The UK has finally unveiled plans for GDPR’s replacement: the Data Protection and Digital Information Bill (DPDIB). The bill, introduced in parliament last week, aims to boost economic growth while protecting privacy.
The proposed rules pledge to reduce paperwork, reduce costs, promote commerce and (please, Lord) reduce cookie pop-ups. They also controversially claim to deliver savings of over £4bn over 10 years (more on that later).
The shadow of the UK’s withdrawal from the EU looms large over the plans. In its pitch for the bill, the government promises to release an elusive Brexit dividend.
“Our system will be easier to understand, easier to comply with and to take advantage of the many opportunities of Britain after Brexit,” Technology Minister Michelle Donelan said in a statement. “Our businesses and citizens no longer need to get caught up in the barrier-based European GDPR.”
At least that’s the plan, but it’s already proven divisive.
Reduce red tape
Data-driven trading is a huge contributor to the UK’s treasury. In 2021, it generated an estimated £259 billion and 85% of UK service exports.
The DPDIB provides the further benefit of simplified regulatory requirements.
“Our new laws free UK businesses from unnecessary red tape to unlock new discoveries, drive next-generation technologies, create jobs and boost our economy,” said Donelan.
All data regulations must strike a balance between protecting people and promoting innovation. Under the GDPR, many companies became frustrated with the bureaucratic burden. The DPDIB aims to tip the scales back to business benefits.
Chris Combemale, CEO of the Data and Marketing Association (DMA), worked with the government on the new rules. He expects the bill to be “a catalyst for innovation” while maintaining the privacy protections necessary for consumer confidence.
“It was essential for the bill to protect key ethical principles of existing laws while clarifying ambiguities and simplifying heavy administrative burdens for small businesses,” Combemale tells TNW via email.
The lighter regulatory pressure is proving popular. Companies have welcomed the simplified provisions for archiving, processing of personal data and automated decision-making, as well as the ability to decline requests to access data that are “annoying or excessive.” There is also a lot of praise for the new framework for digital IDs, additional resources for the UK’s data watchdog, and increased fines for nuisance calling and texting.
Chris Vaughan of Tanium, an endpoint security company, says the new rules are simpler than the GDPR.
“A major benefit of the new law is the reduction in operating costs that the GDPR brings – which is even more welcome as organizations continue to struggle in the current economic landscape,” Vaughan tells TNW.
However, relaxing rules can also increase risks.
Critics warn that the new laws will put citizens at risk. More than 30 civil society groups have called for the bill to be scrapped over concerns that it will weaken data protection and harm marginalized groups.
Colin Hayhurst of Mojeek, a privacy-based search engine, is particularly troubled by the reduced liability for “low risk” data processing. He also worries that the bill addresses too many complex issues at once.
“My concern is that critical issues around innovations like AI just don’t get enough attention or get enough attention,” says Hayhurst. “It is worth noting that the EU considers AI regulation to be such a complex and important subject a completely separate invoice dedicated to the cause.”
Hayhurst is particularly struck by the implications for AI in research. The new bill gives commercial organizations the same freedoms as academics for any data processing for research “which can reasonably be described as scientific”.
This can create great opportunities for companies building AI with data collection. But it could give even more power to big companies with research arms, like Google’s DeepMind and Meta’s FAIR.
“Large technology companies with research groups can continue to collect and use whatever personal data they have to train AI in their research activities,” says Hayhurst. “All of this comes with risks; and unfortunately, this risk will largely be borne by those whose data is fed into the machine, rather than by the companies themselves.”
To mitigate the risk, the rules for responding to data access requests can be tightened, especially when the data generates profit. A one-month response time may be appropriate for small businesses, but not for global corporations with warehouses full of supercomputers.
“It’s ironic that companies can make it incredibly easy for themselves to collect data on an individual and then very difficult for the person who owns the data to find out what data a company has on them!” says Hayhurst. “This is an area where a ‘one size fits all’ approach doesn’t work for the consumer.”
The digital economy
Despite his misgivings, Hayhurst acknowledges that the government has acted on feedback. In particular, a proposal to drop the balancing test for a “limited, generic, but exhaustive list of activities” did not make it into the final text. However, concerns remain that companies will be held to lower ethical standards.
Critics are especially wary of the reduced monitoring, record-keeping, and user-control requirements of data processing. There is also extra space for data processing without the consent of an individual. These changes can both make the public more at risk and less confident in the digital economy.
“If companies don’t know how much data is being collected, for what and the implications of using it, how can they expect consumers to trust them with such information?” asks Angel Maldonado, CEO of e-commerce company Empathy.
Michael Queenan, CEO and co-founder of Nephos Technologies, takes the criticism one step further.
“The government has decided to sell out the privacy of personal data for business advantage and innovation,” Queenan tells TNW. “Why else would it scrap important already-adopted global data protection steps?”
A possible driver may be the potential savings. As mentioned earlier, the reforms are predicted to free up £4.7 billion for the UK economy. But evidence for this claim is hard to come by.
The government refers to the figure with a link, which has been broken since we first saw the announcement. The source can be found via the Wayback Machine, but the estimate it links to was published in July 2022 – when another version of the bill was introduced. Critics suspect the £4.7 billion estimate has little basis in reality.
“As opposed to saving businesses billions, the law could lead to increased compliance costs and administrative burdens for companies operating in multiple jurisdictions,” said Shaun Hurst, Principal Regulatory Advisor at regtech firm Smarsh.
Deviations from the GDPR are a recurring theme in pitches for the DPDIB. The government has emphasized the benefits of these deviations, but they also threaten data transfers with the EU.
The UK currently has EU data adequacy status, which protects the flow of data between both jurisdictions. MEPs, however, have taken issue with Britain’s planned reforms. If they decide that the new bill does not meet the required standards, the adequacy agreement may be lost.
As a result, companies selling in both the UK and the EU would have to comply with two sets of laws. Tech giants may be reluctant to develop product and policy variations for a new regime, while domestic companies might consider moving to the union.
“Getting rid of red tape will only be an advantage if companies continue to be able to work across borders with European citizens and their data by using the adequacy regime that has applied to the UK since Brexit,” says Amanda Brock, CEO of OpenUK, a non-profit organization that stands for open technology.
However, the government has publicly stressed the importance of maintaining data adequacy. Some privacy experts are also confident that the new measures will meet EU requirements. But even if the UK retains data adequacy, companies trading in the EU must comply with GDPR standards. Consequently, the main beneficiaries of the new regime may be companies operating only in the UK market.
“I think these so-called ‘savings’ will never materialize for most companies,” says Farhad Divecha, founder of AccuraCast, a London-based digital marketing agency. “If you have visitors from Europe or do business with Europe, you still have to comply with the GDPR. So ultimately we’re going to have more complicated requirements that differ for your customer base in the UK versus in Europe.”
Nevertheless, the departure from the GDPR can have positive consequences worldwide. Ilia Kolochenko, the founder of security company ImmuniWeb and a member of Europol’s Data Protection Experts Network, hopes the bill could have an impact on EU rules.
He fears companies are struggling with GDPR fatigue, inconsistent enforcement across member states and the increasing costs of formalistic compliance.
“European companies would gain a significant competitive advantage in the global market if the European GDPR goes through a similar series of improvements and simplifications,” says Kolochenko.
“If the trend of over-regulation continues, we are likely to see massive and deliberate non-compliance, as the costs and penalties for non-major breaches are likely to be much less significant than the cost of holistic implementation of the rapidly growing EU regulation and cybersecurity guidelines.”
It’s a bold call for balance, but it’s unlikely to win consensus approval – like any other data protection argument. Despite this deep division, there is certainly one thing we can all agree on: “DPDIB” is a horrible acronym.