Chancellor Rishi Sunak has said that GDPR is not necessary to have data adequacy and that “sensible countries” such as Japan, Switzerland or Canada operate out of the scope of the EU data privacy regulations.
Speaking at the launch of Treasury Connect, a forum for UK tech leaders and companies to discuss how the country can boost its competitiveness and innovation, the chancellor told delegates that after leaving the EU, the UK should come up with its own data legislation that works best for the interests of the country.
“We are in charge of our data protection rules now,” Sunak said. “You don’t need GDPR to have data adequacy.
Sunak added that the UK government wants to move away from “a tick-boxing approach to regulation” to “focus on the substance”: “We want to protect individual data but we don’t want to hinder innovation, and the whole view is that there are things that we can change that will be pro-innovation whilst protecting rights and getting rid of some of the box-ticking and ending up in a good place that is net positive for the UK.”
The chancellor’s statements confirm previous declarations by his colleague Oliver Dowden, the minister in charge of digital, which strongly hint at a likely abandonment of GDPR by the UK. Rishi Sunak declined to put a timescale on when the UK might move away from GDPR when asked by Tech Monitor.
In February, Dowden wrote in the Financial Times that “[the] EU doesn’t hold the monopoly on data protection” and he indicated a shift from privacy protection to innovation that promotes economic growth.
The Department of Digital, Culture, Media and Sport (DCMS) published a 146-page consultation document last week outlining some of the ways the UK’s data laws could be reformed, including the possibility to scrap GDPR’s Article 22. This would imply that the “human-in-the-loop” provision for algorithmic decision making in current data laws would be diluted or nullified.
The UK’s new Information Commissioner, John Edwards, who is currently New Zealand’s Privacy Commissioner, said at a hearing of the DCMS Committee last week that the “United Kingdom is entitled to take Fleetwood Mac’s [in reference to the British music group] advice and ‘Go Your Own Way’” in regards to GDPR.
Should the UK get rid of GDPR? Tech leaders not convinced
There are concerns within the tech industry about the UK ditching GDPR, however. Russ Shaw, founder of Tech London Advocates and Global Tech Advocates, attended the launch of Treasury Connect, and urged caution because he thinks that GDPR is beneficial for the country’s economy.
“I actually think that there is more good from GDPR than not, so I would be careful about things like that,” Shaw said.
He believes that the EU will follow the UK in certain areas where the latter has already started to fend for itself, such as financial services, but data privacy should not be one of those areas: “I wouldn’t want to see us getting too far ahead on things like GDPR because I think there’s a lot of value in that in terms of how you engage with other markets,” he adds.
International non-profit Human Rights Watch calls GDPR “one of the strongest and most comprehensive attempts globally to regulate the collection and use of personal data by both governments and the private sector”. The ICO, the authority responsible for enforcing GDPR in the UK, has collected more than €44m in fines (mainly from big corporations) since the rules came into force in May 2018. This money is paid into the Treasury’s Consolidated Fund for public spending.
One of the largest penalties was issued to British Airways after a data breach that hit more than 420,000 of its customers’ personal data. An investigation by the ICO found that BA was processing personal data without adequate security measures in place. In addition to the fine, the airline reached a financial settlement with the victims of the breach in what some privacy experts believe was a victory for consumer data privacy.
UK businesses have spent $1.2bn in GDPR compliance measures, including hiring over 500,000 data protection officers and carrying out GDPR gap studies. Rishi Sunak declined the opportunity to offer any guidance to companies that have heavily invested in GDPR compliance about what they should do if the legislation is withdrawn, or how their data flows with the EU might be affected.
Instead of getting rid of GDPR completely, Shaw advises gradual changes, noting that companies abroad look up to GDPR when drafting their own data privacy policies: “When I go to the US, many of the tech companies that I talked to are trying to adopt elements of GDPR so that they can align with the EU,” he says.
“You should be taking little steps to push the boundaries and experiment. But I wouldn’t just get rid of it entirely. I think it’s been a very important part of us connecting with the rest of the world”.
A European Commission spokesperson told Tech Monitor the Commission “does not comment on comments”, but said: “We do however monitor very closely any developments related to the UK’s data protection rules.
They added: “When adopting the UK adequacy decisions, the Commission was fully aware of the risk of possible future divergence of the UK system from the EU’s. This is why in case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended at any time by the Commission. This can be done immediately in case of justified urgency.
“We will continue to ensure that European’s data will be protected by strong safeguards when crossing the channel.”