At this stage, all of this remains vague enough to be fairly innocuous. What businesses, citizens, and the UK's international trading partners are still waiting for is a more concrete articulation of the Government's intentions. In particular, which GDPR-mandated "box-ticking" requirements might be removed, and how much of the protection currently afforded to data subjects is the government prepared to sacrifice in pursuit of a more business and innovation-friendly agenda?

Much of the ongoing uncertainty can be attributed to the breadth of the initial Consultation. It contains over 150 specific questions on issues spanning some of the most significant aspects of the data protection regime, including purpose limitation rules, profiling and automated decision-making (ADM), scope of data subject rights, cookie requirements, international data transfers, and reform of the ICO.

It is uncontroversial that several of these aspects currently present practical difficulties for businesses, and could potentially be recalibrated to ease the compliance burden without substantial detriment to individuals. However, if data protection impact assessments, legitimate interest balancing tests, requirements to appoint DPOs, data breach reporting and maintenance of records of processing activities (ROPAs) are all on the chopping block, it is questionable whether organisations would make sufficient voluntary use of such tools to avoid material reduction in standards. While large, multinational organisations may continue using these tools in order to adopt a uniform approach across all jurisdictions in which they operate, smaller organisations with a UK focus may welcome the freedom to bypass these obligations in favour of a more flexible approach to risk assessment.

This represents a very difficult balance to strike, particularly as the levers that the Government chooses to pull (and how hard) are being closely scrutinised by the European Commission. The UK's data protection regime is currently deemed to offer "essentially equivalent" protection for data subjects as the EU GDPR and, as a result, personal data can currently flow freely between them without additional safeguards. However, when the adequacy decision was issued by the European Commission in 2021 it included a sunset clause, meaning the decision would automatically expire in 2025. This provision was included (for the first time in an adequacy decision) for the specific purpose of guarding against future divergence by the UK.

Therefore, in seeking to ease the administrative burdens of compliance for businesses there is also a risk of sailing too close to the wind; should the UK's position change sufficiently for it to lose its adequacy status, this will create a significant and expensive compliance problem for businesses that routinely transfer personal data across borders.

Some of the proposals in the Consultation have already come under fire from civil society and consumer groups, including plans to liberalise legitimate interests as a lawful basis for processing, facilitate more widespread use of AI and ADM, and introduce new conditions for the exercise of data subjects rights. However, the potential reform of the ICO could have an equally significant bearing on the future for UK adequacy.  As we have seen from the developments on international data transfers in recent years, one of the major concerns of the EU's institutions is the level of access to personal data by government agencies. While the increasing prevalence of private sector surveillance is grabbing the lion's share of the headlines, safeguarding data subjects against abuses of data rights by governments remains of paramount importance.

The Consultation includes a number of proposals which would render the UK's ICO less independent from government. These include making the ICO's Guidance and Codes of Conduct subject to approval by the Secretary of State, and giving the government the right to appoint the ICO's Chief Executive. These proposals create the possibility of external interference in the operations of the ICO and could significantly impact its ability scrutinise governmental and public sector use (or abuse) of personal data.

Much is also likely to depend on how the proposals develop for a potential UK Bill of Rights to replace the Human Rights Act. The Ministry of Justice is currently reviewing responses to a consultation on this issue, which closed last month. The EU has previously emphasised the importance of the UK continuing to fulfil its international obligations under the European Convention on Human Rights, and is one of the pillars on which its adequacy decision depends. The ICO also highlighted this point in its public response to the consultation.

Few would suggest that the GDPR is perfect and, like any new law that attempts such a major program of reform, it has some vocal detractors. There are many voices calling for the GDPR itself to be reformed in some of the ways being proposed by the Consultation, and arguing that strict compliance with a number of low-impact requirements places disproportionate demands on companies engaged in benign data processing activities. There certainly seems to be a growing consensus that data laws and regulators should train their sights on the small number of operators who do more to undermine data protection than everyone else combined. 

The UK government is also not alone in highlighting that many regimes that currently benefit from adequacy decisions from the European Commission are not based on the prescriptive GDPR model, and instead favour the more risk-based "Privacy Management Program" approach that the Consultation envisages. Although a great many of the data protection and privacy laws that have emerged since 2018 have borrowed heavily from the GDPR model, the adequacy decisions in favour of New Zealand, Canada and Argentina are proof that there is plenty of room for manoeuvre within the concept of "essentially equivalent protection".