UK seeks divergence from GDPR to 'fuel growth'
Experts warn that deviating too much from the EU's regime would jeopardise the UK’s fragile data adequacy status
Digital secretary Oliver Dowden has signalled the UK will explore ways to diverge from the General Data Protection Regulation (GDPR) to find a “sweet spot” that will encourage growth in the post-COVID economic recovery.
Although he said the UK won’t be seeking to water down data protection standards, the government will explore ways to tweak the rules where there might be opportunities to encourage economic growth, according to Reuters.
However, legal experts have warned that the recently-secured draft data adequacy decision could be jeopardised if the EU sees any signs that the UK is attempting to break away from core GDPR principles.
“There is a sweet spot for the UK whereby we hold onto many of the strengths of GDPR in terms of giving people security about their data,” Dowden told reporters. “But there are obviously areas where I think we can make more progress.”
“In our rule-making, we can take a slightly less European approach as set out in GDPR by focusing more on the outcomes that we want to have and less on the burdens of the rules imposed on individual businesses.”
The digital secretary added Britain could deviate from GDPR while maintaining adequacy, arguing it wasn’t a binary choice between driving growth and sacrificing adequacy, or retaining adequacy and stifling growth. His views echo recent government assertions that the next Information Commissioner will seek to correct an apparent “imbalance” favouring privacy rights.
However, a lecturer in digital rights and regulation with UCL’s Faculty of Law, Dr Michael Veale, argued that the draft decision is highly fragile and that there’s a serious risk it won’t be translated into a formal agreement.
“It barely mentions this very large elephant in the room, which is the UK’s surveillance regime,” he said, listing an example during a policy event on Tuesday. “Another data flow that we’ve seen many times is the data flow between the UK and the US, and in practice, the Court of Justice of the European Union (CJEU) has been very clear in other cases about factors which seem to directly contradict what we see in the UK regime.
“Potentially the largest risk to data flows is that the UK will become an onward transfer hub for information to the United States in particular. The CJEU has held many times that the US surveillance regime provides negligible protection to foreigners, negligible standing of any type in court or judicial remedy, and in these cases, when data is flowing to the UK, data can flow to data intelligence regimes effectively based on a political decision by the secretary of state.”
Although the government has signalled its intent to deviate from GDPR, it is yet to detail exactly how that will happen or why such a deviation is necessary.
Phil Earl, deputy director for data strategy implementation within Dowden's own department and also present at Tuesday's policy event, admitted that the government's anxieties were largely based around the perception that GDPR has created, adding that any evidence of GDPR serving as a barrier to growth was largely anecdotal, with the wider discourse around GDPR fostering a culture of fear in which businesses hadn't been given the confidence to innovate.
Dowden's comments come just weeks after the EU granted the UK two draft decisions on data adequacy, meaning that it considers the UK’s data protection laws and standards to be compatible with its own.
While a positive outcome wasn’t in doubt - given how closely the UK's Data Protection Act 2018 reflects GDPR - of greater concern was the time it would take to reach a decision following Brexit. Delays in reaching an agreement would have disrupted data flows between the EU and the UK, and potentially harmed the economy.
Now, EU lawmakers are likely to be on alert following Dowden’s comments, given the fragile nature of the draft decision and ongoing concerns about the UK’s commitment to GDPR. Last year, for example, the European Data Protection Board (EDPB) called into question the UK’s prospective adequacy status in light of a preliminary data sharing-agreement struck between the UK and the US.
While not commenting on any data-sharing relationship with the US specifically, Dowden echoed the government’s previous sentiments that Britain could move faster than the EU to strike data-sharing deals with non-EU countries.
The government has also said it won't move at speed to change the UK’s data protection regime, and would only draft proposals after consulting with UK organisations. These will be fed into a wider set of policies based on using technology to boost economic growth, once the effects of the pandemic have waned.
How to choose an AI vendor
Five key things to look for in an AI vendorDownload now
The UK 2020 Databerg report
Cloud adoption trends in the UK and recommendations for cloud migrationDownload now
2021 state of email security report: Ransomware on the rise
Securing the enterprise in the COVID worldDownload now
The impact of AWS in the UK
How AWS is powering Britain's fastest-growing companiesDownload now