based and proportionate approach to cookie consent that the Government wants. In its current form, the bill doesn’t make the most of this opportunity for meaningful change.”