The UK’s relationship with the rest of Europe has had its fair share of ups and downs. From Agincourt to the Anglo-Dutch wars and beyond, we have always had what some might call a love-hate relationship with our European neighbours. In recent times, although it was a battle waged in the corridors of political power rather than the battlefield or high seas, the most obvious example of our conflicting agendas is the UK’s decision to leave the EU entirely in the form of Brexit. And while we may have left, the ramifications of this decision are yet to be fully realised.
At present, both the EU and the UK have their own General Data Protection Regulations (GDPR) which are, to all intents and purposes, identical. However, the UK has recently sent some pretty strong signals of its intention to live by its own data protection rules…
The rumblings of discontent
In 2020 the UK government published an updated National Data Strategy (“the strategy”). This claimed that there was a lack of clarity about “certain aspects of data protection rules and regulations”, which caused particular difficulties for SMEs. In particular, the strategy stated that “businesses should not be driven to costly over-compliance or high risk aversion with respect to data sharing by unnecessary complexity or vagueness in the regulatory environment.”
The strategy said that, to tackle this, the government would work in partnership with the ICO to clarify aspects of the UK’s existing data regime that “generate confusion or inertia” to lift compliance burdens on businesses.
A public statement of intent
On 27 February 2021, an article written by Oliver Dowden, Secretary of State for Digital, Culture, Media and Sport (DCMS), was published in the Financial Times. Mr. Dowden, who is responsible for the UK’s data protection policy, referred to the UK having a long and proud tradition of defending privacy, and a commitment to maintaining world-class data protection standards.
Pointing out that the UK is no longer in the EU, he wrote “we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word.”
The way forward
On 19 March 2021, the DCMS and the ICO signed a Memorandum of Understanding which recognises the roles and responsibilities of the DCMS and the ICO in carrying out adequacy assessments. The Memorandum says that the DCMS now holds powers to make independent UK data adequacy arrangements with new partners around the world, making it easier for organisations to send data internationally.
The ICO and DCMS have issued a joint statement: “Data transfers are vitally important to global economies and societies and through the granting of adequacy we will reduce barriers to transferring personal data internationally, while also ensuring that data continues to be safeguarded by high data protection standards”.
Time to prepare for G(dp)Rexit?
All of the above seems to strongly point to the UK developing, at least in some areas such as international data transfers, its own data protection rules. It is likely that, very soon, the government will announce priority countries for data adequacy agreements.
This will identify those countries that the government deems it safe to transfer personal data to – without the need for any additional security or contractual arrangements (such as SCCs) to be put in place. Whether this will include the US remains to be seen.
As for the wider implications, it isn’t time to throw the GDPR rule book out of the window just yet. The ability to transfer personal data securely, and to put adequate measures in place to protect that data wherever it resides, is essential to business transactions and operations across Europe and beyond. The sentiments and principles of the GDPR will remain in place for some time, even if the UK government does decide to assert its independence in the form of changes to the UK regulation.
The GDPR isn’t facing its Waterloo just yet, but UK and EU businesses alike would be wise to keep track of developments in data protection regulations in the UK as any changes are likely to impact their ability to trade and transact in the future.
Written by Robert Wassall
Robert Wassall is a solicitor, an expert in data protection law and practice, and a Data Protection Officer. As Head of Legal Services at NormCyber, Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.