Camilla Winlo, Head of Data Privacy, analyses what Michelle Donelan’s recent speech at the Conservative Party Conference means for the new Data Protection and Digital Information Bill.
I wrote recently about the potential for the new Data Protection and Digital Information Bill (DPDI) to change as it moves through parliament. At the time of that blog, the Conservative leadership contest had only just started. As it turns out, I was right that Nadine Dorries would not remain as Secretary of State for the Department of Culture, Media and Sport (DCMS). This week, at the Conservative conference, the new DCMS leader Michelle Donelan set out her plans for UK data protection.
Donelan started the section of her speech about GDPR by saying “we inherited GDPR from the EU, and its bureaucratic nature is still limiting the potential of our businesses …,” which makes it clear that this government does not intend to pivot back towards the European approach to data protection.
She goes on to say “we will co-design with business a new system of data protection. We will look to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand,” and “I will be involving [businesses] from the start in the design of a tailored, business-friendly British system of data protection.” This sounds awfully like a sizeable review of the DPDI could be in the offing. Donelan does not appear to be pitching herself as ‘continuity Dorries’ – and in fact Dorries’ recent media interviews and tweets make clear her unhappiness at Donelan’s willingness to reconsider decisions the former had previously made.
However, the clues as to what this review might cover don’t seem as significant as they might first appear. Donelan still aspires to adequacy with the EU – it’s hard to see how businesses can operate without this – but the examples she gives of the types of organisations she wants to support include “smaller organisations and businesses [that] only employ a few people each”, “electricians and plumbers” and “churches … pleading for us to do something, so that they can send newsletters out to their communities without worrying about breaching data rules.”
This sounds awfully like Donelan may not actually be planning much more than a review of the scope of the domestic use exemption, which allows individuals to process personal data for household purposes without needing to comply with the GDPR. The kinds of processing that church groups and sole tradespeople do often looks very similar to the processing that is exempt from GDPR already – text, WhatsApp and email communications to very small numbers of people, or a little light self-promotion on social media.
Donelan does talk about “unnecessary red tape”, “clunky bureaucracy” and other similar objections that are often levied at regulations. The current draft of the DPDI already removes the requirements to complete some of the documentation required under GDPR (sort of – it’s left for organisations to decide what their privacy programme should look like, and the work still needs to be done) so it’s not clear what ‘clunky bureaucracy’ she feels remains or how she thinks this could be removed without jeopardising data protection and EU adequacy.
Now, it’s fair to say that new UK prime minister Liz Truss and her new top team have had a torrid start, and there are already rumblings of plots; therefore, it’s hard to say how much chance Donelan has of getting her data protection agenda through this parliament. One thing is clear – if Donelan really is planning to go back to the drawing board and start a new round of consultations with organisations, she has a very narrow window of opportunity to do that before the next general election.