By Robert Bateman
The U.K. government is planning a significant overhaul of its privacy laws in a move that experts told Digital Privacy News risked damaging the country’s economy and relations with the European Union.
The government’s national data strategy, published last month, says that the U.K. “will control its own data protection laws and regulations in line with its interests” after the country’s transition out of the EU.
Once the Brexit transition period ends on Dec. 31, the U.K. will need to obtain an “adequacy decision” from the European Commission to ensure cross-border flows of personal information can continue without interruption.
To obtain an adequacy decision, the U.K. must demonstrate that its privacy standards are at least as high as the EU’s, which are enshrined in the bloc’s General Data Protection Regulation (GDPR).
Weakened Laws Feared
Some observers told Digital Privacy News they were concerned that the national data strategy showed the government would weaken U.K. privacy laws, putting an adequacy decision at risk.
“The national data strategy suggests that the U.K. intends to prioritize innovation in AI and tech over obtaining an adequacy decision,” said Javier Ruiz, policy adviser for the Digital Trade Alliance.
“Failing to obtain an adequacy decision from the EU risks damaging the U.K. economy and weakening the rights of U.K. citizens.”
UK Government’s Position
A government spokesperson told Digital Privacy News: “We are a global leader, committed to high data-protection standards.
“Protecting the privacy of individuals will continue to be a U.K. priority.
“The EU’s adequacy assessment ascertains whether U.K. data-protection standards are ‘essentially equivalent’ to the EU’s,” the spokesperson said.
But Ruiz, based in Brighton, U.K., argued that the country’s privacy landscape could become more akin to that of the U.S., where corporations had an “assumption” that they could collect and sell consumers’ personal information.
Under a weaker privacy regime, Ruiz warned that U.K. citizens could face increased rates of spam, nuisance calls, and surveillance. Removing EU protections also might lead to more algorithmic decision-making in such areas as health, education and personal finance.
Further, Ruiz pointed to existing issues with the U.K. law, including exemptions to the GDPR and powers that would allow U.K. government ministers to determine third countries’ data adequacy.
“The EU is concerned with the balance between innovation and human rights,” Ruiz told Digital Privacy News. “The U.K. risks failing to obtain an adequacy decision if the EU determines that it has not got that balance right.”
While conceding that the EU’s data protection framework is not perfect, Ruiz argued that it remained “the strongest in the world.”
The U.K.’s plans for self-determination, he warned, could be a “mistake.”
‘Go Its Own Way’
Chris Pounder, director of the U.K. data-protection training company Amberhawk, said the U.K. was likely to “go its own way” on privacy law.
“There’s a public statement by Boris (Johnson, U.K. prime minister) saying the U.K. will follow its own data protection course,” Pounder told Digital Privacy News.
In February, Johnson told Parliament: “The U.K. will in future develop separate and independent policies in areas such as … data protection.”
Pounder argued that the U.K. might fail to obtain an adequacy decision if it used its powers to weaken citizens’ data rights, to alter the fundamental principles of data processing or to remove safeguards on sensitive personal information.
However, if the U.K. and the EU arrive at a post-Brexit trade deal, Pounder said he believed the European Commission could “fudge” an adequacy decision — even if the U.K. did not strictly meet EU privacy standards.
“The commission’s got a track record on this,” he said.
“For example, if you take the American position on Privacy Shield and Safe Harbor — the commission knew there were problems,” Pounder noted. “But essentially, they came to a deal.”
The Privacy Shield and Safe Harbor frameworks were programs designed by the commission to enable data transfers between the EU and U.S.
The EU court invalidated the Safe Harbor framework in 2015 and the Privacy Shield framework this July. Both programs were deemed not to provide an adequate level of protection over personal information.
If the U.K. does not secure a trade deal, Pounder believes that an adequacy decision is less likely. This would allow the U.K. to depart more radically from the EU’s data-protection standards.
“Of course, the government has the powers to modify any article of the U.K. GDPR,” Pounder told Digital Privacy News. “If it wanted to modify (data) rights, it could do so.”
Robert Bateman is a writer in Brighton, U.K.
Sources (external links):
- UK Government: National Data Strategy – GOV.UK
- The Guardian: Dominic Cummings’ data law shake-up a danger to trade, says EU