Post-Brexit data protection regime to deliver 'common sense, not box-ticking'

Government signals intent for more-business friendly environment as it plans partnerships with the likes of the US, Colombia, India and Kenya
Image: Adobe stock

By Sam Trendall

30 Aug 2021

The government hopes that the UK’s post-Brexit data-protection regime will “break down the barriers” that prevent businesses using data in innovative ways, Department for Digital, Culture, Media and Sport has said.

In the months since the UK completed its exit from the European Union at the start of this year, ministers have hinted at a desire to foster a data-protection landscape that is friendlier to business and the data economy.

DCMS announced this week that it will shortly launch a consultation on possible “changes” to current rules and practices. The intention of any updates will be to “break down barriers to innovative and responsible uses of data so it can boost growth – especially for start-ups and small firms, speed up scientific discoveries and improve public services”.

The consultation will also examine the role of the Information Commissioner’s Office, and how the regulator could be “empowered” to not only address the fallout of data breaches, but also to “encourage the responsible use of data to achieve economic and social goals as well as preventing privacy breaches before they occur”.

According to digital secretary Oliver Dowden, the government ultimately wishes to establish codes "based on common sense, not box-ticking".

In addition to this potential new way of doing things, the ICO will also shortly have a new leader, with John Edwards – currently New Zealand’s privacy commissioner – announced last week as the government’s preferred nominee to become the next information commissioner.

Partnerships

The government also wishes to put in place new data-adequacy partnerships with a range of other nations.

The initial priorities for such agreements will be the US, Australia, Colombia, the Republic of Korea, Singapore and the Dubai International Finance Centre – a large business district in the emirate.

Brazil, India, Kenya and Indonesia will be next in the queue, the government indicated.

“Having left the EU, the digital secretary now holds powers to strike data adequacy partnerships with partners around the world,” it added. "The government believes it can unlock more trade and innovation by reducing unnecessary barriers and burdens on international data transfers, thereby opening up global markets to UK businesses.”

Although it is true that, now Brexit is complete, the UK does have the power to make its own data-adequacy decisions, the more that its data-protection regime diverges from that of the EU, the greater the risk of jeopardising the UK’s own data adequacy status, which the EU finally granted in June, after more than a year of discussions.

Many of the countries prioritised by the UK government for adequacy agreements do not have any such arrangements with the EU. 

The UK became the 13th country or territory to gain EU adequacy status – meaning that European authorities have assessed personal data protections in those nations are equivalent to those offered by European law, and information can thus flow across borders unhindered. Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay have previously achieved adequacy, and South Korea is in the process of doing so.

The US is not deemed by the EU to adequately protect the data of European citizens nor, as yet, are  Australia, Colombia, Singapore, Dubai, Brazil, Indonesia, India, or Kenya.

If the UK grants data adequacy to these countries, it opens up the possibility of EU citizens’ data being able to flow freely not only into the UK, but onwards and beyond its borders into countries which are not considered by the EU to have adequate data protections. This could imperil the UK’s own hard-won adequacy status with the EU.

Newly published DCMS guidance on the new UK-specific adequacy framework said: “The test for adequacy provided for in the UK GDPR is that when personal data is transferred internationally, the level of protection under the UK GDPR is not undermined. To determine this, we will consider the overall effect of a third country’s data protection laws, implementation, enforcement, and supervision.

“When understanding how a third-country protects personal data we will – amongst other things – take into account the following factors: the rule of law, respect for human rights and fundamental freedoms; the existence and effective functioning of an independent regulator; and relevant international commitments.”

To help advise the government on cross-border data flows, an International Data Transfers Expert Council is being established. The 15-strong group will bring together representatives of business, academia, and civil society, who will provide guidance “of both a technical and tactical nature”. Applications for a spot on the council are open until midnight on 12 September.

Digital secretary Oliver Dowden added: “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK. That means seeking exciting new international data partnerships with some of the world’s fastest growing economies, for the benefit of British firms and British customers alike.”

He added: “It means reforming our own data laws so that they’re based on common sense, not box-ticking. And it means having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation. John Edwards’s vast experience makes him the ideal candidate to ensure data is used responsibly to achieve those goals.

Sam Trendall is editor of CSW's sister title PublicTechnology, where this story first appeared.

Read the most recent articles written by Sam Trendall - ICO to continue 'minimal-fine regime' for public-sector bodies

Share this page