The UK government announced plans on Thursday (26 August) for international data partnerships and a more innovation-friendly privacy law, which could collide with the EU data protection standards and jeopardise data flows between London and mainland Europe.
London’s post-Brexit global data plans include the definition of the priority territories to reach a data adequacy agreement, the pre-selection of the new Information Commissioner and the launch of a consultation for a data protection framework that favours economic growth.
“Now that we have left the EU, I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK,” said Oliver Dowden, secretary of state for digital, culture, media, and sport.
“That means seeking exciting new international data partnerships with some of the world’s fastest-growing economies, for the benefit of British firms and British customers alike,” Dowden added.
The announcements are part of the UK’s National Data Strategy, which has the ambition to establish the country as a ‘science and technology superpower’.
Global data plans
One of the priorities is to establish international data partnerships with the United States, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre, and Colombia. India, Brazil, Kenya and Indonesia are also singled out for future partnerships.
The government indicated John Edwards as its favourite candidate for the key position of Information Commissioner.
Edwards is currently the Privacy Commissioner for New Zealand and his international experience seems to be one of the reasons behind his choice, as his mandate is expected to go beyond enforcing data protection rules and also promote innovation and economic growth.
Estelle Masse, a senior policy analyst and global data protection lead at Access Now, criticised the UK’s data strategy for “prioritising profit over people”.
“The focus of the government is on increasing trade, including with partners who are lacking comprehensive data protection laws like the US, but it says very little about how people’s rights will be protected,” Masse said.
Marco Leto Barone, a coordinator of policy for Europe at the Information and Technology Industry Council, told EURACTIV that “the goals sketched out by the UK government reflect the importance of maintaining the seamless free flow of data across borders, while upholding strong privacy safeguards.”
Barone stressed as “imperative” the need to avoid any disruption of data flows between the EU and the UK.
EU-UK data transfers
The announcements are, however, set to prompt concerns in Brussels less than a month after the European Commission adopted its own data adequacy decision.
When agreeing to continue transferring personal data to the UK, the EU executive specified it would revise its decision in case London changed its privacy regime or established transfer agreements with countries that do not meet EU privacy standards.
Robert Bateman, analyst and research director at GRC World Forums, noted that is precisely the case for some of the UK priority countries such as Australia and the US.
“If the EU believes that personal data transferred to the UK might end up in one of these less tightly regulated jurisdictions, there is a risk that the UK will lose its EU adequacy decision and further distance itself from EU trade. Indeed, government ministers may even be planning for this eventuality,” Bateman said.
A European Commission spokesperson warned that any new development that negatively affects the level of data protection might lead the EU executive to suspend, terminate or amend the adequacy decision.
Bojana Bellamy, president of the centre for information policy leadership, argued that the UK ‘agile’ approach is more likely to strengthen data protection standards than lower them.
“Looking at the whole picture of how privacy protections work in practice in third countries may be better for individuals than a theoretical line by line comparison of legal texts. We should not be judgemental of countries doing things their own way as long as they achieve the same outcomes,” Bellamy told EURACTIV.
New data protection regime
Secretary of State Dowden told the Telegraph on Wednesday the UK considered changing its privacy law as “one of the big prizes” of Brexit. London launched a consultation on how to make its data protection regime more innovation-friendly, including by reforming the role of the Information Commissioner’s office.
Paolo Balboni, professor of privacy law at Maastricht University, told EURACTIV that “the UK has launched a challenge not just to the EU, but on a global level, which consists of keeping high data protection standards (EU equivalence) and at the same time re-thinking data protection legislation in a way that makes it more innovation-friendly.”
For Balboni, the EU has fallen short of providing practical solutions for international data transfers in the aftermath of the Schrems II judgement, which struck down the EU-US Privacy Shield agreement, and the bloc “should take up the challenge this opportunity offers to reflect on how its system can be improved and its global leadership maintained.”