UK data protection laws in limbo as Brexit forces regulation rethink
The UK has left the EU, and since 28 June it has had the long-desired adequacy decision that recognises the equivalency of its data protection laws and so allows it to continue trading seamlessly with the EU bloc of countries.
Now, however, emboldened perhaps by its new-found freedom, and determined to advance the interests of its domestic digital economy, it published a 146-page consultation paper called Data: A new direction. Among the many suggested reforms in this busy paper are removing the need for DPIAs, revoking the requirement to appoint data protection officers, and dispensing with the obligation to maintain records of processing, replacing them instead with a risk-based privacy management programme. In addition, proposals suggest removing the ‘human-in-the-loop’ protection for AI processing, bringing back fees for data subject access requests and loosening the requirement to report data breaches to the regulator. It’s a fundamental re-imagining of data protection regulation in the UK, and one whose ambitiousness and stridency will not go unnoticed in EU circles.
The proposals represent a significant weakening of data subject rights and place a notable emphasis on facilitating the growth of the technology industry, which raises the question: how can the UK press on with such an agenda and, simultaneously, retain its EU adequacy decision? Critics will condemn the move as a monumental case of having your cake and eating it: you can’t dismantle the EU standard and keep Brussels happy, can you?
Well, Rishi Sunak, the UK Chancellor of the Exchequer, thinks you can. Speaking to tech leaders at a conference in east London on 15 September, he proclaimed: “You don’t need GDPR to have data adequacy.” Continuing, in a not-so-subtle aside to Brussels, he noted that many other ‘sensible countries’ such as Japan and Canada hold EU adequacy despite having their own distinctive data protection laws.
Speaking during the summer, Oliver Dowden, the UK’s former Secretary of State for Digital, Culture, Media & Sport, was far blunter in sizing up the EU standard and the new dawn that could be breaking for the UK. He argued: “Reform of data protection rules is one of the big prizes of leaving the EU. There’s an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people’s privacy but in ‘as light a touch way’ [sic] as possible.”
Although couched in the language of data protection reform, many will feel that the underlying political-economic context is not so difficult to grasp. The UK, now freed from the perceived constraints of the EU, wants to set its stall out to the business world as a light-touch-regulation outpost on the edge of the EU – a honey pot, if you will, to attract valuable tech business away from the EU with the alluring promise of a more innovation-friendly environment.
The reality, however, is that the UK is most likely playing with fire and faces the very real possibility of losing its EU adequacy decision, something which will mean a lot more to the UK economy in the longer term than any mooted new trade deals. What is more, and what may perhaps be the most decisive factor in the future of its data protection laws, even domestic UK companies, faced with a diluted UK regime and the more robust EU framework, are likely to prefer to hold on to GDPR practices, knowing that doing so will prove much more beneficial in a world that is increasingly viewing the GDPR as the gold standard of data protection.
Jared Browne will be delivering a webinar on this topic to ICS members on Wednesday 10 November at 12pm.