Risk vs Reward: The UK’s New Direction on Data

Proposals to encourage economic growth and innovation are welcomed, but moving away from GDPR still has its risks.

 

Since the UK left the EU, the government has been seeking to adjust regulations in search of the elusive Brexit dividend. One of the key areas of focus has been data, where the government hopes adjustments to GDPR can retain privacy protections while removing those elements which it feels stifle innovation. This is a delicate balancing act and, as we’ve seen in the responses to the government’s consultation, it creates several issues…

 

1.      Interference with the ICO

Some elements of the consultation would appear to limit the independence of the Information Commissioner. The government wants the ICO to have regard for the Secretary of State’s ‘statement of strategic priorities’, and innovation and growth when taking any action. The state could also have powers to reject the ICO’s code of conduct and regulatory guidance. In its response to this document, the ICO pointed out that this would hinder its ability to carry out oversight without ‘fear or favour’.

 

2.      Equivalence

This increased interference raises another fear – adequacy. Under GDPR, external states are judged on whether their data laws provide equivalent protections to GDPR. Any changes to UK law which fall short could create problems. While the government stresses its intention to build on, rather than subvert, data protection agreements, its new direction could endanger that status. For example, under GDPR, all information regulators must work independently from the state. This would seem to run counter to the government’s aim to have more control over the ICO’s actions.

 

3.      Balancing tests

Another area of contention is the balancing tests. Under current regulations, data controllers must identify lawful grounds before processing data. Among these is establishing that the processing is necessary for the legitimate interests of the controller. However, this only applies if the organisation’s interests are not outweighed by the interests of the individual. The government believes this is complex and hard to define. It proposes removing this balancing test. It would publish a list of pre-approved legitimate interests on which organisations could rely without having to balance against an individual’s rights. The ICO has said more detail is needed, especially as many organisations have already invested in implementing such balancing tests. Pre-approved lists risk being overly generic, which could create confusion.

 

4.      Data breach reporting

The government could loosen guidelines on reporting data breaches. Only those which are likely to create a risk to the rights and freedoms of individuals, and which are material, would need to be reported. This would diverge from EU standards, which can create more problems for any country with a multinational footprint.

 

In general, there is support for a regime which is geared towards economic growth and innovation. In an ideal world, this is simply the government seeking to tweak GDPR to keep those aspects it approves of and eliminate those which threaten growth and innovation.

 

Even so, any divergence from EU regulations creates complexity for companies holding data in multiple jurisdictions as well as raising questions about whether UK regulations would continue to be considered adequate for the purposes of GDPR. While the government’s new direction has been welcomed in many places, the devil will be in the detail.

 
