The UK government is planning to strike data adequacy agreements with countries outside of the European Union amid a proposed shakeup of data protection laws geared towards reducing costs and barriers for businesses.
Digital Secretary Oliver Dowden said the government was looking at ways to reform the UK’s data protection regulations post-Brexit so that rules are “based on common sense, not box-ticking”.
This could mean the scrapping of online cookie popups and consent requests. But any divergence from European data laws could threaten the UK’s current data adequacy agreement with the EU.
Countries that have a data adequacy agreement in place recognise that they have equivalent levels of legal protection for personal data. It means organisations do not have to implement additional compliance measures to ensure data can flow between the two countries.
In June, the EU awarded the UK data adequacy status following years of post-Brexit talks between London and Brussels.
That decision was granted because the UK brought the EU’s General Data Protection Regulation (GDPR) into UK law under the Data Protection Act 2018.
However, GlobalData principal thematic analyst Laura Petrone told Verdict that the UK could “water down” its data protection rules when making partnerships with other countries “without compromising the adequacy agreement with the EU”.
That’s because the EU-UK agreement doesn’t cover countries outside of the European Economic Area (EEA), she explained.
This was echoed by Bojana Bellamy, president of privacy think tank the Centre for Information Policy Leadership: “The UK plans do not necessarily mean divergence from GDPR. It is possible to improve the data privacy regime and how it works in practice without lowering the level of protection for individuals.”
In a statement, Dowden said: “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK.
“That means seeking exciting new international data partnerships with some of the world’s fastest-growing economies, for the benefit of British firms and British customers alike.”
UK takes global approach in data law revamp
On Thursday the government said it will prioritise striking data adequacy deals with the US, Australia, the Republic of Korea, Singapore, Colombia and the Dubai International Finance Centre.
It is also exploring partnerships with India, Brazil, Kenya and Indonesia. The UK currently has adequacy arrangements in place with 42 other countries including New Zealand, Japan and Canada.
The government said these data adequacy partnerships would eliminate “costly” compliance measures for organisations sharing personal data overseas.
Businesses transferring personal data to third countries must carry out an assessment as to whether standard contractual clauses – a legal framework for transferring data – provide protection that is “essentially equivalent” to UK data law.
If they are not then it is up to businesses to put additional measures in place to ensure personal data is protected.
The New Economics Foundation estimated that such compliance costs for a large business would have exceeded £160,000 had the EU not granted the UK data adequacy status.
The government cited research estimating data transfer barriers cause up to $11bn worth of “unrealised” global trade.
“Businesses in all sectors will welcome a more seamless regime for data transfers and adequacy decisions in respect of more countries,” said Bellamy. “Data privacy officers are spending too much time and precious resources on dealing with legalities of data flows from the EU, especially in the aftermath of Schrems judgement, instead of doing more pressing work on privacy by design, risk impact assessments and building long term privacy culture and programmes for the new digital economy.”
But Petrone countered data adequacy agreements that diverge from GDPR would mean businesses operating across both EU and non-EU countries will need to be compliant in at least two different data regimes.
“In this sense, it would bring about additional compliance costs,” said Petrone, adding that the UK’s data watchdog could also require “additional resources and expertise” to supervise multiple data regimes.
David Smith, partner at JMW Solicitors warned that “any movement away from the GDPR is likely to have a negative impact on any business that seeks to trade with consumers outside the UK.”
He added that Dowden’s suggestion that GDPR relies on box-ticking “does not seem entirely accurate”. He pointed to cookie agreements instead being related to the 2002 Privacy and Electronic Communication Regulation (PECR), which sits alongside the UK GDPR.
The government is launching a consultation to establish how the UK’s data law can be improved in a bid to boost growth and trade in the digital economy.
Introduced in 2018, GDPR threatens companies fines of up to 4% of annual global turnover if they fail to protect personal data. However, it has been criticised for its focus on consent-based permissions.
“I would imagine the UK government will try to move away from these restrictions when it comes to the transfer of data and information between UK and non-EEA countries,” said Petrone. “This will mean having different data transfer agreements which differ in some ways to the data flows that happen within the EU and EEA.”
Chris Waynforth, AVP Northern Europe at Imperva, said the UK government will need to “be careful” that the privacy rights are not “diluted when making changes”.
As part of the overhaul, the UK government has recommended New Zealand’s privacy commissioner John Edwards as its preferred new information commissioner. As the head of the ICO, Edwards would be responsible for enforcing data protection law.
In a statement, Edwards said: “There is a great opportunity to build on the wonderful work already done and I look forward to the challenge of steering the organisation and the British economy into a position of international leadership in the safe and trusted use of data for the benefit of all.”