UK Reiterates Intention to Diverge from EU Data Protection Standards
The U.K.’s culture secretary has repeated his ambiguous claims about the future data protection regime.
Sky News published the glibly-titled Government to reform data protection laws to spur economic growth on Thursday, in which Oliver Dowden, the U.K.’s culture secretary, states that he is “seeking to set out where we are going to go with data” post-Brexit.
The “unashamedly pro-tech” minister has made similar comments in the past, including in a Financial Times op-ed earlier this month, but has been relatively coy about providing solid details.
In one sense, the U.K. can do whatever it likes with its data protection law, now it isn’t part of the EU.
But the government can’t move too far away from EU standards without putting the U.K.’s data protection “adequacy decision,” drafted by the European Commission last month, at risk.
Failing to achieve or maintain adequacy would mean more red tape for businesses and, arguably, make British firms less attractive prospective business partners.
The government keeps signaling its intention to liberalise data protection law. In February, Prime Minister Boris Johnson said the U.K. would develop a “separate and independent” data protection policy from the EU.
So what do we know about the U.K.’s plans? Not a lot.
The U.K.-Japan trade deal, concluded in October last year, contained clauses suggesting that the U.K. could be planning to operate two models of data protection — an EU version and a more liberal Asia-Pacific version — according to an article by Javier Ruiz for Open Rights Group.
The U.K.’s continuing disregard for EU principles in its surveillance laws continues to take the country further away from adequacy. While this matter didn’t preclude a draft adequacy decision, it might conceivably cause any final decision to be overturned by the CJEU somewhere down the track.
Then there’s the appointment of the next Information Commissioner, who heads the U.K.’s data protection authority. While Liz Denham’s replacement hasn’t yet been announced, the government has clearly signaled that it hopes to appoint someone who will prioritise innovation (which will most likely come at the expense of enforcement).
There is some for the risk in the U.K. loudly declaring its intention to depart from EU standards when the draft adequacy decision contains a four-year review period
But adequacy means “essential equivalence” — not absolute equivalence. So how much room for manoeuvre do adequacy decision recipients have?
Looking at the list of “adequate” countries, many have data protection regimes that are much less strict than the U.K.’s, including Canada, Israel, and New Zealand. But, as Douwe Korff and Ian Brown point out: these are older decisions that require review by the Commission.
David Erdos argues that some wriggle room is possible, particularly if the U.K. commits to the continued recognition of the Council of Europe’s Convention 108 and complies with the standard of “essential equivalence.”
But move too far, and there is a risk that the adequacy decision goes the way of the U.S. Privacy Shield framework.
Sacrificing the U.K.’s adequacy decision in the name of economic stimulus might be unwise. The UCL European Institute estimates that implementing alternative safeguards for data transfers could cost businesses up to £1.6 billion in compliance costs alone.