On 26 August 2021, in a move that puts it on a potential collision course with the EU, the UK Government made a number of announcements relating to the future of the UK’s data protection regime, with the stated intention of “seizing the opportunity” by “developing a world leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK”.
The key points to note in relation to the UK Government’s announcement are the following:
- the UK Government has set out its Mission Statement on the UK’s approach to international data transfers, announcing those countries that it considers to be priority countries for UK adequacy decisions and its proposals for how it will make those decisions;
- the UK Government has named the current privacy commissioner of New Zealand, John Edwards, as the preferred candidate for the new UK Information Commissioner; and
- the UK Government has unveiled plans to consult on the future of the UK’s data regime, with the stated aim of making it “even more ambitious, pro-growth and innovation-friendly”.
We have set out more detail on each of these below.
-
International data transfers:
The UK’s approach in relation to international data transfers and adequacy decisions is the primary focus of the UK Government’s announcements on 26 August. In their Mission Statement on the topic, the Government sets out the actions it plans to take to support international transfers of personal data from the UK.
In particular, they stress the importance of the UK granting adequacy decisions to third countries so that personal data can transfer freely without the need for alternative transfer mechanisms (which they go on to acknowledge the importance of), identifying Australia, Colombia, DIFC, Singapore, South Korea and the US as their top priorities for adequacy determinations (with India, Brazil, Indonesia and Kenya as “longer term” candidates).
The statement also sets out, at a high level, the Government’s proposed test for adequacy and the procedure they will adopt for undertaking such test, noting the following four phases:
- “Gatekeeping” – i.e. deciding whether to commence an adequacy assessment in the first place;
- “Assessment” – i.e. the collection and analysis of information relating to the level of data protection in the relevant third country, through the use of templates and guidance;
- “Recommendations” – i.e. the UK adequacy team will then make a recommendation to the Secretary of State, who will, after consulting with the ICO, decide whether to make an adequacy determination. The Mission Statement also sets out the specific roles of the ICO in the adequacy decision process; and
- “Procedural” – i.e. the procedural and regulatory steps needed to give legal effect to the adequacy determination.
Adequacy decisions must then be monitored and kept under review at intervals of no more than four years.
2. Naming of preferred Information Commissioner:
In naming John Edwards as the preferred candidate for the new UK Information Commissioner, the UK Government also stresses that the ICO’s role will go beyond focusing only on protecting data rights, as the ICO will have “a clear mandate to take a balanced approach that promotes further innovation and economic growth”. Although there is no comment on the current Information Commissioner’s approach, the UK Government’s announcements regarding the role of the new Commissioner really signal its intention to adopt a different approach to data privacy in the future.
3. The future of the UK’s data regime:
This different approach is further evident in the Government’s plan to launch a consultation on changes to the current data protection regime, with a view to “developing a world-leading data policy that will deliver a Brexit dividend for individuals and business across the UK” (as referenced above) and “reforming [the current data laws] so that they’re based on common sense, not box ticking”.
In an interview with the Telegraph newspaper, Oliver Dowden (the Secretary of State for Digital, Culture, Media and Sport) expanded on what this might mean in practice. In particular, the interview suggests a move away from a one-size-fits-all model so that small companies may not be subject to the same rules as large companies and, in what will be music to many business’ ears but may result in significant push-back from privacy activists, an overhaul of the current rules on the need to collect consent for the use of cookies.
Our take
Whilst the UK will be constrained by the need to ensure that its new regime continues to be considered adequate by the European Commission, the Government’s announcements are the clearest signal yet that changes to the UK data protection regime are coming soon. The UK Government clearly considers that it can divert from the EU data protection standards to a new standard that is pro-growth, “whilst still being underpinned by secure and trustworthy privacy standards”. This is certainly a noble aim, and the likely appointment of John Edwards (who oversaw New Zealand’s adequacy process) as the new Information Commissioner indicates a desire to adopt a more global, rather than Europe-centric, approach.
However, the devil is in the detail and it remains to be seen how these ambitions will ultimately be realised particularly when many countries are adopting ever more robust data protection laws. The UK will need to balance its desire to develop its own standards, including in relation to its adequacy assessments of third countries such as the US, with the protection that current laws offer to data subjects, especially in view of its own crucial adequacy decision.
This point appears to have already been picked up by the EU, with the Financial Times reporting an EU spokesperson as saying that Brussels is monitoring the UK’s decision “very closely” and that it would immediately revoke its data sharing arrangement with the UK where the changes in UK law threatened EU citizens.
So, despite the headlines of these announcements, putting the UK Government’s proposals into practice will involve a delicate balancing act.
