Will GDPR replacement hit your creative industries projects?
One of the few big government policy decisions affecting freelancers so far not to be U-turned by chancellor Jeremy Hunt is the replacement of the General Data Protection Regulation (UK), writes Maude Lindfelt of commercial law firm Gerrish Legal.
The GDPR being replaced: why, and what the government has said
But how did we get here? Well, on October 3rd, cultural and digital secretary Michelle Donelan revealed the government's aim of steering away from the UK GDPR to create a new “British data protection system” which will be "simpler and clearer" for companies to manage.
And, she said, the new system will "reduce unnecessary regulation and stifling elements for businesses, while taking the best elements from other countries around the world to form a bespoke UK data protection system."
Positive-sounding, one of the main goals was said to be to cut bureaucratic "red tape" that disproportionately burdens small businesses. Donelan, who said GDPR UK ties up traders “in knots,” also suggested that simplification would unlock economic growth by increasing business profitability.
GDPR replacement: A befuddling lack of detail for the creative industries
Less positively, details of how the government will actually go about streamlining our current data protection rules remain hazy, leaving UK freelancers and businesses befuddled.
Yet there are sounds of reassurance from the Information Commissioner’s Office (ICO). In fact, the UK’s data protection authority has welcomed the replacement initiative, saying it is “pleased to hear the government’s commitment to protecting people’s privacy, preserving adequacy and simplifying data protection law.”
Social Media, Freedom of Expression, Big Data: it’s all in the mix
In her October 3rd speech to the Tory Party conference, Donelan outlined her ambition to create jobs, generate economic value and prosperity in the creative, cultural and artistic sectors, including media, sports and tourism.
She also expressed the government’s willingness to ensure a greater level of security on social media -- especially for minors, while preserving freedom of expression.
Indeed, big data has recently become a very important commodity in the cultural, creative and artistic fields. Personal data no longer only informs about the consumption of content, it in turn becomes content, which feeds the algorithms of personalised recommendation. Personal data are above all usage statistics, and provide information on consumption habits, but the value of data is also predictive, and they participate fully in the creation of value for cultural works.
What are the risks of replacing the GDPR for cultural and creative freelancers and organisations?
While we await more specific information on this issue, it is safe to assume that the UK’s freelancers in the creative and cultural sectors are coming under more and more compliance obligations, given the importance of personal data in these sectors, particularly for those of the sectors’ individuals (and organisations) operating on social media, streaming, managing VoD platforms, or providing any other platform, application or device to a very large audience -- including minors. The transfer of this data across borders obviously complicates those obligations.
The risk is that the government's plan to impose additional data privacy standards would lead to a more complicated system for corporations. Developing a system that is both commercial and “consumer-friendly” (one of Donelan’s stated aims), is a hard process. Therefore the solution may not be straightforward. Moreover, any significant differences to the existing data framework governing freelancers and their clients are likely to result in more red tape -- and hardly less, since businesses are already required to comply with several data protection regimes. Remember, regardless of what new solution is tabled, the GDPR would still apply to UK traders doing online business in the European Union (as other non-EU companies already do). As a result, UK divergence from the GDPR will ultimately result in double-costs for the UK.
Opting out from the GDPR? We wouldn't recommend it
So our concern is that a new data governance system risks adding more compliance issues, aside from being more costly for the businesses concerned. Therefore, if British businesses and freelancers from the cultural, media, creative or artistic sectors wish to thrive in the technology space, and the digital services sector, where audio-visual projects are a prime example of an area looking likely to be affected by a change in data protection requirements, the government should adhere to the GDPR, rather than attempt to opt-out.
Similarly, replacing the GDPR could undermine the “adequacy decision” that the EU granted the UK following Brexit. To recap, by leaving the EU, the UK became a "third country" under the GDPR, with the consequence that transfers of personal data between the EU and the UK are only allowed, via an adequacy decision, if the level of data protection in the UK is equal to that in the EU. As a result, one of the main concerns for UK businesses will be whether a reform of national data protection legislation -- like that being floated by Donelan -- will jeopardise the country's adequacy status with the EU. If the new regulation deviated so significantly from the existing system that the European Commission could no longer consider the UK a jurisdiction offering an adequate level of protection, this could invalidate the adequacy decision and UK businesses could not acquire or process EU data.
Marketing and Advertising: TBC (To Be Considered) if replacing GDPR
We’d also urge Donelan’s policy team and those tasked with drafting the framework to factor in that in the marketing and advertising industries, data is a major component. Increasingly, it reveals information about the customer, such as who they are, what they enjoy, and what they expect from a brand -- which then enables businesses to promote development and sales by directing and acquiring this data.
Thus, the acquisition and processing of data from the EU will be the most noticeable change affecting creative industries’ agencies and their clients. As many audio-visual and media projects rely on such transfers, this would be extremely challenging for such companies that share data across borders, as it would effectively impose a new hurdle on large companies. As a result, creative firms and their clients may be slowed and limited in their capacity to target specific customers based on personal data obtained outside the UK.
A cautionary tale from the US…
This concern is reminiscent of the situation in the United States, following the decisions of the Court of Justice of the European Union - Schrems and Schrems II cases - which invalidated the Safe Harbor in 2015 and the Privacy Shield in 2020.
Unable to rely on these data protection mechanisms, US companies have had to resort to a variety of methods to conduct cross-border data transfers, including the use of Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs) and other "additional measures" such as encryption or pseudonymisation. The need for US companies in these sectors to have adequate protection for data transfers with the UK and the EEA adds more expenditures and red tape for companies.
Given the time spent on the revision of the UK’s data framework and future elections being set for two years’ time, it seems likely that the adoption of a new UK data privacy system will take a long time to occur -- if at all.
That said, to keep their operations running efficiently and successfully, creative firms, their suppliers and their agencies should now begin planning for the possibility of a GDPR replacement in the UK.
5 steps for creatives to take with GDPR replacement on the table
If you are a freelancer or a company in one of these sectors and want to prepare your business for GDPR UK being replaced, we encourage you to take, or focus on, the following five steps:
- Map your data transfers and ensure that the data transferred is adequate, relevant and limited to what is necessary for the purposes for which it is transferred and processed in the third country.
- Ensure that data is not misappropriated for hidden marketing or advertising purposes.
- Identify the additional measures that need to be adopted to raise the level of protection to that offered by the EU, considering how much of the personal information your customers provide to you at any age (especially on social media) can be targeted for mass scraping and fall into the public domain.
- Keep in mind that your data protection system should not hinder technical and technological innovation and artistic and audio-visual creation.
- In accordance with the accountability process, reassess the level of data protection offered and monitor developments that affect it. Good luck!
25th October 2022