Is this goodbye to the UK GDPR

DCMS Minister Michelle Donelan's announcement this week that the government intended to replace the GDPR came as a surprise to most. She stated "We will be replacing GDPR with our own business- and consumer-friendly British data protection system… it will be simpler, it will be clearer, for businesses to navigate. No longer will our businesses be shackled by lots of unnecessary red tape… . In its place, we will co-design with business a new system of data protection. We will look to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand."

To understand why this statement came as a surprise to data protection practitioners, we need to take a few steps back: one of the final acts of Boris Johnson' government before the parliamentary summer recess was to publish the Data Protection and Digital Information Bill ("Bill"). This proposed overhaul of UK data protection law had been a few years in the making and came off the back of an in-depth public consultation. The timing was unexpected: it was released just a few days before Parliament's summer recess started and as part of Boris Johnson's handover, he should have only be proceeding with "essential business" and should not have been moving forward with "new action of a continuing or long-term chapter".

The text of that Bill did not, in our view, live up to some of the hype which preceded its publication. Rather than a radical overhaul of UK data protection law, the Bill merely amended certain provisions of the UK GDPR, seeking to soften some of the prescriptive requirements. We discussed these changes with a group of DPOs and market representatives who were invited to an Ashurst roundtable discussion on 8 September 2022 . The overwhelming consensus was that the draft would achieve very little in practical changes. For further information on the key changes proposed in that Bill and our discussions at that Roundtable, please see here.

Two notable events then happened in September: (i) the Bill's passage through Parliament was paused “to allow ministers to consider the legislation further”; and (ii) Business Secretary Jacob Rees-Mogg announced the Retained EU Law (Reform and Revocation) Bill ("Reform and Revocation Bill").

The Reform and Revocation Bill would amend the European Union (Withdrawal) Act 2018, which was the basis for the incorporation of EU law, notably the GDPR, in the UK post Brexit and would effectively revoke any EU-derived subordinate legislation and any retained direct EU legislation unless specifically listed under retained law. The question was therefore, would the GDPR make the list? And does Donelan's announcement on Monday give us an indication that any new law would no longer be based on the GDPR? If it does, what does this mean for UK adequacy and the free flow of data from the EU?

There are broadly two options as to the fate of the GDPR in the UK.

Option One – The UK does away with the UK GDPR and rewrites UK data protection laws completely

This would appear to be the vision of the new government, but we think the reality of doing this would be fraught with difficulty. The previous government's Data Protection and Digital Information Bill had sought to "seize the benefits of Brexit” by updating and simplifying the UK’s data protection framework and removing the red tape and administrative burden on businesses. See our analysis here as to why businesses did not believe that Bill would have reduced the administrative burden. In fact, the general consensus from many of our clients with Pan-European operations is that any substantial divergence from the EU could potentially increase the costs of compliance.

Option Two: The Bill is kept in its substantive form

Although they may be loathed to admit it, the vision of the previous government and the latest announcement from DCMS on data protection law were aligned. They both sought to cast off the shackles of EU data protection laws and form a new and more business friendly regime. The sub text from Donelan's announcement appears to be that she does not think that the Bill delivered on that original promise under Boris Johnson.

If the Bill were to continue through Parliament in its substantive form, then it would be very hard to argue that this Bill has "replaced the GDPR". The Bill does not replace existing UK data protection legislation and instead amends the UK GDPR and DPA 2018.

It is worth noting however, that the Bill was a result of an in-depth consultation by DCMS over the last 12 months. We do not know yet whether DCMS intend to consult again.

The elephant in the room remains how DCMS will achieve a rewrite that will keep the EU happy that personal data is sufficiently protected when on UK shores and protect the UK's adequacy determination.