That was then, this is now... for data protection reforms

This time last year, it appeared that the UK data protection reforms – hailed by Government ministers back in 2021 as business friendly laws based on common sense, not box-ticking – had all but vanished.

In fact, we had to wait another three months until the Data Protection & Digital Information Bill (No.2) arrived, to great fanfare, amid claims the revised proposals would “take the best elements of GDPR” but cut down on “pointless paperwork” and “reduce annoying cookies”.

Ministers said the Bill had been revised following “a co-design process with business leaders and data experts”, including Which?, the DMA, TechUK and the Information Commissioner’s Office.

Those looking for wholesale changes would be disappointed. In fact, most of the original measures affecting the marketing industry remained, including bigger fines for rogue telemarketers, a soft-opt in for charity emails, relaxing the online cookies law and a shake-up of the ICO.

And with it came claims of even greater money savings for business. Originally, ministers had said the new laws would save firms £1bn over ten years; a claim which was disputed by many data experts who insisted the shake-up would cost firms more, not less.

This was upgraded to £4.7bn in savings for the UK economy over the next ten years, but there there was little detail on how this would be achieved. In fact, data protection professionals claimed the figures had “very little foundation in reality”.

And, within hours, privacy groups had renewed their attack on the reforms, insisting the proposals would weaken consumers’ data rights and water down accountability.

The Open Rights Group took the lead, laying out its concerns in an open letter to Secretary of State for the new Department of Science, Innovation & Technology Michelle Donelan, signed by 26 civil society groups representing a range of sectors.

In what it branded “a misguided attempt to demonstrate the benefits of post-Brexit freedoms”, the group maintained the UK Government was setting the country on “a dangerous path to further economic instability and the erosion of fundamental rights”.

At the heart of the matter, the letter focused on several key areas of concern, including changes to data protection impact assessments that remove the requirement to consult with consumers who are affected by high risk processing as well as lowering the threshold for organisations to refuse a subject access request.

It also criticised new powers to create additional legitimate grounds for processing data and a new list of exemptions from the purpose limitation principle, as well as the shake-up of the ICO.

By April, when the Bill had its second reading in Parliament, MPs from all parties had expressed major concerns about the reforms, with many claiming the proposed legislation did not go far enough in protecting consumers and others expressing doubts over how it would affect businesses.

Even so, the Bill then passed to the committee stage, triggering further action from privacy groups who urged Brussels to rip up the UK’s data adequacy agreement immediately or EU consumers’ data protection rights would be under threat from a country that would be a “test lab” for experimental and abusive uses of data.

The DMA then waded in, calling on the Government to get the data reforms through Parliament “without hesitation”, citing a study which showed the vast majority of SMEs want UK GDPR overhauled because it is stunting their marketing operations.

The trade body, which originally opposed many elements of the Bill before it was asked to contribute to the revised version, maintained small business owners wanted and needed regulation that was fit for purpose to help the digital economy grow and evolve.

The study revealed that two thirds of SMEs supported updated and modernised data privacy regulation, while nearly a third claimed GDPR had caused them to get rid of a lot of their customer database.

However, there is now a new spanner in the works following the so-called “third reading” of the Bill in the House of Commons, which saw hundreds of last minute amendments rushed through “without proper scrutiny”.

The amendments, which faced heavy criticism, include changes to the rules on direct marketing in elections, meaning politicians only need a “soft opt-in”; a reduction in consumers’ rights over subject access requests, and, even more controversially, giving the Government extensive powers to access to the bank accounts of benefit claimants in an attempt to cut fraud.

In fact, Labour MP for Rhondda Sir Chris Bryant urged the House to re-commit the Bill to a public committee due to the huge number of amendments tabled at the 11th-hour.

His demands were voted down and the Bill was waved through but it now faces the prospect of long delays as the House of Lords is forced to scrutinise each amendment – all 240 of them.

As Bryant concluded: “I feel ashamed to say it, but I hope the Lords are able to do the line-by-line scrutiny that we have been prevented from doing today.”

This means the Bill is now likely to “ping-pong” between the Commons and Lords for months, and with a General Election due to be called some time next year, the Data Protection & Digital Information Bill (No.2) appears far from a done deal.

In the meantime, last year’s advice to marketers to “keep calm and carry on” would seem to be just as relevant for the coming year, too.