Government’s proposed changes to UK GDPR should be next to go

New chancellor Jeremy Hunt has begun to scrap part of the disastrous economic measures proposed in the mini-Budget in response to backlash from the markets, businesses and consumers. As the British government reverses some of its ill-thought proposals, it would also be wise to reverse course on its current plans to water down data rights, which will promote data discrimination.

At the 2022 Conservative Party Conference, new Secretary of State for DCMS Michelle Donelan announced vague plans for a new data regime. But after a punishing year of political and economic chaos, UK businesses and individuals should not be asked to handle further uncertainty, uninsurable business risks, and economic damage. Going further down the deregulatory road may seem tempting in the name of “economic growth”, but will deliver the opposite.

The most recent version of the government’s Data Protection and Digital Information Bill aka the ‘Data Discrimination Bill’ included a host of concerning changes to UK GDPR. The bill threatened to politicise the Information Commissioner’s Office, weaken data subject rights, and remove critical protections around automated decision-making. These changes, which we argue will unleash a wave of increased data discrimination against vulnerable groups, also endanger the UK’s adequacy decision with the EU.

The UK’s adequacy decision is up for review by the EU in 2025, and the Commission has warned it won’t hesitate to review adequacy privileges earlier if the UK government makes significant changes to domestic data protection. Adequacy can also be challenged by EU citizens through the EU courts. The scale of the changes (especially issues like lightly-policed global data transfers, the undermining of the ICO, and wide-ranging government schemes like the Immigration Exemption that can easily be used against EU citizens) would be very likely to worry those courts. Such proposals stand at the heart of the UK’s current data protection plans.

If EU-UK adequacy was lost, businesses would encounter increased compliance costs estimated at £1-1.6 billion, alongside further red tape and bureaucratic headaches. Even without loss of adequacy, many of these businesses would need to navigate and comply with two vastly different data protection regimes. Only a small number of abusive companies based on intrusive personal data surveillance would benefit from these changes, while the British economy would suffer from a wider loss of trust between customers and business. This is hardly an economic panacea.

The Data Discrimination Bill has been put on hold as the government reassesses its approach. ORG urges the government to recognise the potentially damaging consequences of its proposed changes and ensure that civil society and business concerns about EU adequacy and data rights are prioritised.