The UK government unveiled plans this week to create “a world-leading data policy” that delivers a “Brexit dividend” following the country’s departure from the EU. These include plans to negotiate new data adequacy agreements with the US, Singapore, South Korea and Australia; the appointment of its intended candidate for Information Commissioner; and the launch of a consultation on reforming the UK’s data laws to “break down barriers” to innovation and growth.
Industry bodies have welcomed the initiative to unlock innovation and trade for post-Brexit UK, but other groups are concerned that the new data adequacy agreements and forthcoming reforms could be detrimental to privacy standards – and that the UK’s adherence to GDPR, the EU’s data protection rules, could be dropped altogether.
Is the UK committed to GDPR?
techUK, which represents the technology industry, welcomed DCMS’s “ambitious announcements” and its intended use of data assets to drive innovation. The body warned of the need to build public trust in how data is shared, but is reassured by the government’s commitment to data protection, it says.
“The DCMS announcement puts a commitment to high data protection standards central to its aims and we expect the consultation announced today to be an evolution of the existing UK data protection framework based on the GDPR,” Matthew Evans, techUK’s director of markets told Tech Monitor in a statement.
Other commentators are less convinced of the UK’s commitment to GDPR, however, following an interview with secretary of state for digital, culture, media and sport Oliver Dowden in The Telegraph earlier this week. The minister said that GDPR rules are limiting scientific research and are overwhelming small businesses and charities with red tape. He said that he wants to get rid of “endless” cookie banners and that many consent notices are “pointless”.
Sam Smith, policy lead at medical privacy advocate group medConfidential, believes this week’s announcements confirm public fears that the government plans to sell off NHS data, prompted by the much-criticised General Practice Data for Planning and Research (GPDPR) scheme.
“At a time when the Department of Health is working out how to reassure the public about their plans for GP data, DCMS announces plans which show public concern is well-founded,” Smith told Tech Monitor. “Perhaps they should talk to each other before making promises they will then break.”
Can the UK strike new data adequacy deals while upholding GDPR?
Whatever the government’s intentions, the UK’s ability to adhere to GDPR may be jeopardised by its plans to forge new data adequacy agreements, which allow personal data to cross borders without additional compliance measures, with its major trading partners.
The UK has data adequacy agreements with 42 countries, the government says, including the 27 member states of the EU. New agreements with its high-priority trading partners – the US, Australia, South Korea, Singapore, the Dubai International Finance Centre (DIFC) and Colombia – would be worth billions of pounds in additional trade, it says.
These new agreements would help "remove unjustified barriers to international data transfers," wrote Dowden and minister for media and data John Whittingdale in the government's mission statement for data transfers, published yesterday.
US-based data privacy consultant Debbie Reynolds says that while it is possible for the UK to strike these deals without its data laws diverging from GDPR, trading partners may seek business-friendly concessions. "This move could create complications for the UK if countries see [data adequacy agreements] as a way for them to bypass GDPR,” Reynolds says.
“Transparency will be key in how the UK handles its adequacy partnerships and also how it intends to retain its own adequacy relationship with the EU," she adds.
The mission statement lays out the process of assessing a country's data adequacy and the alternative mechanisms that organisations can use to transfer data when such agreements are not in place, such as standard contract clauses and binding corporate rules.