Legal experts have expressed serious misgivings about aspects of the UK government’s proposed changes to data protection legislation, claiming they may risk ending streamlined data flows with EU countries.
The long-awaited and much-trailed Data Protection and Digital Information Bill has been billed as the UK’s attempt to update its legal framework post-Brexit.
However, the balance between improving on the GDPR and diverging too far away from it is key. If the latter happens, then the EU may reconsider the 'adequacy' agreement which allows data to flow freely to and from the UK, with serious financial consequences for British businesses.
“With the multiple amendments proposed in the bill, the UK GDPR is starting to look quite different to its European cousin,” warned Jon Baines, senior data protection specialist at Mishcon de Reya.
“The more the two regimes diverge, the more there is a risk that the EU might question whether it still considers the UK to have an ‘adequate’ regime for the purposes of data transfers.”
Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy and cybersecurity practice, had similar concerns.
“The GDPR isn’t perfect and it would be foolish for the UK not to learn from those lessons in its own approach, but it’s walking a tightrope between improvements to the current framework and performative changes for the sake of ripping up Brussels red tape,” he argued.
“My initial impressions of the bill are that the government has struck the balance in favor of business and overlooked some civil society concerns, so I would think that reduced rights and safeguards for individuals will be areas that are targeted for revision before the bill is finalized.”
The bill also seeks to reduce the independence of data protection regulator the Information Commissioner’s Office (ICO), a world leader in privacy regulations which was instrumental in drafting the GDPR.
“It’s disappointing that the government has stuck to its view that parliament needs greater influence over the ICO – particularly as watering down regulatory freedom whilst trumpeting the UK’s own independence smacks of hypocrisy,” said Machin.
“The ICO is not a trigger happy or sleepy regulator so it’s hard to see the logic of a change that risks undermining its status on the global stage for negligible domestic benefit.”
There are also concerns that the government will have too much power to change the legislation without requiring the scrutiny of lawmakers.
“Overshadowing everything is an ability for the secretary of state to amend anything they feel like about the text of the UK GDPR through regulations, circumventing parliamentary debate,” wrote UCL associate professor in digital rights, Michael Veale.
“This should not happen in a parliamentary democracy, is an abuse of powers, and must not pass.”
Digital minister Matt Warman echoed Brexit talking points in his summary of the proposals.
“The bill will sustain and scale the UK’s approach to supporting international data flows by capitalizing on its independent status to strike partnerships with some of the world’s fastest growing economies,” he claimed.
“Reforms will ensure that the mechanisms to transfer personal data internationally are secure and flexible to help British businesses grow.”