Government proposals to liberalise the UK’s data protection regime in support of increased innovation, research and economic growth, alongside an expansion of the remit held by the Information Commissioner’s Office (ICO) to support these goals, have prompted discussion among data privacy and infosec experts, with some concerned that Boris Johnson’s government means to gut the General Data Protection Regulation (GDPR) and open the door to an unstoppable grab of personal and private data.
Westminster stated its intention to make changes to data regulation in a major announcement on 26 August 2021, in which it also detailed an enhanced role for the new information commissioner and plans to pursue data adequacy agreements with a number of countries that the government is targeting as a focus of British trade, now that it has successfully cut the UK off from its European partners.
Digital secretary Oliver Dowden talked up the still nebulous changes, describing them in interviews with national media as a means to put an end to some of the consent mechanisms that have been core to how the GDPR works, such as pop-up cookie consent tick-boxes, an issue that will play well to the average voter.
But data privacy experts are already warning that the government is setting itself up for trouble in more ways than one. Some argue that the government’s ambition to create more freedoms for how organisations can make use of data, while still retaining citizens’ ability to control their data and make decisions about it, is not going to be an easy ask.
Mishcon de Reya data protection partner Adam Rose was one who raised this as an issue, saying: “Squaring the circle of giving citizens and consumers more control over how their data is used, while also giving business and government greater freedoms to use that data, will be the big challenge.”
Chris Waynforth, Imperva’s area vice-president for Northern Europe, also expressed concern. “The GDPR was introduced to safeguard citizen rights and privacy, helping to protect data, and while there are certainly always improvements that can be made, the government will need to be careful that these hard-won rights are not diluted when making changes,” he said.
“It’s already becoming harder and harder to guarantee data security. According to Imperva Research Labs, the number of data breaches is growing by 30% annually, and the number of records compromised is increasing by exponentially more. At the same time, 15% of breaches still happen because sensitive data is left publicly available. Unless changes take account of these risks, and organisations take action to protect increasingly vulnerable data, we could still find that the damage to privacy and security outweighs the benefits.”
Moreover, with the UK having only recently achieved a data adequacy agreement with its former European Union (EU) partners at the end of June, any proposed changes to how the UK regulates data will raise eyebrows in Brussels, given the UK’s multiple attempts to unilaterally change parts of the Brexit deal that it negotiated and signed.
And you can rest assured that the EU will be watching the consultation like a hawk, with a huddle of lawyers ready to spring into action if needed.
During negotiations with the UK, members of the European Parliament (MEPs) pressurised the European Commission (EC) to take an even tougher line on exemptions in UK data protection regulation in some areas, such as national security and immigration. When the data adequacy agreement was signed, the EC’s vice-president for values and transparency, Věra Jourová, said: “We are talking about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards, and if anything changes on the UK side, we will intervene.”
Mishcon de Reya’s Rose said: “Coming just a couple of months after the EC granted the UK an adequacy decision in relation to its post-Brexit data protection regime – on the basis that the UK law was essentially equivalent to the EU GDPR regime – today’s announcements put the UK on a collision path with the EU, but also more widely with civil society organisations, with the likelihood of serious domestic data litigation in the future.”
Greg Palmer, a counsel at Linklaters’ TMT/IP practice, said: “In exploring its newfound regulatory independence, the UK government will be mindful of the tension between the adequacy deals it reaches and its own adequacy status with the EU. If it goes too far in permitting data to flow too widely or too freely, it risks its EU adequacy status being revisited.”
JMW Solicitors’ David Smith added: “Any movement away from the GDPR is likely to have a negative impact on any business that seeks to trade with consumers outside the UK. If they are looking to trade with consumers in the EU, then they will need to comply with the EU GDPR anyway as a condition of trading with them.
“If they are trading with consumers in California, China or the ever-increasing number of other countries that have implemented data protection regimes similar to the GDPR, then they will need to comply with those. In practice, this means that most businesses will continue to comply with the GDPR, or something very like it, even if the government were to relax the UK regime as a consequence of a desire to trade outside the UK, something the government is keen that business should do.
“Certainly, the government should look closely at the guidance that supports the GDPR to ensure that it offers practical options for business and it could certainly work towards adequacy decisions with different countries, something the EU has not been terribly good at. However, undermining the core principles of the GDPR is likely to be more of a publicity stunt than a practical business-focused measure.”
Reasons to be cheerful?
However, Linklaters’ Palmer said there were clear signs that many – those who see the current restrictions on data export as “overly burdensome and a barrier to trade” – would be happy about the proposals, and there may be other reasons to be cheerful.
“This is also an important opportunity for the UK to show that it can continue to protect data while creating a business-friendly environment, particularly for SMEs,” he said.
Palmer said the addition of former New Zealand data protection regulator John Edwards to the mix – Edwards is the preferred candidate to succeed the outgoing Elizabeth Denham as the new UK information commissioner – might be a good move on the government’s part.
“He [Edwards] has been at the helm of New Zealand’s data protection regulator for over seven years,” he said. “That will have required him to keep a close watch on New Zealand’s own adequacy status with the EU and how the EU views two different laws as providing essentially equivalent data protection.”
Eduardo Ustaran, who co-heads the global privacy and cyber security practice at Hogan Lovells, was also optimistic. He said the plans demonstrated that there could be room for diversion from EU data protection law while still retaining GDPR as an effective regulatory framework.
“What this means in practice is that the way in which international data flows are approached is not identical to the way the same data flows are treated in the EU, but this doesn’t necessarily mean that the protection is going away,” he said. “It does not mean doing away with the GDPR framework, but adapting it to make it as progressive and effective as possible.
“For example, the notice and consent model is not suited to regulating cookies and other sophisticated technological ways to gather data about our electronic interactions. The UK knows that and the EU knows that.”
Ustaran added: “It seems that the UK is taking the lead in finding an alternative, more effective way to protect online privacy while allowing us to use the internet without so much friction. That is not an easy task and will require a regulatory policy that is technology-friendly but robust in enforcing data protection by design and by default.”
A consultation on the proposals will begin later in 2021.