UK Looks to Revamp Data Privacy Policies Post-BrexitGovernment Wants to Spur Growth, But Experts Warn of Potential Risks
The U.K. is preparing to revamp the country's data protection and privacy laws as a way to spur economic growth and innovation in its post-Brexit economy, according to the Department for Digital, Culture, Media and Sport.
These plans include new "data adequacy partnerships" that will allow the U.K. to form new deals with countries such as the U.S., Australia, the Republic of Korea, Singapore, the Dubai International Finance Center, Colombia, India, Brazil, Kenya and Indonesia, according to the department.
These partnerships will allow the U.K. to remove the "costly compliance measures to share personal data internationally," the department's statement notes. At the same time, the British government believes that it can ensure high levels of protection standards to keep data both safe and private.
The move by the U.K. to rely more on its data protection and privacy laws comes as the country moves into its post-Brexit economy and becomes less reliant on the EU and laws such as the General Data Protection Regulation, which has set legal standards for privacy and data protection in the U.K. since May 2018 (see: UK's Brexit Transition Period: Keep Complying With GDPR).
"Now that we have left the EU, I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the U.K.," says Oliver Dowden, the secretary of state for the Department of Digital, Culture Media and Sport.
Besides these new partnerships, the U.K. government also has 42 existing adequacy arrangements in place including with New Zealand, Japan and Canada as well as the 30member states of the EEA and a further three are with jurisdictions that form part of the UK: Jersey, Guernsey and the Isle of Man.
In a note detailing its approach to international data transfers, the U.K. government says it will take into account another country's data protection laws, implementation, enforcement and supervision to determine its adequacy.
"The test for adequacy provided for in the U.K. General Data Protection Regulation or GDPR is that when personal data is transferred internationally, the level of protection under the U.K. GDPR is not undermined," the government notes.
Earlier this month, the country's Information Commissioner’s Office gave its approval for the first U.K. GDPR certification scheme criteria. This includes the Asset Disposal and Information Security Alliance ICT Asset Recovery Certification, which ensures that personal data is being handled appropriately when IT equipment is reused or destroyed.
The reformed data laws must be "based on common sense, not box-ticking," Dowden says.
Dowden also told U.K. newspaper The Telegraph that the government plans to eliminate "endless" cookie pop-ups that ask for permission to store a user's personal information.
David Smith, partner at the JMW Solicitors law firm in Manchester, says that Dowden's suggestion that the GDPR relies on box-ticking is inaccurate.
"It expects organizations to have appropriate policies in place to manage personal data. This does not seem to be box-ticking but a requirement on organizations to think about how they manage data and put appropriate procedures in place," Smith says.
The example given by the government on cookie assent on websites has nothing to do with the GDPR at all and relates to a different, albeit connected, piece of legislation called the Privacy and Electronic Communications Regulations, Smith adds.
Eduardo Ustaran, co-head of global privacy and cybersecurity practice at Hogan Lovells, says that the U.K. believes that there is no room for diversion from EU data protection laws while retaining the GDPR as a framework.
"The way international data flows are approached is not identical to the way the same data flows are treated in the E.U. But this doesn't necessarily mean that the protection is going away. It does not mean doing away with the GDPR framework but adapting it to make it as progressive and effective as possible," Ustaran says.
The prospect of reforms to U.K’s data protection framework raises the question of how the EU views data protection standards in the U.K., data protection law expert Claire Edwards says.
"That view has major implications for U.K. trade across the European Economic Area, as the EU only recently adopted an adequacy decision in respect of the U.K. to facilitate cross-border data flows. With a significant element of data flows from the U.K. still within the European Economic Area, the government need to have one eye on ensuring that the free flow of data is not jeopardized with the reforms planned,” Edwards says.
Any movement away from the GDPR, however, is likely to harm any business that seeks to trade with consumers outside the U.K., Smith says.
"If they are looking to trade with consumers in the EU, then they will need to comply with the EU GDPR anyway. If they are trading with consumers in California, China or the ever-increasing number of other countries that have implemented data protection regimes similar to the GDPR, then they will need to comply with those," Smith says.
In practice, most businesses will continue to comply with the GDPR or a similar privacy legal framework, even if the U.K. was to relax some of its privacy protections, Smith notes.
Undermining the core principles of the GDPR is likely to be more of a publicity stunt than a practical, business-focused measure, Smith says.
The U.K. government says it looks to hold consultations on the future of the country's data regime to make it "pro-growth and innovation-friendly, while still being underpinned by secure and trustworthy privacy standards."
In the coming weeks, the government will launch a consultation on changes needed to "break down barriers to innovation and [identify] responsible uses of data so it can boost growth."
The consultation is expected to include discussion of how the Information Commissioner's Office can be empowered to encourage the responsible use of data to achieve economic and social goals as well as to prevent privacy breaches before they occur.
The announcement comes alongside calls for experts to form a council to inform and consult on U.K.’s international data transfers policy.