The government’s recent announcement that it will ‘replace’ GDPR and pause the Data Reform Bill, has raised fresh questions about the UK’s EU data equivalence, according to a leading tech and data lawyer.

Dr Sam De Silva, Chair of BCS, The Chartered Institute for IT’s Law specialist group and partner at international law firm CMS, warned that UK business may find themselves having to potentially ‘comply with two regulatory regimes’ following the legislation.

Dr De Silva said: “At the moment, the UK has the benefit of an EU adequacy decision that allows the free flow of personal data from the EU to the UK. However, that adequacy decision requires the EU Commission to continuously monitor developments in UK law in order to assess whether the UK still provides ‘essential equivalence’.

“What this means is that significant deviation from the GDPR will risk the UK losing its adequacy. Interestingly, DCMS Secretary of State, Michelle Donelan, made it clear in her recent speech that the intention is that the UK would retain its adequacy decision. It’s not clear how practical that is if the Government is aiming to fundamentally move away from the GDPR.”

He added: “We need more detail on what this means in practice. One interpretation is there are no plans to retain any aspect of the GDPR in UK law, and therefore the Data Reform Bill (currently paused) is now defunct - the reason being was the Bill appeared to only modify the GDPR in certain areas.

‘Light touch’ approach to regulation

“It appears that the Government wants a ‘light touch’ approach to regulation, but it’s not clear what that would mean in practice. For example, would the UK law still ‘look and feel’ like the GDPR in substance and structure i.e. different obligations for controllers and processors, specific individual rights and accountability requirements?

For you

Be part of something bigger, join BCS, The Chartered Institute for IT.

“Or will the Government propose something completely new? Most UK businesses have been working with the GDPR for over four years and most have invested significant time and money establishing and operating their compliance programs.

“Of course, UK businesses that have customers in the EU will still have to comply with the EU GDPR notwithstanding what the new UK law is in place. The risk for UK businesses is that they will have to comply with two regulatory regimes. I expect that most businesses will continue to apply the stricter rules anyway.”

Caution urged

Dr De Silva said that lost profits are often cited by the Government (based on an Oxford University report) as a reason to remove GDPR – but urged caution in that conclusion for three reasons (as mentioned by the authors of that report):

The negative impacts on firm performance we observe may partly reflect temporary adjustment costs.

If the GDPR gradually becomes a global standard as more countries adopt similar regulations, companies targeting EU companies will become less disadvantaged over time.

Any calculated estimates appear to be silent on its aggregate welfare effects, which are likely to account for potential benefits to citizens concerned with data protection.