The UK appears to be distancing itself from the EU’s GDPR with the announcement of plans to rewrite domestic data protection laws while pursuing lucrative data adequacy agreements with countries around the world.
The government has revealed a package of measures that will see it “move quickly and creatively” to strike adequacy agreements with a range of nations worth more than £11 billion in untapped trade. These will be subject to assessments to ensure high data protection standards, according to the Department for Digital, Culture, Media and Sport (DCMS).
The first territories the government will negotiate with are the US, Australia, South Korea, Singapore, the Dubai International Finance Centre, and Columbia. These agreements will be followed by negotiations with India, Brazil, Indonesia, and Kenya. The UK currently recognises the data regimes of 42 countries as being adequate with its own.
The government has also identified New Zealand’s privacy commissioner John Edwards as its preferred candidate to replace Elizabeth Denham as the UK’s Information Commissioner, with a revised remit prioritising innovation over enforcing privacy rights.
“Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK,” said DCMS secretary Oliver Dowden.
“That means seeking exciting new international data partnerships with some of the world's fastest growing economies, for the benefit of British firms and British customers alike.”
At the heart of this package of measures are plans to reform domestic data laws so they’re “based on common sense, not box-ticking”, Dowden added. This is the most explicit signal yet that the UK will distance itself from GDPR, with the government suggesting the current regime is antagonistic towards innovation.
The government has previously signalled that it’s keen on scrapping GDPR rules, with prime minister Boris Johnson commissioning a task force earlier this year to examine the UK’s data protection regime.
This panel, comprising three right-wing Conservative MPs, blasted GDPR as being “prescriptive and inflexible” and recommended replacing the current regime with a new framework for data protection.
Government officials have also suggested that the Information Commissioner’s Office (ICO) focuses too heavily on privacy rights and data protection, and not enough on innovation. This is considered an ‘imbalance’ that needs addressing, with the government looking to John Edwards’ appointment as a chance to reform the role of the data protection watchdog.
In the coming weeks, the government will launch a consultation on how to change domestic data protection laws so it can “break down barriers” and speed up innovation, give businesses greater license to use data, and improve public services.
How exactly this data protection regime will be structured, and how vastly it might differ from GDPR, isn't clear. However, briefing national newspapers in advance of this announcement, officials said it would lead to the end of web cookie requests.
Building a winning data strategy
Get serious about data and data science
“This set of ambitious announcements is welcome," said director of markets with techUK, Matthew Evans. "Data is a foundational asset for modern societies, creating accessible and trusted routes for businesses, civil society and researchers to access data from around the world will help drive innovation and create better digital services.
“However, these new routes must be trusted and command the confidence of the public. TechUK, therefore, welcomes the technical assessment criteria and commitment to high privacy standards laid out by the Government. Both of these will be vital to maintaining access to existing data flows, such as from the EU as well as opening up global opportunities."
European officials are expected to follow these developments closely given the UK was only awarded a data adequacy agreement with the EU in June. This indicates that the EU considers the UK’s data protection laws are harmonised with its own, which paved the way for data flows to continue post-Brexit without the need for businesses to pursue individual alternative mechanisms, such as standard contractual clauses (SCCs).
Any changes to UK data protection laws, however, might threaten the status of this agreement in future, with the agreement subject to being reviewed every four years while also being susceptible to legal challenge at any time.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.