UK to Relax EU Data-Protection to Cut Business Costs

The UK unveiled plans to relax some data protection requirements under the European Union’s General Data Protection Regulation, a move that was cautiously welcomed by businesses but criticized by privacy groups.

(Bloomberg) — The UK unveiled plans to relax some data protection requirements under the European Union’s General Data Protection Regulation, a move that was cautiously welcomed by businesses but criticized by privacy groups. 

Legislation first introduced last summer as a way for British firms to save costs by reducing compliance burdens was revised after consulting with businesses and data protection stakeholders, the Department for Science, Innovation and Technology said.

The government estimated that reforms in the Data Protection and Digital Information Bill could save companies more than £4 billion ($4.73 billion) over 10 years. 

“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy,” cabinet minister Michelle Donelan said in a press release. 

The bill includes reforms that would make it easier for companies in the UK to mine user data for research and development. It would also remove the need for companies to hire a dedicated data protection officer and provide more clarity on when companies can process personal data without consent. The draft legislation also sets an intention to reduce cookie pop-ups and create fines for nuisance marketing calls, but lacks detail on how that would be implemented. 

Businesses that operate in the rest of Europe will still need to adhere to the EU’s GDPR.

‘Attractive in Principle’

Julian David, chief executive officer of industry association TechUK, welcomed the shift away from a one-size-fits-all implementation of GDPR. Increased clarity on when companies can use data for research is likely to attract innovative companies to the UK, he said. However, businesses need more clarity on how to reduce cookie pop-ups and prevent nuisance calls, which could create an additional expense, he added.

Martin Sloan, a partner at Brodies LLP, a law firm specializing in data protection, said that the more flexible framework “might sound attractive in principle” but is unlikely to make a significant difference to multinational businesses.

Data protection consultant Jen Persson agreed. “Doing business with our biggest market on our doorstep means being aligned with the GDPR,” she said, warning that it could mean “business chaos if they create a duplicate data protection regime for the UK only.”

Lukasz Olejnik, a data protection consultant and former adviser to the European Data Protection Supervisor, questioned whether the reforms would deliver billions in cost savings. He said that companies dislike “frequent changes or the need to cope with multiple regimes” since they can incur additional costs.

Open Rights Group and 25 other civil society organizations, including Privacy International and Big Brother Watch, called on the bill to be scrapped, arguing it would weaken data protection rights in the UK, particularly as businesses develop AI-powered tools that automate decision-making. 

“As the use of flawed and biased decision-making algorithms increases across every sector, data protection is particularly important for protecting the rights of marginalized groups,” said Open Rights Group’s Abigail Burke. 

(Corrects spelling of Lukasz Olejnik’s name in 10th paragraph.)

More stories like this are available on bloomberg.com

©2023 Bloomberg L.P.