The General Data Protection Regulation (known to everyone as the GDPR) is probably the most famous piece of legislation to come from the EU. It was and is incredibly ambitious in its scope, and shapes the way we engage with organisations both online and in the real world. When the UK formally withdrew from the EU, GDPR became retained EU law and continued to apply as before. The government have recently announced that they want to reform data protection legislation, but substantial deregulation might be an unrealistic ambition.
It was unsurprising that in the immediate aftermath of “Brexit” the data protection regime in the UK remained substantially unchanged. One of the consequences of leaving the EU was that the UK became a “third country” for the purposes of data protection. To prevent an interruption of data flows between the UK and member states it needed to demonstrate to the European Commission that it had adequate safeguards in place to protect personal data. Mirroring the EU’s data protection regime was the easiest way for the UK to do this. On 28 June 2021 the European Commission adopted an adequacy decision in respect of the UK, which allowed personal data to continue to flow freely between the UK and the bloc.
When announcing the appointment of a new Information Commissioner last week, the Digital Secretary Oliver Dowden told the Telegraph that the UK was changing tact on data protection, and looking for a break from the EU approach. He described reform of data protection rules as "one of the big prizes of leaving" the EU and stated that data should be regulated in “as light a touch way as possible”. His talk on reform was light in detail. He referenced changing the rules on cookie pop-ups, (which are regulated by the Privacy and Electronic Communications Regulations) and gave little else away.
If Mr Dowden’s comments are more than just posturing, he may face considerable challenges and opposition. The EU’s adequacy decision on data protection is time limited and will expire in four years. It can be revisited sooner if the European Commission feels that the UK has changed their regime to erode protections. Substantial changes to the way privacy is protected in the UK could lead to uncertainty about whether the EU will renew their adequacy decision, the suspension of it, or even its repeal. If the EU’s adequacy decision expires or is repealed organisations would face a new domestic regime that is less onerous, and a process for sharing data internationally that is more cumbersome.
In our interconnected world people may not favour making that trade off. Internationally minded organisations would need to look again at how to maintain their flows of data. Organisations that have a UK focus may not have to make the same compromises, but could begrudge having to look again at data protection compliance. GDPR had a seismic impact on the way data protection is dealt with in the UK, presented an organisational challenge to many different bodies, and to some extent is still in the process of bedding in.
Further information
Should you have any questions about any of the issues covered in this blog, please contact Fred Allen or contact any member of our public law team.
About the Author
Fred Allen is a senior associate within the Public Law Department and International Crime Group. He has worked on a range of public law challenges and matters including public inquiries, inquests, judicial review proceedings and tribunal appeals.
Join the conversation
