In recent weeks the future of data protection law in the UK has been not just hard to predict, but hard to keep up with.
Since Brexit, the UK has had its own version of the EU's GDPR, called, obviously enough, the "UK GDPR". Then, on 18 July, a Data Protection and Digital Information Bill was presented in Parliament – it proposed some significant (but possibly not hugely so) changes to the current regime, but it retained the UK GDPR. It was scheduled to have its second reading in the House of Commons on 5 September, but this was postponed "to allow Ministers to consider the legislation further".
Following this, on 22 September, the Retained EU Law (Revocation and Reform) Bill was introduced. This appeared to propose the "sunsetting" (i.e. the repeal) of multiple data and information laws, including the UK GDPR, by the end of 2023.
The next development, on the first day of the Conservative Party conference, is the announcement by the Culture Secretary, Michelle Donelan, that
"we will be replacing GDPR with our own business and consumer-friendly data protection system… Many…smaller organisations and businesses only in fact employ a few people. They don't have the resources or money to negotiate the regulatory minefield that is GDPR. Yet right now, in the main, they're forced to follow this one-size-fits-all approach."
She also suggested that businesses had suffered from an 8% reduction in profit from GDPR. It is not immediately clear where this figure comes from, although some have suggested that an Oxford Martin School paper is the source. If that is the case, there are some questions to be asked: the paper contains some bold, and clearly wrong, statements about the law. These include that "websites are prohibited from sharing user data with third parties, without the consent from each user"; "companies that target EU residents are required to encrypt and anonymise any personal data it [sic] stores"; and "as users incur a cost when prompted to give consent to using their data, they might reduce online purchases, leading to lower sales". In fact, websites are not prohibited from sharing data without the consent from "users"; companies subject to GDPR are not required to anonymise personal data they store; and "users" do not have to consent to the use of their data, and even if they did, it is far from clear how or why they would incur a cost.
Regardless of the economic thinking underpinning the developments in the statutory regime, it is possible that those developments all cohere. The Data Protection and Digital Information Bill, when it re-emerges, may, in fact, prove to be a Bill that removes reference to "GDPR" or "UK GDPR", whilst retaining core data principles in domestic law. However, business, just as nature, abhors a vacuum – business owners (and many data protection practitioners) will mostly be hoping that there is a clear route forward, so that the UK's future data protection regime can be approached with at least a degree of certainty.