New legislation will replace GDPR, DCMS minister announces

The public political turbulence at the Conservative Party Conference has somewhat overshadowed the substantive policy announcements that have arisen throughout the past few days.

Many of these announcements are of significant importance, however, and the DCMS Secretary’s speech to the conference outlined the Government’s clear objective to replace GDPR with a new data protection framework.

“I am announcing that we will be replacing GDPR with our own business and consumer-friendly, British data protection system,” Donelan announced.

“Our plan will protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely.”

“Our new data protection plan will focus on growth and common sense, helping to prevent losses from cyberattacks and data breaches, while protecting data privacy. This will allow us to reduce the needless regulations and business-stifling elements, while taking the best bits from others around the world to form a truly bespoke, British system of data protection.”

The DMA welcomes the intention to boost innovation, cut red-tape and increase growth. The DMA supported the previous work on the Data Protection and Digital Information Bill and believe it provides a strong starting point.

Specifically, the planned change to allow cookies to be used for analytics purposes without consent would reduce consent banners, give greater insight to businesses seeking to better understand and improve relationships with their customers. Finally, the suggestion that third sector organisations would be able to use a soft opt-in for email is a wise move that will boost charity engagement and fundraising.

The DMA has outlined additional amendments that would further improve the proposed DPDI text in the following areas critical to the data and marketing industry:

1. Cookies – Section 79 (2A) of GDPR allows for the use of cookies without consent for ‘non-intrusive’ purposes (e.g. ‘statistical’ and anonymous purposes). We support wording to include audience measurement within this provision, as this can also be considered non-intrusive and anonymous and would provide opportunity for organisations to better tailor their messaging to subscribers and customers.
2. Automated consent – Consistent with the industry-wide approach to the EU’s e-Privacy proposal, the DMA advises the use of in-built automated consent mechanisms should be limited as this could pose competition concerns. It also undermines the relationship between publishers and the user when the control element is taken from the user.
3. Legitimate interests – Recital 47 GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. We will lobby for Recital 47 to be incorporated into the main text of any new legislation.
4. Data adequacy – DCMS and the ICO were optimistic that the DPDI Bill would not threaten UK’s EU adequacy status. This must be ensured in any new data protection legislation to protect international trade and cross-border data flows. As such we will argue for the Government to give special consideration to maintaining adequacy as it looks to make changes to the UK’s data protection regime, particularly if it will have powers to make changes without parliamentary scrutiny further down the line.
5. Regulatory coherence – We must ensure the considerations of the new GDPR and its relationship with other relevant pieces of legislation are taken into account as the Bill goes through the Parliamentary process. We recognise the industry preference would be for a consolidated piece of data protection legislation but understand that this may not be feasible at this stage.

The DMA has begun engaging with the government to obtain further information and will provide updates as they happen.