British ministers have taken to Twitter and television to tout a new UK consultation document on “proposed changes to the UK’s data landscape” which would aim to “remov[e] barriers to responsible data sharing and use”, according to the government’s press release.
By "barriers" the UK means the General Data Protection Regulation (GDPR). When it was a member of the European Union, the UK, as required, transposed GDPR into British law. Now that it isn't in the EU, it would like an alternative, with possible parameters set forth in the consultation document entitled Data: a New Direction.
This sounds like the latest instalment in a blockbuster film franchise targeting the kind of people who get excited about the difference between opt-out and opt-in consent, and I suspect that may well be the main audience for the 146-page document, which is nearly, but not quite, as dull as the GDPR itself.
Perhaps deliberately, not many will be encouraged to read the entire thing, much less answer detailed and often leading questions (“When developing and deploying AI, do you experience issues with navigating reuse limitations in the current framework?” And: “To what extent do you agree that identifying a lawful ground for personal data processing for research processes creates barriers for researchers?”)
After close perusal of this data novella, one data-privacy analyst, Robert Bateman, pinpointed a dizzying 74 areas of the current privacy regime that could be significantly changed by its proposals, including numerous ways in which organisations could use data without having to obtain direct consent.
“If even a significant fraction of these reforms are passed, the UK’s data-protection and privacy regime could radically change,” he writes.
For better or for worse?
Well, Forbes offered the headline "UK to consult on weakening data protection laws" while UK digital rights campaign organisation the Open Rights Group has taken to referring to the New Direction as the "UK Hostile Digital Environment".
Digital secretary Oliver Dowden, the British minister in charge, suggests the GDPR is full of irritating "box ticking" and said: "Now that we have left the EU, we have the freedom to create a new world-leading data regime that unleashes the power of data across the economy and society."
The difficulty for the UK is that, however eager its government might be to unleash the power of data, it must still comply with GDPR to handle EU data. Offering equivalent protection is a baseline requirement for non-EU countries obtaining an EU adequacy decision – the green light allowing cross-border data flows.
Losing adequacy is unthinkable. By 2015, the UK accounted for more than 10 per cent of global data flows. A 2017 estimate from consultancy Frontier Economics held that 75 per cent of the UK’s cross-border data flows were with EU countries. Maintaining those flows is critical to the UK economy.
The flows continue now because, post-Brexit, UK received an adequacy decision from the European Commission earlier this year. Some were surprised, given the digital surveillance powers the UK government allows its security agency GCHQ (Government Communications Headquarters). Similar powers possessed by the US security agencies continue to perturb data-flow negotiations between the US and EU.
The EU placed pointed constraints on the UK decision, though. It is to be reviewed in four years, and the EU has specified that it could be withdrawn at any time if, ahem, post-Brexit UK were to detrimentally alter data-protection laws.
While some might think UK businesses would universally embrace a lower bar for data protection, this isn’t the case. The British Chambers of Commerce expressed worry that reforms may place EU/UK data flows at risk, advocating a careful approach.
‘Separate but equal’
The UK government seems to be trying to head off such concerns by arguing, alongside the US (not exactly the best bedfellow here), for a digital “separate but equal” system under which differing systems might be seen as achieving the same ends.
The US ramped up such rhetoric last week in a speech by US commerce secretary Gina Raimondo at the Tallinn Digital Summit. "We don't need to have the same systems or privacy laws to be interoperable with one another – we just need to develop principles and frameworks that allow our approaches to complement, not contradict, each other," she stated.
That’s possibly true, but the opaque operations of many US tech companies found in violation of GDPR, and the mass digital data surveillance trawls by security agencies and inadequate transparency and recourse for affected individuals all remain notable barriers. The UK may not benefit from too close an alliance with US arguments.
To echo lingo from one of those tech giants, the emerging EU/UK data-flow relationship post-Brexit might best be described as “It’s complicated.”
Where we are, and where we might be going with the post-Brexit data-protection relationship will be the topic of a Dublin City University Brexit Institute discussion at 2pm Thursday by former EU commissioner and chief GDPR architect, Viviane Reding, and a panel of legal and policy experts. I'm moderating the event. Register for free: dcu.ie/commsteam/dcu-events/2021/sep/former-eu-commissioner-and-gdpr-author-viviane-reding-address-dcu