The UK’s new post-Brexit data legislation could face further delays after a Department for Culture, Media and Sport (DCMS) official confirmed further consultation into the Data Protection and Digital Information Bill, which is set to replace the EU’s GDPR.

The adequacy agreement with the EU, which allows data to flow between Britain and Europe, will be “at the heart” of the finalised bill, Owen Rowland, deputy director for domestic data protection policy at the DCMS, said. This news will be welcomed by businesses, with DCMS secretary Michelle Donelan having previously indicated more radical reforms could be on the cards. Such a move may have put the adequacy agreement at risk.


Rowland told a Westminster Forum event on data in the UK on Monday that “data adequacy with the EU is at the heart of the approach we are taking going forward”.

But he confirmed further consultation on the Data Protection and Digital Information Bill will be held in the coming weeks, which could delay its return to parliament. He said ministers “need space to work with all groups to check we go as far as we can to enable growth and innovation while protecting high standards and maintaining our parallel policy objective of looking after EU adequacy and doing so as quickly as possible”.

DCMS published the new bill in July, saying it was designed to “update and simplify” the data protection framework in the UK and take advantage of no longer being in the EU. Though details appeared to have been finalised, work on it was “paused” last month when it was about to have its second reading in the House of Commons. The brakes were applied following Liz Truss’s appointment as prime minister, with a DCMS insider telling Tech Monitor this was to allow new ministers time to consider its contents.

Donelan then used her speech at the Conservative Party Conference to suggest changes to the bill were likely to be made. “I am announcing that we will be replacing GDPR with our own business and consumer-friendly, British data protection system,” she said, adding that she would work with businesses to draw up the new rules.

Why is the UK’s EU data adequacy agreement important?

The more the UK diverges from GDPR, the more likely it is that its adequacy agreement with the EU will be undermined. The adequacy process ensures that third-party countries wishing to share data with EU-based companies and organisations have an “essentially equivalent” level of data protection to GDPR.

When the UK and EU reached an adequacy agreement last year, the EU included a “sunset clause”, which allows Brussels to terminate the agreement after four years. The European Commission is also monitoring data laws in the UK, and can withdraw the adequacy decision at any time if Britain “deviates from the level of protection currently in place”.

Any withdrawal of adequacy would cause problems for businesses which operate in the UK and Europe and share data between teams, while business leaders have also expressed fears about the costs involved in changing to a significantly different data regime.

For its part, the UK government has always maintained that the Data Protection Bill would meet the adequacy requirement, as the EU doesn’t require an exact replication of GDPR, but rather an equivalent level of protection of the data being held. However, questions remained, particularly around any updates or amendments that might be made.

Speaking during the Westminster Forum event, which was held virtually, Rowland said the goal was that any company or organisation wishing to follow GDPR would be in compliance with new UK data laws. “If you want to stick with what you are doing in terms of EU compliance then you can do so and still be consistent with what will be required in the UK, but for a lot of businesses there is a lot to be gained by complying with the UK context,” he declared. He added that “in terms of compliance you can follow EU legislation and be compliant with the UK legislation”.

He said the aim of the UK legislation was to trigger growth and take a risk-based approach to data regulation that was more pro-business while maintaining high standards of data protection.

Data Protection Bill: more changes on the way?

It is unclear exactly how different the final bill will be from the one presented to parliament earlier this year as it is currently being reviewed by officials, ministers and professionals ahead of a new public consultation in the coming weeks.

The initial consultation on the bill caused controversy, with civil rights groups saying they were excluded and describing the process as “rigged” and potentially unlawful.

Maintaining adequacy has likely become a key priority for DCMS after estimates revealed the cost of losing that status would be between £190m and £460m in one-off costs and an annual cost of between £210m and £410m in lost export revenue.

“There are ongoing discussions with the EU commission, and we will continue to update them on our future plans,” Rowland explained when asked about whether the EU expressed concern about any future amendments or changes to the bill. “We are confident we are taking a considered and careful approach while being ambitious in ways we can safely make the regime more pro-growth.

“We didn’t feel there were any red lights flashing when we introduced the bill. We are really keen to keep talking to them, particularly when we have ministerial decisions when we want to go further and will assess adequacy risks in an ongoing way and in all areas.”

He said personal data rights would also be central to the new legislation, with people being given an opt-out over smart data uses among other protections.

“The heart of any system that wants to use data to drive innovation and growth has to be trust and accountability,” he said. “Gaining trust in this future British data protection regime is vital. In terms of smart data, sharing information is voluntary and the new regime will continue to facilitate opting out for individuals in a simple way.”

Simplifying the opt-out process

Rowland said the government plans to simplify the process for opting out of data sharing.

Cassie Smith, head of legal, trust and ethics at the National Institute for Health Data Science, told the event that opt-outs are important for building trust and are already widely available in the health data sector, but that they should come with an explanation of the benefits of sharing data.

“I do think opt-outs are part of the solution to enabling public trust,” she said. “This needs to be coupled with true information on pros and cons. In the health space if you opt out of having data shared it doesn’t tell you the benefits you could be enabling in terms of research. If we have wider use of opt-out for data we have to communicate pros and cons on both sides.”

Emily Keaney, director of legislative reform at the Information Commissioner’s Office (ICO), told delegates that the ICO is closely monitoring the development of the legislation to ensure individuals have confidence in its application.

“It is vitally important to maintain public trust, not just helping individuals feel confident their data is protected but also as it allows them to be happy sharing data and in turn participate in the wider digital economy, drive growth and drive innovation,” she said.

A DCMS spokesperson said: “As we have said previously, the second reading of the Data Protection and Digital Information Bill was postponed to allow new ministers to consider the legislation. We will continue to engage with businesses and civil society to ensure the regime works for all, but this won’t take the form of another formal public consultation and will not affect the timeline of the Bill.”
