Reforming the UK’s data watchdog: an opportunity, or a risk of fixing what ain’t broke?
After many years of the UK working so closely with the EU as to almost mirror it in the data protection space, Brit contractors have finally got what many have likely waited for since before Brexit was even a buzzword -- a chance to have their say on how the UK should be different, write Alix Balsan and Anthi Pesmazoglou, legal consultants for Gerrish Legal.
Before we explore this chance, courtesy of a new consultation to reform the UK Information Commissioner’s Office, it’s worth reminding ourselves how we got here.
Open to you, a new consultation to differentiate UK data protection
It’s largely thanks to Brexit of course, but also ambition and identity as the UK goes it alone. Digital Secretary Oliver Dowden got to his feet in August to say that, now the UK has left the EU, the government wants to create “a world-leading data policy” that delivers a Brexit “dividend.” A wise usage of a word if he wanted to get contractors interested!
Having a world-leading data policy (that “unleashes data’s power across the economy and society” -- no less) is an admirable ambition. But is it too good to be true? Is the ICO’s agenda a bit too, well, ambitious?
Sounding more grounded than the minister, the ICO says it is pushing for a “common sense” approach in order to distinguish and distance itself from the EU regime on data protection. Indeed, the consultation, which contractors, agencies and end-clients can respond to until November 19th, makes clear that, subject to the terms of the Brexit withdrawal agreement on digital trade, the UK now has the authority to amend its domestic laws and potentially diverge from what has come to be regarded as the “golden standard” for data protection set by the EU GDPR. Perhaps a good starting point is to ask:
How does the UK’s current privacy regime compare to EU data protection standards?
Well currently, the EU considers that the UK’s data protection laws offer essentially the same protection as the EU GDPR. This means that the UK benefits from an “Adequacy Decision” issued by the European Commission in July 2021 which was embraced by UK businesses and contractors alike.
Quick reminder. An Adequacy Decision is a certification given by the European Commission to a country which can demonstrate that it offers a level of protection for personal data comparable to the EU’s. A territory covered by an Adequacy Decision is therefore a ‘safe’ place in which to process personal data.
The benefit of an Adequacy Decision is that no other steps, admin or hurdles need to be completed or overcome when transferring data outside the EU to a business established in an Adequacy Decision territory.
This is a real bonus, as it allows for free data flows and facilitates trade in our digital economy – something that the UK currently benefits from.
So where does the ICO want to go from this pretty good spot?
Although many parties strongly imply that they find the EU GDPR too onerous – which, not coincidentally, seems to be at the core of the ICO’s plan for reform – the EU framework still represents the gold standard, because it is the strongest piece of privacy legislation to date.
The EU GDPR applies to businesses processing personal data of EU individuals or offering or targeting goods and services to them, whether the businesses are based in the EU or not. Brexit or no Brexit, if the UK processes EU data, then it needs to adhere to the EU GDPR or equivalent standard.
As the GDPR was heavily negotiated for years, and its implementation requires a lot of effort from businesses, this means that keeping part of the level playing field set by the EU must be at the core of any data strategy – if any business or country wants to remain open for international trade where the EU or its residents are involved.
Furthermore, according to the UK government's Department for Digital, Culture, Media & Sport, the free flow of personal data between the EU and the UK under the UK’s Adequacy Decision is estimated to represent 13%, or a cool £85 billion of UK global trade!
Moving away from EU GDPR standards: a cautionary tale
The chance to differentiate the UK from the EU in the data protection stakes will appeal to many. But just glance ‘across the pond’ to the US to observe the difficulties experienced by countries which do not have adequate data protection laws.
Due to the US’s lack of a robust data protection regime, in the Schrems II case of July 2020 the European Court of Justice invalidated the US Privacy Shield, which previously allowed EU data to flow to Privacy Shield-certified businesses in the US without any red tape.
Of course, despite the decision, the restriction of data flows between the EU and the US could not be allowed to become an impediment to trade.
Many EU companies use American products and services, such as Google, AWS, Apple and Microsoft -- to name just a few. The result of the post-Schrems world is that the only way to lawfully transfer personal data to the US or other countries without an adequacy decision involves a time-consuming, costly and laborious contractual set-up – using the Standard Contractual Clauses, which now need to be implemented for all EU-US personal data transfer deals.
This of course creates hurdles to the transactional process and slows down business for all parties -- which undoubtedly costs US companies in terms of profit and opportunities.
Our take? The ICO should, without doubt, tread carefully with its big plan for reform to ease up admin, lest it find itself walking into the very red tape it so strongly wants to avoid.
But let’s get specific. Although at this point in time it is not clear exactly how the reform will play out, if the ICO is looking to reduce the data protection obligations imposed on companies treating UK residents’ data (such as easing up on obligations for smaller businesses processing minimal and low risk data), it needs to proceed cautiously.
The example given by the ICO that a hairdresser ought not to have the same strict data obligations as a multi-million pound technology company is a straightforward one, difficult to disagree with.
But to us, common sense dictates that companies, in a world quite different from that of only 24 months ago, will likely stick to the strictest data protection rules they can, because they will want to be covered in all locations and jurisdictions with a single set of rules to follow, rather than multiple rules in different jurisdictions or across different businesses.
On that note, many countries without adequacy decisions are scrambling to implement their own GDPR-style laws with the goal of being deemed ‘adequate’ by the European Commission to promote their digital trade offerings. This is happening right now, from the UAE to Brazil. Even data colossus China is now coming out with its own ‘Personal Information Protection Law.’
So maybe it’s just us being cautious as a firm of lawyers! But our take is this -- if the UK departs too much from the EU GDPR, it risks losing the right to free data flows.
Not convinced of the need for caution? Well, keep in mind that the UK has the prized Adequacy Decision today, but it will be reviewed every four years by the European Commission. If the UK departs too much from the EU GDPR standards, the European Commission may cancel the finding of adequacy – much like the invalidation of the Privacy Shield suffered by our US friends. Such a cancellation would leave the UK in a mire of red tape – the same sort of mire it so wishes to leave behind.
Looking at the positives of the ICO taking a look at itself
However, reform need not be synonymous with regret. There are specific areas of the GDPR which are seen as ‘pain points’ in the UK and even in the EU.
Standing back from the nitty gritty which contractors are welcome to get stuck into in their own time (although note, not all the ICO’s consultation questions need be answered), generally, this reform is an initiative to solidify the UK’s stance regarding data privacy.
There is an admirable aim here of strengthening trust in data usage and data sharing for the advancement of business and innovation. And there is cause for it, beyond flexing our muscles as an independent country wanting to carve out our own data identity post-Brexit. Scandals such as Cambridge Analytica have left mistrust in their wake, due to the growing awareness that our time online leaves a trace which can potentially lead to the abuse of our personal data. So it’s admirable, but is it achievable? A little worryingly, the details on how the ‘world-leading’ target of a unique data protection regime is to be hit have yet to be shared by the ICO. But if it were achieved, it’s safe to say it would benefit not just the UK but all data protection regimes.
More harm than good, often when you try to fix something that ain’t broke
This attempt at reform (see the consultation document, ‘Data: A new direction’) is generally to be embraced. But if it’s ill-executed it can lead to the wrong result, with potentially long-lasting consequences that are not easy to take back. With generally too little known about the ICO’s plans, it’s fair to wonder whether the UK seeks to distance itself from the EU in an attempt to supplant the “golden standard” set by the EU on the global stage that is data protection, and whether, in doing so, it will accidentally do more harm (to the UK) than good in its campaign for success and independence in the post-Brexit world. It shouldn’t be forgotten that this campaign comes at a time when our nation is promoting international trade outside of Europe.
For all the certainty we data professionals like, unfortunately there’s none here -- only time will tell. So let’s watch this space to find out in the coming months, but only after you have had your say to the ICO online, by November 19th. From our perspective, we’re seeing privacy practitioners and businesses alike lean towards the status quo being maintained, but really nothing is certain right now, except perhaps that reforming what ‘ain’t broke’ is a real risk. In short, a bit like the detail on reform from the ICO, the success of its plans very much remains to be seen.