Adopted in April 2016 by the European Parliament, the General Data Protection Regulation 2016/679 still regulates how companies can – or can’t – capture and store the personal data of their users: even after Brexit, the UK government was quick to introduce mirroring rules to enable UK companies to go on operating in the EU. However, HMG are now considering diverging from this fundamental European piece of legislation; this article will present some possible consequences of such a decision.
Adopted in 2018, the Data Protection Act is the UK’s implementation of the General Data Protection Regulation (GDPR). At the end of last summer, the then Digital Secretary Oliver Dowden announced that the Government planned to diverge from GDPR, declaring “There is a sweet spot for the UK whereby we hold onto many of the strengths of GDPR in terms of giving people security about their data, but there are obviously areas where I think we can make more progress.”
The current situation
The UK’s legislative framework had been granted adequacy status a few months before, in June 2021; the decision – granted on the basis that the UK was at the time still aligned with GDPR – meant that data could flow freely between the EU and the UK, an outcome hailed by John Foster, director-general of policy for employers’ group the CBI: “The free flow of data is the bedrock of the modern economy and essential for firms across all sectors – from automotive to logistics – playing an important role in everyday trade of goods and services.”
However, the decision on adequacy was hardly a vote of confidence: it came with
- a four-year sunset clause meaning the decision would have to be revised by 2025 at the latest,
- a strong verbal warning from Věra Jourová, vice-president for values and transparency at the EC: “We are talking about a fundamental right of EU citizens that we have a duty to protect, this is why we have significant safeguards, and if anything changes on the UK side, we will intervene.”
Oliver Dowden described the diverging move as “seiz(ing) the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK”. He justified HMG’s decision to review compliance with GDPR by citing the wish to do away with “red tape” and to improve user experience by getting rid of the pesky cookie notices, pop-ups, and consent requests.
Another argument put forward is that the UK would seek international data partnerships with various territories (the US, Australia, South Korea, Singapore, the Dubai International Financial Centre, Colombia, and longer-term, India, Brazil, Kenya, and Indonesia).
Ultimately, even though that is not a reason put forward by the government, this would also represent an opportunity for companies that wish to capture user data, for example to track and trace visitors on their websites.
Of course, diverging from the EU GDPR will have some consequences, both for companies and for users.
For one thing, the road to GDPR compliance was a huge task for a lot of companies, with some of them only reaching compliance several months after the law came into force; the fear is that a change in regulations would mean a repeat of this mountain of work.
Given that trade with the EU represents approximately 50% of the UK’s imports and exports as of 2020, any impediment to the necessary transfers of personal data would have a huge impact on companies operating abroad. What’s more, divergence could end up generating more red tape. Indeed, these companies operating in the EU would have to comply with two sets of rules, which would consume a lot of time and money. Divergence could also result in the loss of access to EU data, actually jeopardising digital innovation.
As for citizens, the threat to their privacy is very real. Cookie notices may be annoying, but they are the only way for users to effectively consent to the usage of their private data; without them, and if consent is deemed given by default, our privacy will only be respected insofar as it doesn’t hamper business. Indeed, Rt Hon Oliver Dowden asked the Information Commissioner’s Office to carry out “economic impact assessments” to understand the impact of divergence on business, not on people’s lives.
EU citizens could potentially be threatened by the change as well: there is a suspicion that “the UK will become an onward transfer hub for information to the United States in particular: when data is flowing to the UK, data can flow to data intelligence regimes effectively based on a political decision by the Secretary of State” (Dr. Michael Veale, lecturer in digital rights and regulation with UCL’s Faculty of Law).
In a nutshell, divergence from GDPR rules would probably trigger not only extra work but also mistrust of digital services among stakeholders; as we all know, mistrust is the single most harmful thing for business.
By Thierry Salus-Robbins, Director Of Operation at DRIAD