New plans for a GDPR replacement have divided Britain’s tech sector
The UK has finally unveiled plans for its GDPR replacement: the Data Protection and Digital Information Bill (DPDIB). Introduced in Parliament last week, the bill aims to boost economic growth while protecting privacy.
The proposed rules promise to reduce paperwork, slash costs, foster trade, and (please, Lord) cut down on cookie pop-ups. They also controversially claim to produce savings of more than £4 billion over 10 years (more on that later).
The shadow of the UK’s withdrawal from the EU looms large over the plans. In its pitch for the bill, the government pledges to unleash an elusive Brexit dividend.
“Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain,” said Technology Minister Michelle Donelan in a statement. “No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR.”
That’s the plan, at least — but it’s already proved divisive.
Cutting red tape
Data-driven trade makes a massive contribution to the UK’s coffers. In 2021, it generated an estimated £259 billion and 85% of British service exports.
The DPDIB envisions further rewards from simplified legal requirements.
“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next-generation technologies, create jobs, and boost our economy,” said Donelan.
All data regulations have to balance protecting people and promoting innovation. Under the GDPR, many companies became frustrated with the bureaucratic burdens. The DPDIB aims to tip the scales back towards business benefits.
“It was essential to clarify confusion and simplify administrative burdens.
Chris Combemale, CEO of the Data and Marketing Association (DMA), collaborated with the government on the new rules. He expects the bill to provide “a catalyst for innovation,” while maintaining the privacy protections needed for consumer trust.
“It was essential for the bill to safeguard the key ethical principles of existing laws, while clarifying areas of confusion and simplifying onerous administrative burdens on small businesses,” Combemale tells TNW via email.
The lighter regulatory load is proving popular. Businesses have welcomed the simplified requirements for recordkeeping, processing personal data, and automated decision-making, as well as the ability to reject data access requests that are “vexatious or excessive.” Praise has also been heaped on the new framework for digital IDs, extra resources for the UK’s data watchdog, and increased fines for nuisance calls and texts.
Chris Vaughan of Tanium, an endpoint security company, says the new rules are more straightforward than the GDPR.
“One major benefit brought by the new law is the reduction in business costs that GDPR creates — made even more welcome as organisations continue to struggle in the current economic landscape,” Vaughan tells TNW.
Relaxing rules, however, can also increase risks.
Critics warn that the new laws will endanger citizens. Upwards of 30 civil society groups have called for the bill to be dropped over concerns it will weaken data protection and harm marginalised groups.
Colin Hayhurst from Mojeek, a privacy-based search engine, is particularly troubled by the reduced accountability for “low-risk” data processing. He also worries that the bill is legislating too many complex issues at once.
“My concern is that critical issues around innovations like AI will simply not get enough scrutiny or thought,” says Hayhurst. “It’s worth noting that the EU considers AI regulation such a complicated and important subject that it has an entirely separate bill dedicated to the matter.”
Hayhurst is particularly struck by the implications for AI in research. The new bill gives commercial organisations the same freedoms as academics for any data processing for research “that can reasonably be described as scientific.”
This could create big opportunities for businesses building AI with data collection. But it could provide even more power to large companies with research arms, such as Google’s DeepMind and Meta’s FAIR.
“Big tech companies with research groups can continue to harvest and use all the personal data they have, to train AI in their research activities,” says Hayhurst. “All of this comes with risk; and unfortunately, this risk is overwhelmingly going to be shouldered by those whose data is fed into the machine, rather than the companies themselves.”
To mitigate the risk, rules on responses to data access requests could be tightened — particularly when the data creates profit. A one-month deadline for replies may be appropriate for small companies, but not for global corporations with warehouses full of supercomputers.
“There is an irony that companies are able to make it incredibly easy for themselves to collect data on a person and then very difficult for the person who owns the data to find out what data a company holds on them!” says Hayhurst. “This is one area where a ‘one size fits all’ approach doesn’t deliver for consumers.”
The digital economy
Despite his misgivings, Hayhurst acknowledges that the government has responded to feedback. Notably, a proposal to drop the balancing test for a “limited, generic, but exhaustive list of activities” has not made it into the final text. However, concerns remain that businesses will be held to lower ethical standards.
Critics are particularly wary of the reduced requirements for oversight, recording, and user control of data processing. There is also extra room for data processing without an individual’s consent. These changes could leave the public both more at risk and less confident in the digital economy.
“The government is selling out personal privacy for business benefits.
“If businesses aren’t aware of how much data is being collected, what for, and the implications of its use, how can they expect consumers to trust them with such information?” asks Angel Maldonado, CEO of e-commerce firm Empathy.
Michael Queenan, CEO and co-founder of Nephos Technologies, takes the criticisms a step further.
“The government has decided to sell out personal data privacy for business benefit and innovation,” Queenan tells TNW. “Why else would it remove important, already adopted, global data protection steps?”
One motivation may be the potential savings. As previously mentioned, the reforms are predicted to unlock £4.7 billion for the UK economy. But evidence for this claim is hard to find.
The government references the figure with a link, which has been broken since we first saw the announcement. The source can be found via the Wayback Machine, but the estimate it links was published back in July 2022 — when a different version of the bill was introduced. Critics suspect that the £4.7 billion estimate has little basis in reality.
“Contrary to saving businesses billions, the bill could result in higher compliance costs and administrative burdens for businesses that operate in multiple jurisdictions,” says Shaun Hurst, Principal Regulatory Advisor at regtech firm Smarsh.
Divergences from the GDPR are a recurring theme in pitches for the DPDIB. The government has emphasised the benefits of these deviations, but they also threaten data transfers with the EU.
The UK currently has EU data adequacy status, which protects the flow of data between both jurisdictions. MEPs, however, have taken issue with Britain’s planned reforms. If they decide that the new bill doesn’t meet the requisite standards, the adequacy agreement could be lost.
As a result, companies selling in both the UK and EU would have to comply with two sets of laws. Tech giants may be reluctant to develop product and policy variations for a new regime, while domestic firms could consider relocating to the union.
“Being released from red tape will only be a benefit if business continues to be able to work with European citizens and their data across borders by taking advantage of the adequacy ruling that has applied to the UK since Brexit,” says Amanda Brock, CEO at OpenUK, a non-profit that represents open technology.
The government has, however, publicly stressed the importance of maintaining data adequacy. Some privacy experts are also confident that the new measures will fulfil the EU’s requirements. Yet even if the UK retains data adequacy, firms that trade in the EU must meet the GDPR standards. Consequently, the main beneficiaries of the new regime may be companies that only operate in the UK market.
“I think these so-called ‘savings’ will never materialise for most businesses,” says Farhad Divecha, founder of AccuraCast, a London-based digital marketing agency. “If you have visitors from Europe or do business with Europe, you still have to comply with GDPR. So if anything, we’ll end up having more complicated requirements that differ for your customer base in the UK versus in Europe.”
Nonetheless, the departure from the GDPR could have positive global outcomes. Ilia Kolochenko, the founder of security firm ImmuniWeb and a member of Europol’s Data Protection Experts Network, hopes the bill can influence the EU’s rules.
He fears that businesses are struggling with GDPR fatigue, inconsistent enforcement across member states, and the growing costs of formalistic compliance.
“European companies would gain a significant competitive advantage on the global market if European GDPR goes through a similar set of improvements and simplifications,” says Kolochenko.
“If the trend of overregulation persists, we will probably see massive and deliberate non-compliance, as costs and penalties for non-major infringements will likely be much less important than costs of a holistic implementation of the mushrooming EU cybersecurity regulations and directives.”
It’s a valiant call for balance, but one that’s unlikely to gain consensus approval — just like every other argument on data protection. Despite these deep divisions, there’s surely at least one thing on which we all can agree: “DPDIB” is a hideous acronym.