On October 3, the UK’s newest Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan, affirmed the UK government’s intention to move away from the European Union’s General Data Protection Regulation (GDPR).
The UK government has already proposed legislation, the Data Protection and Digital Information Bill (“Data Reform Bill”), to replace the GDPR. According to the UK, the Data Reform Bill would offer “the same high data protection standards” while giving organizations “more flexibility to determine how they meet these standards.” This flexibility would purportedly come from “a clampdown on bureaucracy, red tape and pointless paperwork” which the UK government feels is commonly incurred under the GDPR.
The main changes from the proposed Data Reform Bill include:
- Small businesses will no longer be required to appoint a Data Protection Officer (“DPO”) or undertake data protection impact assessments (“DPIAs”).
- Increased fines would be assessed for “nuisance calls and texts and other serious data breaches under the UK’s existing Privacy and Electronic Communications Regulations (PECR).”
- A new opt-out model for cookie consent (cookies being defined by the UK as “the data points which allow sites to remember information about an individual’s visit”) would be established, which would “heavily reduce the need for users to click through consent banners on every website they visit – meaning that people will see far fewer of the frustrating boxes online.”
- A clear framework for the objectives of the Information Commissioner’s Office (ICO) would be established and, in conjunction, the ICO would appoint a chair, chief executive, and a board “to make sure it remains an internationally renowned regulator.”
- The scope of scientific research will be more clearly defined to “give scientists clarity about when they can obtain user consent to collect or use data for broad research purposes.”
According to previous digital secretary Nadine Dorries, under the proposed Data Reform Bill UK businesses and researchers would be able to more easily “unlock the power of data to grow the economy and improve society” whilst retaining the UK’s “global gold standard for data protection.” In addition, those outside of the EU would benefit by being able to conduct their business with the UK without “being held back by a lack of clarity and cumbersome EU legislation.”
The second reading of this proposed bill before Parliament, which was scheduled for September 5, was canceled after Liz Truss was appointed as the new Conservative party leader and prime minister. Following this appointment, Dorries’s replacement, Donelan, indicated at the Conservative Party Conference that enactment of the Data Reform Bill was being paused, as the UK would “be replacing GDPR with our own business and consumer-friendly, British data protection system[.]”
At this time, there have been no details disclosed about this system. However, according to a statement by Donelan in Forbes, this system would be simpler and clearer for businesses to navigate, without being “shackled by lots of unnecessary red tape.”
Many commentators have taken issue with this claim by Donelan. According to Labour MP Chris Bryant, the creation of this system is likely to create more red tape, as “UK companies will still have to abide by GDPR if they want any online business in the European Union (as other non-EU companies already do).” As such, Bryant claims, “UK divergence will simply mean UK double costs[.]”
This concern has been echoed by several industry stakeholders quoted by Computer Weekly. According to Anthony Drake, director of technology advisory for ISG, the purported mutual benefit of this system to both businesses and consumers is “more of a headline generator than anything meaningful for business[,]” as “[t]he introduction of new, competing regulations will do little to lessen the burden of red tape.”
Donelan has rejected these concerns. Reportedly, the UK will be looking “to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand.” Donelan stated that the UK will be “involving [businesses] right from the very beginning, starting in the design so that together we can create a tailored, business friendly system—one that protects the consumer, protects data adequacy, increases the trade and that also is a good data protection system that enables us to create an increased productivity and enables us to avoid the pitfalls of a one-size-fits-all system[.]”
In addition to the lack of clarity on how the reformed data protection regime might operate, the UK government also has not indicated when it might be implemented. According to a statement by Natalie Cramp, Chief Executive Officer (CEO) of data science firm Profusion, “We could see the Conservatives passing this legislation in 2024, a Labour government confirming that GDPR will remain, or an entirely different approach which may not be finalized until 2025 or beyond.” As such, affected businesses should continue to monitor the progress of the new system and the UK government’s official statements surrounding its enactment.