The government’s recent announcement that it will ‘replace’ GDPR and pause the Data Reform Bill, has raised fresh questions about the UK’s EU data equivalence, according to a leading tech and data lawyer.
Dr Sam De Silva, Chair of BCS, The Chartered Institute for IT’s Law specialist group and partner at international law firm CMS, warned that UK business may find themselves having to potentially ‘comply with two regulatory regimes’ following the legislation.
Dr De Silva said: “At the moment, the UK has the benefit of an EU adequacy decision that allows the free flow of personal data from the EU to the UK. However, that adequacy decision requires the EU Commission to continuously monitor developments in UK law in order to assess whether the UK still provides ‘essential equivalence’.
More from Tech
- Reddit Is Now “Expert Advice” According To Google – And Your SEO Strategy Needs To Catch Up
- What Are The Updated Rules Around EU And UK Tech Licensing?
- Building A UK Broadband Accessibility Index: What The Data Reveals About Fibre Rollout
- The Inventor Of The Roomba Thinks The Next Big Thing In Robotics Is Feelings
- The Industry That Gave Us Doom Scrolling Wants To Save Us From It – Experts Discuss Whether That’s Possible
- Should Your Doctor Have To Disclose When They Used AI To Help Diagnose You?
- Studies Show A Link Between High Screen Time And Neural Impairments: Is The Issue The Screen Itself, Or What Screen Time Replaces?
- How To Choose The Right Antivirus Software For Your Needs
“What this means is that significant deviation from the GDPR will risk the UK losing its adequacy. Interestingly, DCMS Secretary of State, Michelle Donelan, made it clear in her recent speech that the intention is that the UK would retain its adequacy decision. It’s not clear how practical that is if the Government is aiming to fundamentally move away from the GDPR.”
He added: “We need more detail on what this means in practice. One interpretation is there are no plans to retain any aspect of the GDPR in UK law, and therefore the Data Reform Bill (currently paused) is now defunct – the reason being was the Bill appeared to only modify the GDPR in certain areas.
“It appears that the Government wants a ‘light touch’ approach to regulation, but it’s not clear what that would mean in practice. For example, would the UK law still ‘look and feel’ like the GDPR in substance and structure i.e. different obligations for controllers and processors, specific individual rights and accountability requirements?
“Or will the Government propose something completely new? Most UK businesses have been working with the GDPR for over four years and most have invested significant time and money establishing and operating their compliance programs. Of course, UK businesses that have customers in the EU will still have to comply with the EU GDPR notwithstanding what the new UK law is in place. The risk for UK businesses is that they will have to comply with two regulatory regimes. I expect that most businesses will continue to apply the stricter rules anyway.”
Dr De Silva said that lost profits are often cited by the Government (based on an Oxford University report) as a reason to remove GDPR – but urged caution in that conclusion for three reasons (as mentioned by the authors of that report):
- The negative impacts on firm performance we observe may partly reflect temporary adjustment costs.
- If the GDPR gradually becomes a global standard as more countries adopt similar regulations, companies targeting EU companies will become less disadvantaged over time.
- Any calculated estimates appear to be silent on its aggregate welfare effects, which are likely to account for potential benefits to citizens concerned with data protection.
