My Head Spins – UK Gets Adequacy As Task Force Says GDPR Must Change

The EU Commission today (June 28, 2021) announced that the UK has been granted adequacy for data flows from Europe to the UK.  The UK received adequacy, in part, because the UK law is substantially the same as the EU GDPR. 

Just last week the UK government published the final report from the Task Force on Innovation, Growth and Regulatory Reform, The TIGRR Report. It is the interplay between the adequacy finding and the TIGRR Report’s proposals that make my head spin.

The TIGRR Report proposes “Replacing [the UK] GDPR with a New UK Framework for Data Protection.”  The TIGRR Report describes this proposal more fully:

Replace the UK GDPR 2018 with a new, more proportionate, UK Framework of Citizen Data Rights to give people more control over their data while allowing data to flow more freely and drive growth across health care, public services, and the digital economy.

The proposal goes on to say in part:

The UK has the opportunity to cement its position as a world leader in data, through a combination of proportionate, targeted reforms that boost innovation, and by maintaining its enthusiasm for digital. The Government should use an approach to data based more in common law, so case law can adapt to new and evolving technologies such as artificial intelligence and blockchain.

. . . .  Reforming GDPR could accelerate growth in the digital economy, and improve productivity and people’s lives by freeing them up from onerous compliance requirements. In a survey by DataGrail 49% of business decision makers reported spending over 10 working days a year just to sustain GDPR compliance, with 12% spending over 30 working days a year. A more proportionate approach would free up many businesses to provide more value to the consumers and other businesses they serve.

The TIGRR Report also proposes encouraging AI by removing Article 22 of the GDPR that covers automated decision making and profiling.

So, my head spins not because the proposals have been made, but instead because of its timing right before the EU announced UK adequacy.  It is hard to see how the UK would stay adequate with the changes suggested by the TIGRR Report.

The TIGRR Report task force is not alone in finding issues with the GDPR as it relates to advanced analytics and AI.  Axel Voss, shadow rapporteur for both data protection and AI in the European Parliament, has published a white paper entitled “Fixing the GDPR:  Towards Version 2.0.”