Is it time for GDPR 2.0?

Five years on from the arrival of GDPR, the UK is weighing up post-Brexit divergence as a chance to refresh the data protection rules. What might that mean for compliance?

The information superhighway slows for no one. Data and capital have crossed borders with greater ease than people for decades. But try to move the personal data of Europeans outside the EU and you’ll be in serious trouble. 

As the gold standard for data privacy, the General Data Protection Regulation (GDPR) undoubtedly has teeth. For instance, in May, Meta’s EU base in Ireland was fined €1.2bn by the European Data Protection Board (EDPB) for breaching the flagship data protection law. Andrea Jelinek, the chair of the EDPB, alleged that Meta had engaged in “systematic, repetitive and continuous” transfers of personal user data from the EU to the US. To date, it’s the biggest fine levied under GDPR.

The UK adopted GDPR in 2018. In the five years since then, British businesses have become fully aligned with those on the Continent regarding data regulation. You’ll have noticed the pop-ups asking you to “accept cookies” or to “opt in” to a company’s data privacy policy when you visit their website. That’s GDPR in action: nominally putting your data in your hands, and giving you the choice to share it online if you so please. 

What’s wrong with GDPR as it stands?

That said, the mechanism is clunky. Plenty of sites don’t have a ‘no’ button immediately available, making it easier to click ‘yes’ without fully being aware of the consequences, and the demands on the compliance side are far from negligible, especially when dealing with large amounts of personally identifiable data. 

Various other issues have also arisen, with complaints ranging from the fact that GDPR takes a ‘one-size-fits-all’ approach – its provisions not being tailored to different sizes of business, sectors or data use cases – to broader concerns that it overburdens those businesses designated as data controllers.


In the past few years, then, there have been murmurs of the UK taking advantage of Brexit to create its own, distinct data protection regulation. The goal: to cut red tape and empower British businesses via a new and improved policy. The fear: deviating from a global gold standard, diluting personal protections and hurting consumer confidence.

Proposals for a new UK-wide data protection bill are working their way through parliament. The secretary of state for science, technology and innovation, Michelle Donelan, introduced the Data Protection and Digital Information Bill in March. The announcement promised a “common-sense-led” law that would reduce “costs and burdens” to British businesses.

According to a government spokesperson, modernisation is the prime focus of this bill. “Our new Data Protection Bill seizes a post-Brexit opportunity to bring our data rules into the current decade, delivering £4.7bn for the UK as a result,” they say. “The new regime will reduce burdens on businesses, boost the economy and unlock innovation across the UK, all while building on our already high standards for the protection of personal data.”

What issues will GDPR 2.0 face?

One of the key challenges in refreshing GDPR, however, will be achieving so-called EU data adequacy, which allows EU data to flow freely to a third-party country. This would ensure there are no trade fall-outs with European partners, which could otherwise prove incredibly costly to British businesses. As evidenced by high-profile GDPR-related fines, the US does not have EU data adequacy. 

But legal analysis of the government’s new bill has found several areas of potential divergence from GDPR, including the possibility of commercial enterprises being exempted from some data protection requirements if the data is being used for purposes that could “reasonably be described as scientific”. That would indicate an attempt – albeit a risky one – to empower businesses and researchers by avoiding one-size-fits-all red tape. 

Does the UK government have the wrong idea?

On the other side of the Channel, however, some are asking whether GDPR needs to get stricter, not more flexible.

“Europe should double down on its flagship data protection law,” says Townsend Feehan, CEO of IAB Europe, an association representing digital advertisers and marketers across the continent. “GDPR empowers people in a way no other privacy law does. However, five years on, we are at risk of having choices taken out of people’s hands and placed into powerful aggregators such as web browsers and operating system manufacturers.”

Even among businesses required to comply with GDPR, there seems to be little appetite for any loosening of the rules or lifting of the compliance burden. That’s because giving consumers control, via pop-ups and clear privacy policies, can be a positive thing, and because complying with GDPR has improved businesses’ data practices generally. 

Alex Laurie is senior vice-president of global sales engineering at identity verification software provider ForgeRock. He acknowledges that while the implementation of GDPR hasn’t always been straightforward, “what it has unequivocally achieved is a new level of trust among consumers”.

“What we’d expect to see next,” he says, “is even more control being given back to consumers, who should get to decide which information is shared with what providers, instead of mass-sharing all of their personal data.”

Is ‘privacy by design’ the future?

Scott McKinnon, field CISO for EMEA at US cloud company VMware, suggests that the focus for future regulation should be on encouraging a more holistic “privacy by design” approach. This means “not only evaluating a company’s adherence to the law, but also its effectiveness in safeguarding individuals’ privacy”.

“By adopting this approach,” he explains, “businesses will be incentivised to prioritise privacy protection, rather than solely focusing on meeting regulatory requirements.”

Whether the UK government’s new bill achieves the right balance of enshrining personal data protections while also alleviating burdens for businesses remains to be seen. Either way, after five years of GDPR, the UK is undoubtedly moving into a new era of data protection.