Work on the Data Protection and Digital Information Bill, the proposed post-Brexit replacement for GDPR in the UK, has been paused to allow ministers to re-examine the legislation, Tech Monitor understands. The news comes as new digital secretary Michelle Donelan used her speech at the Conservative party conference to hint that changes could be made to the bill.
Donelan, who was appointed secretary for the Department for Digital, Culture, Media & Sport (DCMS) when Liz Truss took over as prime minister last month, used her speech at the conference in Birmingham on Monday to re-affirm the government’s commitment to move away from EU’s legislation and create a data regime that will be “simpler and clearer” for businesses to navigate.
“I am announcing that we will be replacing GDPR with our own business and consumer-friendly, British data protection system,” she told delegates. “Our plan will protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely.”
She went on to say: “Our new data protection plan will focus on growth and common sense, helping to prevent losses from cyberattacks and data breaches, while protecting data privacy. This will allow us to reduce the needless regulations and business-stifling elements, while taking the best bits from others around the world to form a truly bespoke, British system of data protection.”
Is the government starting again with the UK GDPR replacement?
Donelan’s remarks were somewhat confusing given that the government has already announced its replacement from GDPR, the Data Protection and Digital Information Bill, as part of the Queen’s Speech in June.
It had been due to have its second reading in Parliament on 5 September, the day the result of the Conservative leadership contest was announced, but that debate was cancelled after Truss was named the victor. The postponement came as a surprise, given that DCMS had released a statement less than 24 hours earlier saying the debate would go ahead as planned, with the then digital secretary Nadine Dorries describing the legislation as “one of Brexit’s biggest rewards”.
At the time a DCMS spokesperson said the bill would continue its journey through the House of Commons “in due course”, but a source in the department told Tech Monitor this week that the bill had been “paused” to allow new ministers time to consider its contents, and that further information would follow in the coming weeks and months.
In her speech, Donelan suggested that further consultation on the shape of the bill was likely, saying: “I will be involving [businesses] right from the start in the design of a tailored, business-friendly British system of data protection.”
DCMS has already carried out a full consultation on the bill, though this proved highly controversial, with civil rights groups saying it was “rigged” and that the department acted unlawfully by not taking their views into account.
Tech Monitor has contacted DCMS for clarity on the role of businesses in designing the new UK data laws.
Could Data Protection Bill changes put EU data adequacy agreement at risk?
Fears have been raised that a move by the UK away from GDPR could risk the data adequacy agreement with the EU. This was agreed last year and allows data to flow freely across the channel, and is vital for many British businesses which work with European customers.
Donelan reiterated that the government believes it can maintain data adequacy when the UK leaves GDPR behind. “We will look to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand,” she said in her speech at the conference.
However, any moves to make the Data Protection and Digital Information Bill more divergent from GDPR could put the agreement at risk. When the proposed new law was announced earlier this year, Pete Church, counsel in the data team at law firm Linklaters, said that because the government had moved away from “radical suggestions, such as replacing the GDPR with an entirely new framework of citizen data rights,” the adequacy agreement was likely to remain in place.
“This is good news for data flows between the EU and the UK, as these more modest reforms mean the EU Commission is less likely to revoke the UK’s adequacy finding, which would have caused significant disruption,” Church said.
If the new government decides to follow a different path, this may not be the case. The UK’s adequacy agreement with the EU includes a “sunset clause”, which allows Brussels to terminate the agreement after four years. The European Commission is also monitoring data laws in the UK, and can withdraw the adequacy decision at any time if Britain “deviates from the level of protection currently in place”.