The pointless war on GDPR

The winner, therefore, is the new secretary of state for digital, culture media and sport Michelle Donelan, who is planning to tear up the UK’s General Data Protection Regulation (GDPR) and replace it for seemingly no good reason other than it originated with the European Union.

Data gathering might sound like some obscure branch of the computer industry, but it is now vital to almost every business, and that means data protection is vital to us all. Details of your finances, your employment, tax and legal history, your possessions and the things you like and dislike are all prized by businesses. Supermarkets use data to target deals at shoppers and advertising agencies use it to target adverts. GDPR exists to give you some power – the ability to consent, or not consent, to having your data stored and then sold on by one company to another.

The government was already in the process of changing GDPR – there is even an act going through parliament to do just that – but that has now been suspended so that the government can look at it again. Ms Donelan now says the new improved version will be a “business- and consumer-friendly British data protection system” and promises “that it will be simpler, it will be clearer, for businesses to navigate. No longer will our businesses be shackled by lots of unnecessary red tape.”

There are two big issues with this. The first is that the business world is used to GDPR and spent years preparing for it. They were starting to prepare for the new British version too, but all that work has had to be suspended and business now awaits the government’s final decision, again. As the Institute of Practitioners in Advertising’s director of legal and public affairs, Richard Lindsay complained: “from an ad industry perspective, businesses cannot afford any further disruption which a fundamental redesign would seem likely to impose.”

And although the minister seems to think that there are huge changes that can be made to these rules with no adverse effects, the second major worry is that they will just go too far. If Britain changes its data protection rules too much, makes them too slack and too easy to get around, the EU will simply refuse to accept them.

As Konrad Shek, director of policy research at the Advertising Association told me, “It depends on the ambition of the divergence. If you try to diverge too much then there is always the risk that it becomes double compliance.” An attempt, therefore, to water down the strict protections the EU has put in place means UK firms wanting to do business in the EU, or put themselves in front of European consumers – virtually all of them – would face two lots of rules, one British and one EU, and two lots of costs to implement them. “I would argue there is a general limit on how much divergence you can have before it becomes counterproductive,” said Shek.

Leaving the EU’s GDPR is likely, therefore, to be rather like leaving the Customs Union. You get to set your own very slightly different customs rules but in return, you open yourself up to massive delays and costs at the border with the EU, which far outweigh any possible benefits.

The UK has some room for manoeuvre but the basic principle is this: The EU must accept that the UK system is “adequate”; that is as good as its own system and so data transfers between the UK and EU businesses and governments can continue. If the British government rewrites its rules dramatically so that they are no longer considered “adequate” those transfers would have to stop. Firms would have no choice but to comply with both systems if they wanted to do any business at all in the EU.

The minister says the new all-British GDPR system will still be “adequate” but she also says the current system is “limiting the potential of our businesses”. Nothing could be further from the truth. Complying has allowed them access to 450 million customers; changing the system could well block them from those customers unless they pay up to comply with two different standards. It will make things tougher for businesses and restrict growth – it could even have been thought up by the anti-growth coalition.

But GDPR is only the start. The prime minister herself has declared that by the end of 2023 “all EU-inspired red tape will be history”. This is where the argument over GDPR is really helpful because it shows how pointless and indeed counterproductive this whole exercise is. The government, with a recession and energy crisis and a cost of living disaster to deal with is going to exhaust vast amounts of its bandwidth on abolishing “EU red tape”, just as it slashes away at the civil service which will be dealing with some of the fallout from its abolition.

The current system is useful to industry, which can still use it to trade across the EU. Changing it will be disruptive, time-consuming, expensive and probably pointless.

The room to “improve” or just abandon the rules and regulations we helped set as a member of the EU is almost non-existent and will make no difference to the UK economy. The OBR has looked at this exhaustively and found it makes no measurable difference to growth.

Any attempt to make UK legislation weaker or lighter will eventually hit the brick wall that is trade with the EU. Companies will just have to adopt EU rules to sell in the EU and UK ones to sell here. “Red tape” doubles. Hey presto, British industry is worse off, not better off.

The EU can even retaliate if UK law is weakened so much it means British firms enjoy an unfair advantage in the EU. There really is very little room for manoeuvre, very little if anything to be gained and a great deal to be lost.

The PM’s growth strategy, which to a great extent consists of claiming that British industry can be set free by a bonfire of EU rules, is a fraud.