The UK Government plans to replace GDPR with its own data protection system, culture secretary Michelle Donelan told the Conservative Party Conference on Monday.
“We will be replacing GDPR with our own business- and consumer-friendly British data protection system,” Donelan announced. “No longer will our businesses be shackled by lots of unnecessary red tape.”
Avoiding any detail, the new culture secretary promised the rules would be “simpler [and] clearer for businesses to navigate” than the current EU regulation.
GDPR is notoriously complex and “riddled with uncertainties,” says James Rosewell, CEO and co-founder of data services specialist 51Degrees. IAB Europe tried to untangle some of that complexity for advertisers with its Transparency and Consent Framework (TCF) – and according to the Belgian Data Protection Authority, violated GDPR in the process.
“The industry has been grappling for a long time with some of the GDPR complexities, particularly with respect of use of data in a programmatic context,” comments Bryony Long, Partner at Lewis Silkin and co-head of the law firm’s Data and Privacy Group. “Key concepts around transparency, lawful basis and accountability in particular are proving difficult to overcome – just ask the IAB.”
And it’s not just businesses struggling under the demands of the regulation; users are bombarded with GDPR consent pop-ups every time they go online, and many are probably unsure what they are being asked to consent to anyway.
“The consumer experience with these businesses online, because of GDPR, is largely terrible,” says Wayne Blodwell, founder and CEO of TPA (formerly known as The Programmatic Advisory). “I believe a UK-centric approach will create more consistency and therefore users will have clearer expectations on how their data is used. I think the odds are in favour of removing the popup boxes with complicated language.”
While this might seem like an easy win for a “populist government”, Mattia Fosci, founder and CEO of data platform ID Ward, argues it would undermine Donelan’s “business-friendly” claims. “The cookie pop-up is not written in GDPR,” he notes. “The only thing GDPR says is that the user needs to give consent. So if you replace the cookie pop-up with something more user friendly, it will probably be something at the browser level. That is not what publishers and advertisers want.”
“If you simply have a setting on your Chrome or Safari that says, ‘Do you want to share data with third parties or not?’, what would consent rates be like?” he continues. “Complexity was created by publishers to prop up consent rates. If you simplify it too much most people would probably stop sharing.”
Fosci calls this “ignorance” on the part of the government, born from a desire to pull a Brexit benefit from an ailing administration. “This government has had almost three years in power,” he adds. “They’re very likely not to win election in another two years. Will they be able to rethink the whole thing, pass a law and implement it within two years? I’m not sure.”
Sharpening the rules
Lewis Silkin lawyer Long agrees that replacing the established data protection law is “not particularly” practical. “While GDPR might be seen as burdensome for many, it is becoming/has become the global standard that all multinationals are aiming to achieve from a privacy compliance perspective. Having a slightly more relaxed regime in the UK in reality won’t make a huge difference for many.”
One immediate impact will be the merging of e-privacy and GDPR regimes in the UK, she explains, meaning “significantly larger fines” could emerge for e-privacy breaches. “This is no doubt going to have a huge impact on organisations who currently take a relatively high-risk approach to compliance on the basis that the penalties under current law don’t necessarily outweigh commercial gain.”
TPA analyst Blodwell concurs that the regulations could “give the UK government more teeth to fight back” against deep-pocketed tech giants. “It will be interesting to see how the big US tech companies approach this as they’re all chartering their own course with little regard for market nuance (initiatives such as ATT with Apple for example),” he says. “Time will tell if it effects any change.”
In any case, publishers would expect the new privacy rules to offer “the clarity that enables them to responsibly use personal information to provide personal advertising to the people that want it,” remarks Rosewell.
But the risk is that further fragmentation leads to even less clarity, with global businesses having more regulations to understand. “You need one consistent set of rules for everybody,” states Fosci. “Is GDPR perfect? No. Can it be improved? Yes. But does the UK need to go and just rewrite it? It’s just posturing to be honest, it’s just politicians being politicians, at this stage at least.”
Blodwell is more optimistic. “The addition of another set of regulations will be challenging for multi-national advertisers and publishers to navigate,” he accepts, “but if the UK gets it right, this should be simpler than before and creates great upsides for businesses to be more data-driven.”
Though the reaction is largely speculative at the moment, there is scope for industry players to shape the debate while the Information Commissioner’s Office (ICO) consults the sector on what the new framework should look like. “Get your issues into the ICO tout suite,” advises Rosewell. “Don’t expect someone else to do it for you!”