On data protection, the UK says it will go it alone. It probably won’t.
The UK may have finally left the European Union, but the now the wrangling over key aspects of the country’s future relationship with Europe – including data flows – really begins.
After the UK left the EU, at the end of January, Prime Minister Boris Johnson said the UK will now look to “develop separate and independent policies” in a number of areas, including data protection. However, in reality the UK is unlikely to stray too far from European rules or risk significant disruption.
Currently, the UK’s data privacy legislation adheres closely to the General Data Protection Regulation (GDPR), the rules that were rolled out across all European Union member states in May 2018.
The data protection laws are designed to give citizens more control over how their personal data is used by organisations. Businesses that offer goods or services in the European Union must be compliant with the legislation.
SEE: IT pro’s guide to GDPR compliance (free PDF)
It’s been over a year and a half since GDPR came into force and UK-based organisations have felt its impact, with the Information Commissioner’s Office having issued fines to a number of businesses that have been found to be non-compliant following a data breach or cyberattack.
GDPR appears to be working as intended, so even following the UK’s departure from the EU – and the initial transition period throughout 2020 – it seems unlikely that Downing Street would propose data protection legislation that wildly veers from what has already been set out by Brussels.
“There isn’t anything within in this that’s telling us we’re going to see a bonfire of the data protection regulatory scheme,” says Stewart Room, head of data protection and cybersecurity at multinational law firm DWF.
At a political level, there isn’t any need for the UK government to tear up data protection laws just to make a point over Brexit, especially as GDPR is part of UK legislation under the Data Protection Act 2018 – and since the referendum, ministers have repeatedly stated that GDPR will stay.
Cutting back data protection laws also wouldn’t make sense at an everyday level, because in the time since GDPR has come into force, it’s become ingrained in how both businesses and consumers approach privacy and data security.
“That would be crazy, not just from a regulatory perspective and the way businesses operate, but also from a consumer expectation and demand perspective,” says Enza Iannopollo, senior analyst on security and risk at Forrester.
Not only would deciding to scrap GDPR go against what people are used to, it would also make it difficult for UK businesses to offer their services to Europe in future.
“Deciding we don’t care about data protection anymore means that we’re not looking at the market or consumer expectations and we’re making the life of businesses that need to operate in UK and European markets at the same time very, very difficult,” Iannopollo says. “Businesses from the UK which do business with the EU will need to comply with GDPR no matter what the UK decides to do,” she adds.
That’s particularly significant in the context of what government ministers have previously described as “buccaneering Britain”, which is a vision of the UK being able to pursue trade with countries all around the world (although it’s not as if that wasn’t possible before Brexit).
But to be able to trade freely with the rest of the globe, UK data protection legislation will likely still need to adhere to GDPR, not just to do business with the European Union, but also many other countries around the rest of the world; because GDPR is fast becoming the standard for good data protection legislation.
“There won’t necessarily be a huge deviation from GDPR; we’re seeing from other countries that GDPR is the gold standard worldwide, so I don’t think we’ll go completely off-piste to be different,” says Marta Dunphy-Moriel, commercial technology partner at Kemp Little, a London law firm specialising in technology.
“I’d be shocked if we suddenly had legislation which pushed us back and didn’t allow for free flow of data to an adequate standard or anything that made it undesirable for UK businesses to process data,” she adds.
GDPR actually prohibits the transfers of personal data to countries outside of the EU unless there’s a certain level of data adequacy – or legal agreements in place that take doing business with the third-party country into account. That means that following the transition period, data flow between the European Union and the United Kingdom will have to meet the requirements of a data adequacy assessment.
Johnson’s post-Brexit statement calls on the EU to recognise that, when it comes to data protection, the UK will be operating exactly the same regulatory frameworks as the EU. But it will be up to Europe to decide whether the UK’s data protection stance is adequate, and that’s not guaranteed.
“The adequacy assessment looks beyond the presence of legislation, to a broader range of considerations, such as whether the law is actively enforced; whether there is a ‘culture’ of data protection-related respect and adherence in the country; whether there is appropriate access to justice; and the ‘norms’ of the state and public sector,” Room explains.
As things stand, the requirements will be matched, but potential alterations to data protection policy in future could jeopardise this; so it simply wouldn’t make sense to diverge from GDPR and other privacy legislation in this way.
“It’s in the interests of the United Kingdom – and it’s in the interests of a successful Brexit – for the UK to have a regulatory scheme that’s close enough to those in other countries because that’s what’s demanded by global big business,” says Room.
Changing or reducing data protection legislation and risking an adequacy agreement would therefore make it much more difficult for UK businesses to sell their products to customers across Europe and beyond – especially when it comes to those centred around software and data.
“It’ll be extremely detrimental if a data adequacy agreement doesn’t happen,” says Iannopollo.
“This doesn’t mean that all data transfers will stop and it will be a catastrophe, but in the medium term it will be a bigger determent to organisations; it’s more cost, it’s less efficiency and it could lead to a perception of not taking privacy as seriously as other European businesses,” she adds.
One potential risk lies in the way of the EU granting an adequacy agreement, in the shape of the UK’s Investigatory Powers Act legislation, which some have argued gives too many surveillance powers to the government, something that the EU may not like.
Some argue that Boris Johnson’s statement on future relations between the UK and EU is in reality designed to appeal to his supporters and should not be taken as a guide to future policy. And the UK government argues that it needs to keep its options open in case there are changes in technology or business practices.
But, in reality, while the government might like the idea of the UK altering policies around data protection because they originally came from the EU, changing them would be more effort that it’s worth – and for little reward.