British readers logging on to American news sites after the EU’s flagship data protection rules took effect noticed some significant changes.
Not only were most websites asking for permission to serve up targeted adverts and tracking via irritating pop-ups, but a host of well-known destinations had suddenly become unavailable.
The General Data Protection Regulation (GDPR), passed in 2016 and introduced on May 25, 2018, was viewed in the US as so draconian that, rather than attempt to comply, the publishers of the LA Times and Chicago Tribune blocked European visitors entirely. Several online video games withdrew service from EU players, too.
GDPR granted individuals the right to be informed about the personal data being gathered both online and in the real world, and the right to object to the sharing of that data. This meant businesses were required to get consent up front.
Many sites resorted to clunky click-throughs as internet providers scrambled to work out how to comply with the new laws. The cost of GDPR was easily borne by US tech giants, which are collectively worth trillions of dollars.
Now the Government is eyeing reforms to these rules and creating a more “common sense” version of UK data rules post-Brexit.
Sir Martin Sorrell, founder and chairman of advertising group S4 Capital, says: “Underlying GDPR were concerns around privacy and the dominance of the three Western platforms of Google, Facebook and Amazon.”
But he notes: “The unintended consequence was to limit the expansion of small and medium sized alternatives, because they were overburdened by bureaucracy and by cost.”
UK laws mirror the EU rules under the 2018 Data Protection Act, as confirmed under an “adequacy” agreement signed in June.
Oliver Dowden, the culture secretary, has laid out plans to strike a series of post-Brexit data deals with other nations while implementing a new “light touch” framework in place of GDPR to ease red tape around using data by small businesses and in fields such as science and healthcare.
Some Conservatives, such as Sir Iain Duncan Smith, have pushed for broad reforms and called for “fewer obligations and lower compliance burdens”. A report by MPs published in June found that some small businesses were spending 80 hours on data protection alone.
Another strand is to reform rules, partly governed under laws known as the Privacy and Electronic Communications Regulations, to cut down on the need for cookie pop-ups.
While plenty support the notion that the EU’s GDPR rules are imperfect, actually fixing them has provoked sharp division.
Privacy advocates fear that Dowden’s “data dividend” is little more than an effort to allow tech companies and the state to slurp up more private information, starting with the NHS, while securing a trade deal with the US.
“Everyone should be concerned with the plans of relaxing data protection rules,” says Lukasz Olejnik, an independent privacy consultant. “It would be disappointing if the changes make the UK a data exploitation hotbed.”
Businesses may not be pleased about having to wade through another change to data rules. Neil Brown of law firm Decoded.Legal says: “Companies that have been through a GDPR compliance programme, still relatively recently, probably aren’t going to love the idea of having another one.”
However, the Government argues some of the changes it wants to make are simply to align data rules with “common sense”. Dowden gave an example of the Church of England warning about sending parish newsletters with local advertising because they risked being classed as needing prior consent.
He told The Telegraph: “We should not expect exactly the same from a small family run business as we do from a massive social media company.”
Advertising executives are understandably sympathetic to the approach of separating everyday data gathering from the legal responsibilities of tech giants.
Myles Younger at creative agency Media.Monks says: “It simply doesn’t make practical sense to worry whether, say, local churches are adhering to an enterprise-grade standard of data management.”
The challenge in making any changes to GDPR run smoothly will be ensuring “adequacy” with the EU’s regime – that any changes do not diverge so far that they make the two sets of laws incompatible.
But at the same time, the UK wants to seek agreements with other countries with more open rules on data, such as the US. The Government estimates there are £67bn worth of data-enabled exports from the UK to the US that could be better oiled with reforms to privacy rules.
Yet the EU and US have been at loggerheads over data protections. Last year, EU courts struck out a “privacy shield” deal between the bloc and the White House, which let data be freely transferred, as a breach of EU citizens’ rights.
Reforms to cut down on cookie pop-ups may be more popular. Dowden says he wants to stop countless alerts about cookies – trackers that are added to browsers or phones to store log-in details or track a purchase – and limit permission requests to “high risk” situations. It is understood “low risk” cookies could include analytics monitors that do not harvest sensitive personal data.
Big Tech firms are already doing some of this work. Google is implementing an end to third-party cookies in its Chrome browser from 2023.
Sir Martin says the model of third-party cookies is already increasingly outdated: “We’ve crossed that bridge. That’s not a pleasant environment for ad holding companies selling third party data. First party, consented data is the way forward.”
Ad-tech companies are already accepting that cookie pop-ups are on borrowed time.
One thing that GDPR has led to is bigger fines for technology giants. Amazon was hit with a £636m fine by Luxembourg’s regulator in August. The biggest fine from the UK Information Commissioner’s Office was a mere £20m for British Airways over a 2018 data breach.
Britain is unlikely to slow down here. It has appointed John Edwards to take over as head of the ICO. The Facebook hawk has labelled Mark Zuckerberg’s social network as led by “morally bankrupt pathological liars” – a sentiment shared by some in government.
But if the UK and Europe both expect to be tough on tech giants, they are drifting apart in many other respects. Post-Brexit Britain is looking to the rest of the world when it comes to trade. It would make sense for its data regulations to do the same.