Experts React to the UK's Planned Divergence from GDPR

Following the successful completion of the post-Brexit trade agreement at the end of last year, there has been much commentary and debate surrounding the extent to which the UK will diverge from EU rules and procedures in the future.

One area of this discussion concerns privacy and data protection rules, namely the ground-breaking General Data Protection Regulation (GDPR) legislation that took effect in 2018 across the EU. This law has had a significant impact on the way organizations handle and process data and has influenced the development of similar rules throughout the globe. It has also had its share of controversies, including deeming the EU-US Privacy Shield unlawful in the ‘Schrems II’ case last year, making the transfer of personal data between the two regions far more complex.

This year, to much relief, the EU granted the UK ‘adequacy’ status, enabling the seamless flow of data to continue between these jurisdictions. This week, with this decision in tow, the UK government announced its post-Brexit global data plans, which aim to “boost growth, trade and improve its public services.” It also strongly suggested that a significant divergence with the EU’s GDPR is imminent.

The plans include striking new data adequacy partnerships with the US, Australia, Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia, prioritizing future agreements with India, Brazil, Kenya and Indonesia. In a press release, the Department for Digital, Culture, Media and Sport (DCMS) stated: “These new data adequacy partnerships, which will be subject to assessments that ensure high data protection standards, will build significantly on the £80bn of data-enabled service exports to these 10 destinations from the UK every year.”

It added: “Estimates suggest there is as much as £11bn worth of trade that goes unrealized around the world due to barriers associated with data transfers.”  

Digital Secretary Oliver Dowden made it clear that he views the current GDPR legislation, which was incorporated into UK law post-Brexit, as a significant barrier to these plans and as requiring reform. He said: “Now that we have left the EU, I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK.

“That means seeking exciting new international data partnerships with some of the world’s fastest-growing economies for the benefit of British firms and British customers alike.

“It means reforming our own data laws so that they’re based on common sense, not box-ticking. And it means having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation.”

The government also named its preferred candidate to be the UK’s next Information Commissioner, John Edwards, who currently serves as New Zealand’s privacy commissioner. Once in the role, Edwards will undoubtedly play a big role in this shake-up of global data plans.

In the immediate aftermath of this announcement, Infosecurity looked at the views of several data privacy experts on the possible implications for the UK of moving away from GDPR.

Trevor J. Morgan, product manager of comforte AG, said the plans should not come as a surprise, as the UK is looking to leverage the freedoms that arise from Brexit into economic advantage. “The announcement that changes to data protection and privacy laws in the UK is not unexpected. In a post-Brexit world, rethinking data adequacy agreements and adapting existing privacy laws to reflect the current political environment makes sense,” he outlined.

Although we await further details on how the UK will adapt its current data regime, Bojana Bellamy, president of the Centre for Information Policy Leadership (CIPL), broadly welcomed the sentiment outlined by the UK government. “The UK’s ambitious international data flows and adequacy plans are the right thing to do. The government recognizes the importance of data flows for the economy, people and society at large and wants to enable trusted and responsible data flows,” she said. “Just because the UK government may be more agile, flexible, risk-based and outcomes-driven in how they determine adequacy does not mean this will result in a lower level of protection for people and their data. In fact, likely the opposite is the case. Looking at a whole picture of how privacy protections work in practice in third countries may be better for individuals than a theoretical line-by-line comparison of legal texts. We should not be judgemental of countries doing things their own way as long as they achieve the same outcomes.”

Impact on Businesses

So how may these changes affect the day-to-day activities of businesses?

In the view of Bellamy, the UK’s plans to allow more seamless data transfer between different jurisdictions across the globe will be beneficial to businesses, particularly in light of some of the blockages caused by GDPR in this respect. She commented: “Businesses in all sectors will welcome a more seamless regime for data transfers and adequacy decisions in respect of more countries. Data privacy officers are spending too much time and precious resources on dealing with legalities of data flows from the EU, especially in the aftermath of Schrems judgment, instead of doing more pressing work on privacy by design, risk impact assessments and building long-term privacy culture and programs for the new digital economy. I hope the UK example will inspire the EU and other countries to follow suit.”

However, Morgan cautioned that divergence could have economic consequences for companies, at least in the short term. “For businesses, if Mr Edwards initiates significant changes away from the current GDPR-influenced guidelines, then they will have to invest time and money to come up to speed very quickly in order to remain in compliance with any new UK data privacy rules,” he said.

Others believe such a move could make data transfers between countries more difficult. With GDPR the key influence for the growth in data protection legislation in major economies such as the US and Brazil, any move away from its provisions could make it much harder to set up adequacy agreements.

“Any movement away from the GDPR is likely to have a negative impact on any business that seeks to trade with consumers outside the UK,” said David Smith, partner at JMW Solicitors. “If they are looking to trade with consumers in the EU, then they will need to comply with the EU GDPR anyway as a condition of trading with them. If they are trading with consumers in California, China or the ever-increasing number of other countries that have implemented data protection regimes similar to the GDPR, then they will need to comply with those. In practice, this means that most businesses will continue to comply with the GDPR or something very like it even if the government were to relax the UK regime as a consequence of a desire to trade outside the UK, something the government is keen that business should do.”

Impact on Individual Privacy

The government’s announcement has also raised questions about how individual privacy rights will be affected by changes to UK GDPR. After all, how personal data is handled is a central tenet of GDPR, and a big factor in why it was initially enacted. Morgan stated: “Is this good for the consumer? Again, only time will tell, and it depends greatly on how these things are defined and implemented. However, we all hope that any changes continue to underscore the fundamental right of all people to have a say in how their personal, sensitive data is collected, used and stored.”

Smith also conveyed concerns about some of the government’s comments about GDPR, particularly their attitude to individual privacy. “The suggestion that the GDPR relies on box-ticking does not seem entirely accurate. It expects organizations to have appropriate policies in place to manage personal data. This does not seem to be box-ticking but a requirement on organizations to think about how they manage data and put appropriate procedures in place,” he commented.

Conclusion

The impact of the UK’s planned divergence from GDPR rules is difficult to ascertain until the plans have been formally set out. Nevertheless, it is clear that change is in the air. As Morgan noted: “The fact that John Edwards has been named as the next head of data protection in the UK indicates that changes in data privacy rules will be quickly forthcoming.” It is clear there is both opportunity and danger in this approach, and all eyes will be on further announcements in this area in the coming months and years.
