Data Protection and what the Labour Government should do

July 2024

What should Kier Starmer’s team do about data protection?

After the Conservative Party’s crushing defeat on July 4th, we now have a Labour administration. As the General Election was called, the Data Protection and Digital Information Bill was progressing through Parliament. Although many thought it might be just pass before an Election, the decision by Rishi Sunak to gamble everything on an early election led to the Bill’s abandonment.

The Bill itself was controversial, proposing a mixed bag of changes to data protection and ePrivacy laws. Views within the industry were, it is fair to say, divided.

I’ve asked industry insiders the question; What should the new Government do with UK GDPR, the Privacy and Electronic Communications Regulations (PECR), and AI? Here’s what they say.

Steve Wood, Founder & Director, PrivacyX Consulting and former UK Deputy Information commissioner

“The New Government should firstly take a step back to consider its approach to public engagement on data and AI, particularly with civil society. As they seek to use AI to transform the public sector, a planned and long-term approach to meaningful transparency and engagement is vital. There are good foundations to build on for AI policy and the new Government should look at options to put AI principles on a statutory footing and what additional oversight and coordination is needed to make them effective.

There is scope for a focused AI and Data Bill, learning the lessons of the complexity and confusion in the DPDI Bill and what will really improve the outcomes of the data protection regime – for people and organisations. Changes to GDPR that should remain on table include the new Information Commission reforms, the data protection test for internation transfers and an exemption for analytics cookies.”

You can read more of Steve’s thoughts in his Substack blog – A Digital Policy Memo for the Minister’s Red Box

Chris Combemale, CEO, Data & Marketing Association (DMA)

“The DMA continues to believe that reforming the data protection regime in the UK is fundamental to driving growth, innovation, and wealth creation in the country. Doing so would be a strong sign of the new Government’s commitment to the industry and business.  Amongst the most important reforms for DMA members are:

1. Reforms that establish greater certainty for the use of legitimate Interests as a lawful basis particularly attracting and retaining new customers
2. Reforms that clarify how data can be better used to support scientific research and technology development
3. Reforms that reduce bureaucracy for small business
4. Reforms that enable Smart Data schemes to be introduced in appropriate sectors
5. Reforms that reduce the consent requirements for non-intrusive cookies
6. Reforms that update the law to enable beneficial update of automated decision-making like AI while maintaining strong safeguards

These reforms are consistent with the Labour Policy Forum position and indeed were supported by Labour during scrutiny of the former government’s DPDI Bill. The DMA will work closely with the incoming government to ensure these reforms become law.”

Read Chris’ Open Letter to all political parties

Robert Bond, Senior Counsel, Privacy Partnership Law and Chair, DPN Advisory Group

“The new Government needs to ensure that any changes it makes to our data protection regime do not harm our “adequacy” with the EU. However, I would welcome a review of the reliance on Legitimate Interest as a lawful ground for processing to bolster this useful ground. I would like to see a review of PECR and a proactive focus on practical AI legislation.”

Gerald Coppin, Deputy Group Data Protection Officer, Springer Nature

“I feel a Labour government should work on an international effort to harmonise the data privacy laws across major jurisdictions, it could make it easier for businesses to manage regulatory requirements. They could recommend or mandate techniques like differential privacy, federated learning, and synthetic data generation to enable AI development without compromising individual privacy. As well as expanding regulatory sandboxes that allow companies to test innovative AI applications in a controlled environment, while ensuring privacy safeguards are in place. A reduction in paperwork to prove compliance with the different laws would be MOST welcome!!”

Debbie Evans, Managing Director, FTI Consulting

“I want to be optimistic about change however, it’s not going to be without challenge. Whilst I’m not proclaiming any particular political persuasion – my personal hope is that individual rights are given more visibility. Businesses consequently will need to take compliance more seriously as laws strengthen.”

Eduardo Ustaran, Partner, Hogan Lovells

“My view is that the new UK Government should aim to realise the opportunity to place the UK as a global leader in these areas. The UK is in an ideal sweet spot because it is close enough to the EU’s policy objectives of providing the highest levels of protection for personal data and human rights in the face of today’s AI revolution, but also understands the crucial importance of technological innovation for growth and prosperity. That combination is particularly attractive for responsible global businesses to model their regulatory compliance strategies for privacy, cybersecurity and AI. This is a crucial issue for the UK Government to get right and support its primary goal of growing the economy.”

Charles Ping, Managing Director, Europe, Winterberry Group

“Labour has a big task ahead, and by its own admission, limited resources. So using the eco-friendly mantra of reduce, reuse and recycle they should take all three aspects into evolving our data protection legislation. Reduce the wasted time on devising new policy objectives in this area when there was cross party consensus on the currently lifeless Data Protection of Digital Information Bill. Reuse, because the bill is pretty much “oven ready”, if that phrase hasn’t been rendered entirely valueless by a previous administration.

Recycle the old bill and ensure an expedited path through the corridors and meeting rooms of Westminster. I can’t see a new administration (or country) wanting a traditional summer recess, so this legislation should have time to whistle through and start making a difference.”

Eleonor Duhs, Partner and Head of Data & Privacy, Wells Bates LLP

“I think the new Labour Government, as a priority, should deal with the uncertainty created by the Retained EU Law (Revocation and Reform) Act 2023 (“REULA”) about how to interpret the UK’s data protection frameworks. REULA has turned the statue book on its head, with domestic law (whenever enacted) taking precedence over any law that was previously EU law (including UK GDPR). An example of the unintended consequences of this is in the area of exemptions from data subject rights. The Open Rights case (brought before REULA came into force) required the government to provide EU-standard protections for migrants when exercising data subject rights. But because of the reversal of the relationship between the UK GDPR and the Data Protection Act 2018 every other group in society now has a lower standard of protection for their data subject rights, compared with migrants.

This outcome was clearly not anticipated. In order to ensure data protection standards in the UK remain high the new Labour government should bring forward legislation. It could either use the powers in REULA to reintroduce deleted principles in order to bring clarity and legal certainty. Alternatively, the best course of action may be to enact bring forward primary legislation to ensure that the UK statute book is stabilised. Powers to update our data protection frameworks should also be considered to ensure it continues to be current and tracks accepted EU and international standards. This would support growth and avoid the risk of losing the UK’s data adequacy decision which is due to be reviewed next year.”

You can read more from Eleonor on the REULA here

While I appreciate reforming data protection law may prove not to be a high priority for the new Starmer Government, to offer my tuppence, if Labour does nothing else, I’d urge them to revise PECR. It’s desperately out of date, first introduced over 20 years ago, and then updated back in 2009 with the ‘cookie law’. The world has moved on. There were some proposed changes to PECR under the DPDI Bill which I favoured. In particular, a change allowing not-for-profits to take advantage of the so-called soft opt-in exemption to consent for marketing emails / texts. This is currently only available in a commercial context, which I feel is unfair. As others have mentioned, I’d also like to see a revision of the consent rules for website analytics cookies.