Earlier this year, the UK government revealed its vision for the UK’s role in the world in its highly anticipated Integrated Review of Security, Defence, Development and Foreign Policy, entitled Global Britain in a competitive age. It declared its intent to be “at the forefront of global regulation on technology, cyber, digital and data”, and set the target of establishing the UK as a “global services, digital and data hub”.
As the UK looks to science and technology as a means of projecting power on the world stage, it has been upfront that data standards will need to develop to account for technological advances. In setting 10 priorities to drive forward a “new golden age for tech in the UK”, it registered its intent to remove existing barriers that impede responsible data-sharing.
How might this affect the data privacy requirements currently incumbent on enterprises? We saw the EU Commission adopt two adequacy decisions in late June, which after more than a year of talks, formally recognised the UK’s existing data protection standards as equivalent to that guaranteed under EU law. This decision was widely regarded as a breakthrough development that allows for the free flow of data across the Channel – but for how long?
For the first time in the European Commission’s history of granting adequacy decisions, it inserted a “sunset clause”, which limits the decision’s lifespan to four years, with the option to revoke adequacy in the intervening period if the UK were to dilute its current level of protection. Only two months later, on 27 August 2021, the UK government unveiled its plan to revise data protection rules, not surprisingly with the stated aim of boosting economic growth and innovation. One proposed reform is to eradicate cookie pop-ups that dominate anyone’s online experience, which would put the UK out of step with the General Data Protection Regulation.
Digital secretary Oliver Dowden was vocal that legislative reform would be grounded in common sense, rather than box-ticking, which is so often associated with compliance requirements. A key motivation for this overhaul is to secure data-sharing arrangements with priority partners, such as the US, the Republic of Korea, Dubai, Singapore, Colombia and Australia, to enable the free flow of personal data, with emerging economies such as Kenya, India, Brazil and Indonesia also called out as markets of interest to the UK.
As the UK chases a Brexit dividend to open up non-EU markets to UK businesses and unlock data-driven trade opportunities, it has a fine line to tread. The European Commission will be alert to any relaxation in data protection safeguards that materially diverges from EU law and gives it cause to revoke the adequacy decision – and this would prove costly and burdensome to organisations on both sides of the Channel.
Creative solutions will therefore have to be found for the UK to skirt what it perceives to be burdensome legal constraints, while upholding the privacy standards to which its citizens have become accustomed.
While steps to facilitate the free flow of data to markets outside the EU is a worthy endeavour, changes to the UK’s data regime that impact technical and organisational measures for ensuring data security may not necessarily provoke changes in an organisation’s privacy policy.
For many, compliance with data protection legislation has required significant investment in time and resources to overhaul processes and capabilities, which ultimately have optimised an organisation’s security arrangements. Multinational enterprises, in particular, are likely to prefer to maintain the most stringent level of data protection to ensure that legal obligations across different jurisdictions are met.
As the UK initiates public consultations on the responsible use and transfer of data, organisations should not hesitate to express their views and share their experiences to ensure that future changes to the UK’s data regime account for the practical reality of keeping data secure in a cost-effective, commercially beneficial way.