In December 2020, the British government presented its national data strategy, outlining its ambition to unlock data value and promote responsible growth by reducing the administrative burden on technology innovators and digital entrepreneurs.
The strategy prompted concerns in Brussels that the new U.K. data policy might strive away from the EU General Data Protection Regulation. In early 2020, Prime Minister Boris Johnson announced that the U.K. would establish its own "sovereign" rules in the field.
In July 2021, the European Commission adopted its data adequacy decision, certifying that the U.K.'s legal framework offered sufficient safeguards compared to EU privacy standards. That was largely expected since the data protection rules had not yet changed after Brexit.
However, seeing London's manifest intention to make significant changes to its legal regime, the EU executive made the adequacy decision automatically expire after four years, with the renewal dependent on the U.K. maintaining comparable privacy standards, caveats included following concerns voiced by the European Data Protection Broad and the European Parliament.
Legislative trend
Increasing the attractiveness of the U.K. for tech and innovation was one of the talking points for the part of the conservative party campaigning for Brexit. This ambition took shape with the national data strategy, a plan to refocus national legislation on data as an opportunity and driver for economic growth.
The strategy was followed by a post-Brexit global data plan, which set out the intention to establish global data partnerships with key international partners, the nomination of John Edwards as Information Commissioner and a consultation on the new data regime. The plan stated the bold ambition to make the U.K. a "science and technology superpower."
"The overarching strategy is one of economic growth and innovation, to become a leader in new technologies. The strategy is quite clear whether all the various parts of that kind of tie in together is the question," PrivacySolved CEO and Practice Director Wayne Cleghorn, CIPP/E, CIPP/US, CIPT, FIP, said.
Several initiatives have followed since then. A public consultation closed in November on how to amend the U.K. General Data Protection Regulation and the Privacy and Electronic Communications, the country's transposition of the ePrivacy Directive. Plus, the new data transfer regime went live last month.
Other proposals might indirectly impact the pending data protection regime, including the proposed Human Rights Bill, for which the consultation closed in March; pending legislation on algorithm transparency and the AI strategy; and the Online Safety Bill, a rather controversial proposal to regulate online content moderation.
International data transfers
The post-Brexit international data transfer framework went live on March 21. In the future, the U.K. Department for Digital, Culture, Media & Sport will be in charge of issuing "adequacy regulations," the equivalent of the EU's adequacy decisions. The EU member states plus Norway, Iceland and Lichtenstein have been automatically recognized as adequate as the GDPR covers them.
At the same time, London made no secret of its ambition to establish other transborder data flow partnerships, indicating Australia, Colombia, the Dubai International Financial Centre, South Korea, Singapore, and the United States would be on top of their priorities. The U.K. also aims to reach a partnership with Brazil, India, Indonesia and Kenya in the long run.
These priority lists raised concerns in Brussels, as countries like Australia, Singapore and the U.S. are still far from privacy standards comparable to the level of the GDPR. Therefore, the fear was that the U.K. might become a loophole for transferring the personal data of EU data subjects to jurisdictions that were not adequate safeguards are in place.
"The EU has an adequacy agreement with Japan, whereby there are restrictions on further transfers of personal data originally from the EU, ending up in Japan. The UK could conceivably arrange something like that with the EU to protect its own data adequacy decision," Robert Bateman, head of content at GRC World Forums, said.
New data law
Last September, the Department of Digital, Culture, Media and Sport opened a public consultation called "Data: a new direction." So far, more than 3,000 responses have been received. The upcoming data law is expected to feature in the Queen's Speech parliamentary session on May 10.
"There is a recognition that UK GDPR and its implementation has not quite achieved these goals. The UK government wants to be more agile and make some legislative interventions to evolve the UK GPDR regime to make it more fit for the 21st century and digital/data economy," Hunton Andrews Kurth's Centre for Information Policy Leadership President Bojana Bellamy, CIPP/E, said.
The overall approach is outcome-driven and seeks to clarify certain legislative concepts, resolve tensions between the data protection rules and technologies like artificial intelligence, and reduce the administrative burden for companies.
A spokesperson from the trade association techUK stressed that businesses welcomed the initiative. The clarification of the legal basis for processing and reusing personal data for research purposes and the introduction of an exhaustive list of legitimate interests that would not require a balancing test are deemed particularly beneficial.
Accountability and transparency
At the same time, techUK has warned against some proposed changes to the data protection regime, stressing that they go too far and might threaten public trust in the system and jeopardize the EU's data adequacy decision.
Points of controversy relate to provisions involving automated decision-making based on profiling, the introduction of fees for subject access requests, the requirements for specific organizations to appoint a Data Protection Officer and keep a record of processing activities, and the mandate of the Information Commissioner's Office.
"It's a potential incursion into transparency and accountability. If you take away the Data Protection Officers, you take away the DPIA, you take away the RoPA, you have no way to assess risks. You have no way of knowing where data is coming from and where data is going as you can't even judge on a properly standardized basis," PrivacySolved's Cleghorn said.
By contrast, for CIPL's Bellamy, these concerns are unfounded because what London is proposing is not removing the DPO role or the impact assessment but making the requirements less prescriptive to allow for more flexibility while still ensuring accountability.
Still, a primary concern remains the role of the ICO, as the floated reform has been generally seen as a way to bring the data protection authority under stricter control of the government. The need to ensure the authority's independence is also emphasized in the ICO's response to the public consultation.
"I am confident that ministers and officials are fully aware of the concerns and we are working constructively with them, I think, to try and ensure that the policy objectives are met in ways which don't imperil adequacy or undermine the independence of the office," the recently appointed ICO John Edwards told Politico last month.
Political context
For Cleghorn, these sweeping proposals might be part of a negotiation strategy, starting with an excessive bid and then settling down with a more moderate policy.
However, some argue that the impetus to change the U.K.'s tech policy might have lost momentum. The main reason is that the political driver for such reforms was the former digital secretary Oliver Dowden, who left that office in September 2021 amid a cabinet reshuffle.
Without strong political backing, the bill might lose impetus as the government is distracted by the war in Ukraine and the so-called “Partygate,” the scandal that saw Prime Minister Boris Johnson and Chancellor Rishi Sunak getting fined for attending parties during the COVID lockdowns.
UK-EU divergence
The EU's data adequacy decision will come under review in three years. In the meantime, if London implements significant changes to its privacy rules, it could be challenged in court along the same lines as the "Schrems" rulings.
"The harder and the faster the UK goes before the renewal of this adequacy agreement, the more red flags and risks. If the UK paces itself, there could be a slow divergence, which is more manageable and more transparent. Speed and impact will dictate how the EU responds," Cleghorn added.
Think tank New Economics Foundation estimated the loss of the data adequacy might result in a total cost for U.K. companies of up to 1.6 billion pounds, primarily due to the administrative and legal expenses related to alternative transfer mechanisms such as standard contractual clauses.
The loss of adequacy status with the EU might also make the country less attractive to tech entrepreneurs. According to a study by the House of Commons, 43% of large EU tech companies are started in the U.K., and 75% of the U.K.'s cross-border data traffic is with EU countries.
"The EU adequacy decision does not require identical rules in a third country, but rather the basically similar outcomes. We have to keep our focus on the outcomes and ask the question — do the rules in both countries create the same outcomes for people and protection of their data and their rights. That is the right way to think about the adequacy," Bellamy said.
Photo by Marisa Cornelsen on Unsplash