A new UK GDPR. But how new will it be?

9th March 2021 Commercial Litigation

With the Information Commissioner, Elizabeth Denham, leaving her role in the Autumn much is being made of the possibility of change to the data protection rules governing UK business. This is particularly prompted by comments made by the Culture Secretary to the Financial Times and picked up elsewhere. In some quarters this has been breathlessly reported as a veritable bonfire of onerous data protection rules leading to a brave new post-Brexit data free-for-all for UK business.

In fact, I would suggest that change is likely to be relatively small and more in the details than in the broad strokes. First, the comments made the Culture Secretary are much less significant than might be perceived. He merely said that we were not bound by the EU rulebook. This could encompass a range of options from the relatively modest changes that have been made to the GDPR already to a wholesale replacement with new legislation. I suspect it will be the former rather than the latter. In fact, the ICO has already embarked on some changes as it looks to produce more of its own guidance rather than relying on guidance generated by the EDPB, the European central data protection body. The fact that a lot of this guidance will probably look the same as that generated by the EDPB says as much about the fact that there are only so many ways to do data privacy as it does about the fact that the ICO is grossly under-resourced.

Second, as I have indicated the ICO, in common with many European data protection regulators has nowhere near the right level of resources to manage an entire data protection regime alone. This is implicitly recognised in the Withdrawal legislation and the amendments made to the GDPR. As at the date of departure we cease to be bound by guidance from EU bodies and future decision of the CJEU. However, it is open to UK courts to continue to have regard to this guidance and these decisions. The reality is that they will continue to do so as they will have little choice in the matter. They will have very little else to go on. In practice, business will also have little choice but to continue to have regard to the guidance issued by the EDPB and this will end up being reflected in court decisions in the UK as the Courts will themselves be influenced by usual business practices. Finally, the reality is that the ICO will be influenced by that guidance as well, not least because data is an international business and has fostered an increasingly international approach to its regulation.

Third, as I have just pointed out, data is an international business. The UK might seek to do its own thing but ant UK business that deals with EU nationals will have to comply with the EU GDPR regardless of what the UK does and will continue to need to have a GDPR representative in the EU. So if the UK diverges too far from the EU it will add significant cost to businesses that deal with EU customers and they will have to consider if they would be better served by moving out of the UK and processing data under EU rules. In addition, other jurisdictions have or are moving to GDPR-like regimes. California has passed privacy legislation which firms outside California must comply with if they wish to handle data from Californian citizens. India, a particular darling of the current government, is working towards its own data privacy legislation which has a strong GDPR flavour. For the UK to do something totally different would be of far less value to business as they would then need to comply with more than one data regime. In addition, the data adequacy arrangement that the EU has approved in draft form relies on the UK having a data regime that is similar in nature to that of the EU. The more we seek to diverge from this then the greater the risk that the data adequacy decision will be challenged. The ongoing nightmare of EU-US data adequacy decisions and the various Schrems cases should be a salutary lesson of the risks of relying on a data adequacy decision that might be overturned by the EU courts at any moment.

The fact is that the UK is likely to remain closely allied to the GDPR. Not just because of the reasons I have set out above but rather because it is a regime we have considerable time and energy invested in and business would be better served by not having to move to another new data regime. The ICO will likely create its own guidance on a lot of areas that the EDPB currently covers. In doing so a degree of modest divergence is possible and is likely. The GDPR always relied heavily on guidance, as befits a complex and fast-moving subject, and this allows for considerable latitude for the UK to diverge from the EU in a modest way. A replacement regime is something that Parliament and the ICO, never mind business, is likely to find too much to swallow given the inevitable complexity and detail involved in such legislation.

UK business should continue to invest in the GDPR and keep its eyes closely on the ICO and the development of its post-Brexit guidance. However, many businesses will also want to keep their eyes on the EDPB as well to ensure that they are properly serving the data requirements of their EU clients.

We're Social

David Smith is a Partner located in Londonin our Commercial Litigation department

View other posts by David Smith

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest