What will influence the UK’s approach to data protection post Brexit
At our recent Privacy Question Time we asked the audience the following question:
Do you think Britain will diverge from GDPR after Brexit?
We were rather surprised at how close the poll result was. Does this reflect a divided a nation or simply the fact most of us have no idea what is going to happen on 1st Jan?
After all the huffing and puffing from the government, what will really happen? Let’s look for some clues…
The UK Government’s National Data Strategy
In September DCMS published a consultation document on a new National Data Strategy. Designed to unlock the potential when using data effectively, it consisted of 5 key pillars:
- Unlocking the value of data across the economy
- Securing a pro-growth and trusted data regime
- Transforming government’s use of data to drive efficiency and improve public services
- Ensuring the security and resilience of the infrastructure on which data relies
- Championing the international flow of data
The narrative includes a couple of interesting paragraphs:
As with all policy areas, the UK will control its own data protection laws and regulations in line with its interests after the end of the transition period. We want our data protection laws to remain fit for purpose amid rapid technological change. Far from being a barrier to innovation or trade, we know that regulatory certainty and high data protection standards allow businesses and consumers to thrive. We will seek EU ‘data adequacy’ to maintain the free flow of personal data from the EEA, and we will pursue UK ‘data adequacy’ with global partners to promote the free flow of data to and from the UK and ensure that it will be properly protected.
To build a world-leading data economy, we must maintain and bolster a data regime that is not too burdensome for the average company – one that helps innovators and entrepreneurs to use data legitimately to build and expand their businesses, without undue regulatory uncertainty or risk in the UK and globally.
Given the rapid innovation of data-intensive technologies, we also need a data regime that is neither unnecessarily complex nor vague.
For anyone familiar with GDPR there is an inherent contradiction in these statements but let’s take it at face value and assume the government wishes to secure data adequacy from the European Comission (which would allow for data to flow unrestricted from Europe to the UK).
The outcome of USA Presidential Election
Not surprisingly, there is a major difference in the approach of Republicans and Democrats to privacy and data protection. Biden has publicly called for a national privacy standard similar to GDPR, whilst Trump believes GDPR is restrictive and provides cover for cyber criminals.
Whoever wins will have a direct impact on UK post Brexit, as UK will need to line up with USA to get a trade deal in place. Based on the current polling, a Biden win would signal a more privacy friendly approach.
The direction of travel for US regulation
The enactment of Californian Consumer Privacy Act in 2018 plus the move by other US states towards a GDPR friendly data regime implies a general trend towards more privacy friendly legal frameworks.
Eventually, there will be a legal framework at Federal level which will ensure a more consistent approach towards handling privacy matters. Other nations are seeking to gain adequacy agreements with the EU, and Japan has recently secured one. Overall the legal direction of travel is pro-GDPR.
Our ability to gain adequacy
Given we were one of the co-architects of GDPR, you’d expect the UK to be immediately granted adequacy. However, there is one potential spanner in the works.
What about surveillance for law enforcement purposes? The CJEU has just ruled these activities are illegal. If UK wishes to continue with their surveillance activities this would imperil the adequacy agreement and free the UK to go its own way.
Impact of a post Brexit trade deal for UK
The trade deal negotiations are reaching the end game but, for now, it is still not clear if there will be a deal. Many sectors will suffer with a hard Brexit and its quite possible UK will not granted adequacy if the trade negotiations fail.
Without an adequacy agreement, depending on how petulant the government decides to be, there is less incentive to fall into line with EU laws and the UK government may decide to strike out alone. Many businesses would far rather see some certainty and that applies to Data Protection as much as anything else.
Power of the business lobby
Businesses are likely to want no disruption with data flows – they have plenty of other problems to contend with without disruption caused by newly illegal data protection arrangements. If the various bodies such as CBI and DMA are loud enough and the government bothers to listen there may be some pressure exerted to remain aligned with GDPR.
What will happen?
I still believe the UK would prefer to have an adequacy agreement to maintain smooth cross border data-flows. This would enhance rather than hinder the National Data Strategy.
If the UK wants to be a key tech hub removing any friction with the movement of data will be critical. In the end, and it may not be from day 1, the UK Data Protection regime won’t look too different to how it is now.
Julia Porter, November 2020
If you’d like to talk to us about your Brexit planning please get in touch with Simon, Phil or me.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.