On 3 October 2022, at the Conservative Party Conference, Michelle Donelan, the Secretary of State for Digital, Culture, Media and Sport, made a speech announcing that the UK Government intends to replace the UK GDPR with a new “British data protection system”. During her speech, Ms. Donelan suggested that the current data protection laws shackled businesses “by unnecessary red tape”; in particular, she referred to the impact it has on smaller organisations.
As a result of this announcement, we think it likely that the Data Protection and Digital Information Bill, which is awaiting its second reading, will be withdrawn.
There are no concrete details about what the “new” data protection laws will look like. Ms. Donelan said, “Our plan will protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely. And I can promise you here today, Conference, that it will be simpler and clearer for businesses to navigate.”
Following the speech, the UK’s regulator for data protection, the Information Commissioner’s Office, released a statement on Twitter saying, “We are pleased to hear the Government’s commitment to protecting people’s privacy, preserving adequacy and simplifying data protection law.”
On 28 June 2021, the European Commission adopted adequacy decisions in respect of the UK that allows personal data to flow freely between the UK and the EU, as the UK has been deemed to offer an equivalent level of protection to personal data to that in the EU. Any divergence will need to carefully navigate the waters of data protection to ensure that the UK’s adequacy decision is retained. For many organisations, it will be essential that the free-flowing sharing of personal data (including employee and customer data) between the EU and the UK remains intact.
The UK’s current adequacy decision status is expected to last until 27 June 2025. It is expected that the European Commission will begin to review this in 2024, at which time it will then make a decision whether to extend the adequacy decision for the UK for a further maximum period of up to another four years. If the UK does not receive such an extension, then the current decision will expire on 27 June 2025.
It should not be forgotten that the European Commission monitors developments in the UK on an ongoing basis to ensure that the UK continues to provide an adequate level of data protection, and so any material changes to our data protection laws are likely to bring the UK’s adequacy status under the microscope sooner than 2025.
For any organisation that relies on the UK’s adequacy decision with the EU, developments will need to be carefully monitored.