Professional Comment

Will the UK Depart from EU GDPR Regulation?

John Goss is a barrister practicing at 5 Essex Court chambers in London. He specialises in Data Protection & Information Law, Personal Injury, Licensing, Public Law and Inquests. He acts for private companies, individuals, and a range of Government departments and public bodies, including on a ‘direct access’ basis.

Three years after the UK’s data protection regime was radically overhauled by the adoption of GDPR, there are rumblings from the Government that further changes might be afoot now that the UK has left the European Union. Although there has been no change on the ground for the hospitality sector, that means we are now operating under what is known as the ‘UK GDPR’, rather than the original EU GDPR. Post-Brexit, the UK GDPR can be amended by Parliament.

The Culture Secretary, Oliver Dowden, has suggested that under the current rules ‘too many businesses and organisations are reluctant to use data – either because they don’t understand the rules or are afraid of inadvertently breaking them.’ He wants the appointment of a new Information Commissioner later this year to lead to a focus not only on privacy, but also the use of personal data for ‘economic and social goals.’ Similarly, in a recent article the Minister for Media and Data, John Whittingdale, has suggested that the UK ‘will champion the international flow of data, seeking to enable secure, trusted and interoperable exchange across borders, while continuing to protect data to high standards.’

What might these straws in the wind point towards? The most likely possibility is changes to the requirements set by the UK GDPR around international data transfers. That might well assist multi-national hotel or restaurant chains, who would be able to transfer customer or employee data outside the UK more easily. Less strikingly, the UK could simply make data adequacy decisions about more countries, without changes to UK GDPR. Mr Whittingdale’s article specifically raised the possibility of the UK granting data adequacy decisions to international partners beyond the EU. The big prize would be a UK-based adequacy decision for the USA.

A perhaps less likely possibility is that the UK GDPR could also be amended to reduce the levels of fines from the punitive levels possible under the EU GDPR, in an effort to reduce the fear factor associated with mishandling personal data, or to provide a wider range of justifications for processing personal data. But so far that does not seem to be on the agenda. The substantial fines of the sort imposed recently on Marriott International for mishandling of customer data seem likely to be here to stay.

Short of changing the statutory framework, another possibility is simply Government encouragement to the Information Commissioner’s Office to redirect its efforts away from enforcement and compliance, and more towards enabling innovative uses of personal data. One way the ICO is doing that at present is via its current ‘regulatory sandbox’. Several projects in the sandbox relate to age verification, an area which is likely to be of interest to the hospitality sector as it develops. Most pub chains, for example, now have apps for remote ordering, which might be further developed to include age verification. We might also see policy or guidance around the use of customer data for more sophisticated analytical purposes or permitting more finely targeted advertising.

But of course, there are likely to be limits on how far any changes can go. At present, the UK is waiting for a final decision on data adequacy from the European Commission. Even once an adequacy decision is obtained, it could be challenged in the European Court of Justice: the Commission’s decision to grant partial adequacy to the USA has been struck down there twice. So too much divergence from the standards set by the EU GDPR is likely to put data flows to and from the EU at risk. For that reason, express or sweeping changes to the current statutory framework seem unlikely. And the Information Commissioner is an independent regulator, who may well not bow to pressure from the Government.

As always in the world of data protection, change is clearly coming, but it is not always clear what form that will take or what its consequences will be. For the hospitality industry, the best advice on data protection – as in other areas – remains ensuring that the basics are being done right, that clear policies and training are in place, and that you know which specialists to turn to should issues arise.