Let’s Take a Look Back: The Dynamism and Evolution of Data Protection
The UK has a long history with data protection law, with the first law passed in 1984 designed to cover use of “scary machines” called computers that would soon take over our lives.
However, modern data protection law started with the European directive from 1995, which the UK passed into law with the Data Protection Act 1998. And there it stayed for 20 years, comfortable and settled until we had a much-needed update in the form of the GDPR which came into force in 2018. Since then, things have become a bit complicated, particularly for the UK.
First, Brexit. As early as 2016, nearly two years before GDPR came into force, the UK voted to leave the EU. This meant that even before GDPR became enforceable, the UK faced an uncertain future over how data protection was enforced.
The process for formally leaving the EU took nearly four years, with the UK ceasing to be a member state in January 2020. There was however a transition period which lasted until 31 December 2020, that meant the UK was still part of the free-trade deal and, significantly, decisions made by the Court of Justice for the European Union (CJEU) during this period.
Schrems II; this time it’s personal (data). One important aspect of the GDPR are the rules on transferring personal data outside of the EU. In short, the GDPR restricts any transfers of data outside the EU unless that country is deemed “adequate” or another safeguard exists, such as a specific contract known as the SCCs.
In July 2020, during the Brexit transition period, activist Max Schrems successfully overturned the adequacy decision for the US as well as making it more onerous to rely on the SCCs. In other words, transferring personal data to the US became very difficult.
From 2021, the UK became subject to the restrictions from the EU on data transfers and were granted a decision of adequacy on the basis that the GDPR was incorporated as retained law with alterations, creating the imaginatively titled UK GDPR. While now outside of the EU and with its own albeit almost identical law, the UK was still bound by the Schrems II ruling, meaning it could not simply award the US adequacy.
This is part of the reason that UK is proposing changes to the current law. The proposed Data Protection and Digital Information Bill (DPDI) aims to simplify the rules, making it easier for businesses to comply.
On 3 October 2022, after Liz Truss became Prime Minister and appointed a new head of the Department for Culture, Media and Sport (DCMS) and the DPDI was pulled, the Government updated to state they would propose a new “British Data Protection System”. The contents of this are yet to be confirmed.
What Would Be the Consequences of More Relaxed Data Protection Rules?
With the planned DPDI now subject to change, the impact is harder to judge. However, when read alongside other announcements there is a clear direction of travel that the UK is seeking to head towards.
For practitioners, we’ll hope that the changes make the law easier to navigate. The latest proposals would mean jumping between the DPDI, UK GDPR, and the Data Protection Act 2018. For a government that states data protection law is too confusing, creating a single law seems like a quick win in that regard. Outside of that, we’ve identified:
3 Main Consequences of The Relaxed Law
- Weakening of individual rights
It is often argued that the GDPR has become the “gold standard” for data protection laws, with many countries looking to follow suit. Any relaxation of these standards by the UK is likely to weaken the rights that people have over the use of their data. The proposed DPDI appears to lower the bar for companies where they can refuse the request from people seeking to exercise their rights, such as requesting access to their data, as well as calling into question the independence of the regular; the Information Commissioner’s Office (ICO).
The latter raises concerns that without a robust independent regulator, enforcement of the law through enforcement notices or monetary penalties will reduce. With that, businesses will feel less inclined to comply.
- More adequate countries
As it has been made clear by the Government, they are seeking to make it easier for businesses to comply with the law while utilising the data they hold. This appears to be aimed at the larger international companies. One way to support this could be to award adequacy decisions to a greater number of countries.
The DPDI proposed a so called “data protection test” for a country to meet for the Secretary of State to award them adequacy. There are already indications that this is a key area the Government will look to utilise. In fact, in 2021, they announced intention to seek adequacy decisions for United States, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia, with plans to expand this to India, Brazil, Kenya and Indonesia.
- Increase in internet tracking
One of the big changes in the proposals is related to the use of tracking technologies. These are most commonly referred to as cookies, though other forms exist. Currently, to use cookies, companies must have the prior consent of individuals unless they are “strictly necessary”.
The proposed DPDI expands the exemptions on requiring consent and widens when consent can be assumed, called the “soft opt-in”. While the aim appears to focus on removing the consent fatigue suffered through cookie banners, there is a concern that this will lead to increased tracking and profiling under the pre-text or “collecting statistical information about an information society service to improve that service”.
What Will the New GDPR Version Mean for UK Businesses?
There are two schools of thought around the implications on UK Business. First, the Government proposes that by implementing a new “business friendly” data protection regime will reduce the burden on businesses, reducing costs and improving trade and the economy. Proposals such as narrowing the definition of personal data or setting a defined list of “legitimate interests” will make it easier for organisations to use information.
The second one argues that relaxing laws in the UK will do the exact opposite. This is because of the extra territorial scope of the EU GDPR. Unless you run a business that only operates in the UK and does not process any data on people in the EU, you will still need to comply with the EU GDPR.
This will create a dual regime for most companies with differing rules for personal data in scope of the UK regime and the personal data in scope of EU law. Running these two regimes will likely lead to complexities for the many rather than the few.
Either way, there will be a period of uncertainty and transition for businesses while they look to understand how the changes impact them and how they need to adapt their internal framework to comply with the new requirements.
Could This Mean Goodbye to Data Adequacy?
Potentially.
The devil will be in the details which we don’t have.
What we can say is that the UK’s adequacy decision from the EU is dependent on the law providing similar standards to that in the EU. The current proposals are not completely radical, with a number simply reading as a rebranding exercise. There are some that could raise concerns to the EU who will be watching the developments closely.
Any threat to the independence of the ICO, such as being compelled by the Government to “have regard to economic growth and innovation”, is unlikely to be seen with approval from the EU Commission. But it is more the culmination of the reforms that could pose the biggest threat rather than one single change.
While we are on adequacy, the UK’s own response to the Schrems II decision will be a factor. While the US and EU are working on a new adequacy agreement of their own, it is the prospect of an adequacy agreement between the US and UK, or the UK with any other non-adequate country from the EU’s perspective, that could throw a spanner in the works. If the UK allows personal data of people in the EU to be transferred to a country that does not have an adequacy decision from the EU, then this could lead to weakening of the EU’s standards and the EU GDPR in general. Organisations could attempt to use the UK as a “transfer hub” to circumvent the EU’s rules, putting the UK’s adequacy under threat.
Conclusion
Right now, we are very much in a wait and see position. It is still unclear after the announcement at the conservative party conference whether the new “British Data Protection System” will be alterations to the DPDI which was pulled, or whether this will be a completely new proposal. Therefore, grand statements about the downfall of individual rights in the UK may be somewhat premature, even if the direction of travel appears concerning.
The UK will look to argue that any changes to the law should not impact adequacy and draw on examples of other countries that have achieved adequacy without implementing a GDPR copy and paste. There is also an economic advantage to the UK maintaining adequacy, so any proposed reforms can reign in a bit as it progresses through parliament.
Looking Forward
In the meantime, the team of experts at DataGuard are carefully monitoring the direction of travel and keeping up to date with all developments.
Whatever happens with regime in the UK, the importance of knowing the what, how and why you use personal data will remain. And that is where DataGuard can help, by utilising our hybrid model to provide expert advice alongside our privacy management platform.
