UK to scrap parts of “irritating” GDPR: are the plans workable?

New post-Brexit blueprints risk the UK becoming a pariah state as its consumer data becomes incompatible with the rest of Europe. Will cutting cookie pop-ups be worth it, or will reducing complexity prove too complicated?

The UK government has outlined plans to roll back data protection obligations and cookie consent boxes in an attempt to boost business and research.

In a statement, the UK Department for Digital, Culture, Media and Sport said the planned Data Reform Bill will cut “burdens on businesses to deliver around £1bn in cost savings” over ten years.

However, the costs to UK businesses, through potential new compliance costs and trade lost with international audiences due to data incompatibility, could dwarf those gains.

For performance marketers, having to cater for two sets of rules across major territories could prove an additional resource burden in terms of targeting audiences.

‘Seize the benefits of Brexit’

The announcement criticised the EU’s “highly complex” General Data Protection Regulation and promised a “clampdown on bureaucracy, red tape and pointless paperwork” to “seize the benefits of Brexit.”

Key points of the plan:

  • SMEs will no longer be required to have a data protection officer and fill out “lengthy impact assessments.”

  • Internet users will be given the option to opt out of the collection of tracking cookies, rather than needing to opt in.

  • Increased fines for the perpetrators of nuisance calls and texts

  • Researchers will not need to be as specific about why they’re collecting data: they could rely on a previous consent, rather than getting a new approval for their particular study.

  • The government can exert more control over the country’s data watchdog, the Information Commissioner’s Office (ICO)

Google, Microsoft and Mastercard offer advice

    The government’s International Data Transfer Expert Council, made up of global experts on data, will play a major role in implementing the new laws if they are passed.

    The group, which combines academics, organisations such as the World Economic Forum and the Future of Privacy Forum alongside digital industry figures including Google, Mastercard and Microsoft, will be empowered to remove barriers to data flows and ensure services from smart devices to online banking can be provided more reliably, cheaply and securely.

    John Edwards, UK Information Commissioner, said: “Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.”

    Under the new government plans, Nadine Dorries, DCMS Secretary of State, will now get to approve ICO statutory codes and guidance before they are presented to parliament.

    Digital Secretary Nadine Dorries said: “Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.”

    Asking for browser-level compliance from the industry

    To make the automatic opt-out work for consumers, the government plans to force web browsers and websites to adopt a browser-based ‘do-not-track’ signal as the standard.

    “In the future, the government intends to move to an opt-out model of consent for cookies placed by websites,” the consultation response states. “In practice, this would mean cookies could be set without seeking consent but the website must give the web user clear information about how to opt out.”

    “This would allow the government to realise its ambition to improve the user experience and remove the need for unnecessary cookie consent banners. The opt-out model would not apply to websites likely to be accessed by children.”

    Maintaining a free flow of data with Europe?

    As Britain diverges from the European Union, the move risks jeopardising a key deal signed last year guaranteeing data flows between the UK and the continent, which has a clause allowing for regular reviews.

    The problem remains that the UK is planning to remove cookie pop-ups for UK people, of which there are just 80 million, while service operators will still have to use them for European people, of which there are 500 million.

    If the UK diverges too far from EU data protection rules, it risks being burdened with extra admin costs. Just the pure compliance costs of a loss of EU adequacy have been estimated at between £1bn and £1.6bn, which would wipe out any savings to businesses immediately.

    The assessment of the economic impacts if the UK is deemed a third country under EU data rules has been carried out by the New Economics Foundation (NEF) think tank and UCL’s European Institute research hub — with the researchers conducting interviews with more than 60 legal professionals, data protection officers, business representatives and academics from the UK and EU.

    The group estimates that the average compliance cost will be £3,000 for an affected micro business, £10,000 for a small business, £19,555 for a medium business and £162,790 for a large business.

    In response, a DCMS spokeswoman said that “as the Commission itself has made clear, EU adequacy decisions do not require countries to have the same rules. Our view is that these reforms are fully compatible with maintaining the free flow of personal data from Europe.”

    Less choice for consumers, more leniency for law breakers?

    In a blog post reacting to the proposals, Mariano Delli Santi, Legal and Policy Officer at Open Rights Group, said: “According to what the Government have announced, individuals would lose protections against discrimination and abuses, only to get less choices in return. Dodgy businesses would get their licence to be malicious, reckless, and to launder your personal data overseas, far from your eyes and those of the Regulators. The cherry on the cake, the Information Commissioner’s Office (the Regulator) would be co-opted by the same Government they should keep an eye on.”

    Delli Santi added: “Finally, the (welcomed) support for binding privacy signals that would allow internet users to opt-out automatically via their browsers does not mitigate the fundamental erosion of individuals’ online privacy and right to choose, nor for the harms they would be exposed to because of the ‘do first-apologise later’ approach the UK Data Reform Bill would unleash.”

    “Pushing the onus on technology providers, who have an inherent motivation to time scales in their favour”

    Commenting on the introduction of the bill, Farhad Divecha, MD and Founder of AccuraCast, said: “The implementation of the new data laws sounds very modern, as it is keeping up with proposed browser changes, and is consumer focused, as it is removing the need for annoying consent banners for UK visitors. It also talks about being internationally trade friendly too for businesses.”

    “This is good, but it's likely to draw criticism for a few reasons:

    • it's pushing the onus on technology providers, who have an inherent motivation to time scales in their favour

    • it's opening up potential loopholes where unscrupulous businesses can harvest all sorts of data under the umbrella of planned research

    • it's moving focus away from privacy, pushing it behind the scenes.

    “Most importantly, while moving away from pointless banners is attractive, international companies in the UK will be mindful that this could trigger cross-border data-sharing restrictions when moving their data to and from the EU. As a result, in reality, unless the EU also amends GDPR and moves to a more modern approach to privacy control, few of these changes will matter to businesses, unless they only cater to a UK audience.”

    Seeking data partnerships further afield

    A ruling by the EU court in 2020 invalidated the EU-U.S. Privacy Shield transatlantic data transfer mechanism, which suggests the UK Data Reform Bill would suffer the same fate.

    The EU court also ruled that the most used alternative for international transfers (a legal tool called Standard Contractual Clauses, aka SCCs) must face proactive scrutiny from EU regulators when data is flowing to third countries where citizens’ information could be at risk.

    To try and offset any loss to European markets, the UK government looks set to woo countries further afield with less strict user data laws.

    In a statement, the government said it “continues to work closely with international partners on data adequacy deals with priority countries, including the United States, Australia, the Republic of Korea and Singapore.”

    The government has previously confirmed it will introduce the data reform bill in the current parliamentary session.