Data Digest: UK GDPR Overhaul


There has been big waves in the UK regarding data protection yesterday; the government revealed two significant announcements that may drastically change the UK’s privacy posture in the years to come. Here’s a quick rundown of the announcements and what they might mean for the future of the UK’s data protection and privacy laws.

Culture & Digital Secretary Oliver Dowden wants to overhaul UK GDPR to increase ‘trade and innovation’ post-Brexit.

The UK government announced that it intends to overhaul the UK General Data Protection Regulation (GDPR), following on from a recent statement by Oliver Dowden claiming that “we do not need to copy and paste the EU’s rule book.” 

The government have laid out their agenda in a statement released yesterday, announcing their intention to use data to “drive growth and create jobs while keeping high data protection standards.”

Whilst specific policy changes and actions have not been confirmed, Dowden has stated he wishes to do away with cookie consent banners upon entering websites. This raises the question of whether consent will be a priority for the UK data protection regime in the future.

It should be noted that consent for cookies is a provision under the Privacy and Electronic Communications Regulations (PECR) and not GDPR, which either suggests a misinterpretation of GDPR law or a potential thorough examination of all UK privacy and data protection related legislation.

Until recently, many major US companies such as the LA Times simply barred access to their websites by UK and EU visitors rather than becoming GDPR compatible. Suppose the UK is too heavy-handed in their modifications to data protection laws and regulations. In that case, there may be similar holdups for external visitors to UK-hosted sites during the transition.

Changes to the UK GDPR also have the potential to undermine the recent EU/UK Adequacy decision, which allows for the free transfer of data between countries with compatible and comparable data protection standards. The UK plans on rolling out its own adequacy scheme that prioritises South Korea, Australia, the US, Colombia and Singapore.

The EU/UK Adequacy decision is up for review in 2025, where it will be decided whether the UK retains its adequacy status. Until then, the European Commission has stated they will “continue to monitor the legal situation in the UK and could intervene at any point if the UK deviates from the level of protection currently in place.”

There is no mention of preservation of privacy rights in the statements currently released by the government; instead, the plan seems focused on driving business and economic objectives.

It remains to be seen exactly how these changes will be implemented but expect the data landscape in the UK to shift in the coming months.

John Edwards is set to take over from Elizabeth Denham as the UK’s next Information Commissioner.

The government have announced their frontrunner for the next Information Commissioner, New Zealand’s Privacy Commissioner John Edwards.

Edwards is expected to step into the role in October this year, following a brief extension to Elizabeth Denham’s 5-year tenure. The date to watch is September 9th, where he will stand before the select committee for Digital, Culture, Media and Sport for pre-appointment scrutiny.

Edwards has previously hinted at a willingness to take on Big Tech, as in the past he described Facebook “as morally bankrupt pathological liars who enable genocide (Myanmar), [and] facilitate foreign undermining of democratic institutions” in a deleted tweet. As he is set to join at a critical junction for UK data protection, it will be interesting to see if this sentiment will translate into action. Either way, Edwards is in an unenviable position – steering the UK through this tumultuous conversation around privacy and data protection is no easy task.  

As both announcements regarding the future of the ICO and the UK GDPR occurred in quick succession, it can be assumed that Edwards will be responsible for the new data protection regime. This sentiment is shared by Elizabeth Denham, who stated that Edwards would be expected to “implement any changes Parliament decides.”

Analysis: Best of Both Worlds?

There are two broad directions that the UK could go down here. On the one hand, many believe GDPR is too restrictive and overbearing, particularly for SMEs. Many in this camp see it as a leftover relic of the EU that is part of the ‘Brussels red tape’ problem that inspired many Leave voters. In this view, a UK data protection overhaul would be a win for Brexit and UK sovereignty, allowing for increased trade and innovation.

The other camp pertains that the UK should tread carefully with any changes to data protection laws; the EU adequacy agreement isn’t even three months old. The government is already ‘poking the bear’ and testing the boundaries of this agreement. It seems clear that the UK would like to achieve the best of both worlds – retaining its EU adequacy status whilst also implementing its own adequacy scheme for international data transfers.

The ‘Data Law Shake-up’ may turn out to be a ‘have our cake and eat it too’ scenario – the United States are one of the targets for a possible UK adequacy agreement. However, their federal data protection laws have recently been deemed incompatible with EU standards, as exemplified in the Schrems II decision in 2020. An adequacy agreement with America would require either US data protection laws to become stronger or the UKs to become more relaxed. Whatever happens, a US-UK data transfer partnership will be a legal minefield to navigate.

The government have so far only announced their intentions to come. With no concrete policy to examine yet, it is too early to say what this may mean for the future of the UK. Still, the populist rhetoric focusing on cookies suggests that the conditions of consent that underpin the entire basis of GDPR may be under fire in the name of convenience.

Whatever direction the UK decides to take, the government should tread carefully as not to tip the balance of data protection and data innovation too far in either direction.

Official Government statements: