
UK Data Protection Plans Take Shape Post-Brexit: Partnerships With Countries Frozen Out by EU Privacy Rules, General Reduction of Compliance Requirements

Having formally broken with the European Union and the governance of the General Data Protection Regulation (GDPR), the United Kingdom is now firming up what its data handling and privacy rules will look like post-Brexit. The lead item in a new package of measures is an announcement of partnerships with countries that have lost “trusted partner” status in the EU, most notably the United States.

The UK government also named a new Information Commissioner, and announced it would be launching a consultation to find new ways to spur trade and innovation online.

UK forges ahead with post-Brexit partnerships

The UK is prioritizing several countries with which to work out its own equivalent of the GDPR’s “data adequacy” agreements, and the US appears to be first on the list. Other early priorities include Australia, South Korea, Singapore, Dubai’s financial center and Colombia. The EU recently recognized South Korea as an adequate partner under the post-Schrems II terms of the GDPR, but does not currently recognize any of the other listed countries due primarily to a lack of equivalent data privacy laws. The UK government also said that Brazil, India, Indonesia and Kenya would be high on the priority list. Collectively, the UK exports about £80 billion in data-related services to these countries each year.

New Zealand Privacy Commissioner John Edwards was also named as the UK’s preferred candidate to become the next Information Commissioner, with the government stressing that it wants to expand this role from protecting data rights to a “balanced approach” that seeks to spur economic growth. The UK estimates that it can grow its online trade by as much as £11 billion if it tackles present issues with restrictions caused by data transfer laws and privacy rules. Edwards has yet to formally accept the offer, but expressed his gratitude for being selected. He would also need to go through a confirmation process and receive approval from the Queen.

Press releases from the UK government have stressed the desire to be “pro-growth” and “innovation-friendly” in the establishment of new post-Brexit privacy rules. As to how the country will assess partner adequacy, it also published a “UK Data Adequacy Assessment Manual” that outlines the evaluation process.

Balancing privacy rules with economic desires

Questions about the degree to which the UK would diverge from GDPR standards and privacy rules post-Brexit have been swirling for some time now, particularly with continued talk from government officials about prioritizing economic opportunity. Culture secretary Oliver Dowden summarized his desired approach as “common sense over box-ticking” and gave some examples of what the new privacy rules could look like to the end user: no more mandatory consent agreements, cookie popups and lengthy notification boxes when visiting websites. Dowden has said that limitations on data sharing temporarily lifted for the Covid pandemic should be made permanent.

Whether that actually serves the end user’s need for protective privacy rules remains in question, particularly given that the UK is relying on adequacy agreements. Should the partner country not have an equivalent federal-level privacy law, as in the case of the US, the concern is that the UK will simply be lowering its own standards to match those that it sees as the most immediately profitable.

Privacy advocacy organization Open Rights Group is already campaigning against the new post-Brexit privacy rules scheme, saying that Dowden wants to trade the private information of citizens like “oil.” Privacy advocates are also raising concerns about the state of data security in such a climate, worrying that fairly robust protections previously provided by the GDPR will be undermined.

The issue that forced the EU-UK data transfer split was the Schrems II decision, the culmination of a lengthy court battle that initially began over Facebook’s transfer of EU citizen data to the US for processing. The case was prompted by the Edward Snowden revelations of mass interception of data by the US government and spying on foreign leaders. Without federal privacy rules in place guaranteeing protection from actions such as these, the GDPR must now view the US as not having adequate protections in place to be viewed as a safe data transfer partner from a national security perspective.

The UK must be careful in this, as it looks to maintain its existing “trusted partner” status with the EU. Being too loose with passing EU citizen data on to “third countries” that do not meet GDPR standards could cause issues with its most significant neighbors and trading partners. Though early speculation tends to lean toward the post-Brexit direction being a cynical profit-focused enterprise, Bojana Bellamy, President of the Centre for Information Policy Leadership (CIPL), a global privacy and data policy think tank based in Washington, DC, Brussels and London and founded by international law firm Hunton Andrews Kurth, lays out a case for an optimistic view of the situation:

“1. The UK plans do not necessarily mean divergence from GDPR. It is possible to improve the data privacy regime and how it works in practice without lowering the level of protection for individuals. This is a positive development and should be encouraged in the UK and in the EU, too.

2. UK ambitious international data flows and adequacy plans are the right thing to do. The government recognises the importance of data flows for economy, people and society at large and wants to enable trusted and responsible data flows. Just because the UK government may be more agile, flexible, risk-based and outcomes-driven in how they determine adequacy does not mean this will result in lower level of protection for people and their data. In fact, likely the opposite is the case. Looking at a whole picture of how privacy protections work in practice in third countries may be better for individuals than a theoretical line by line comparison of legal texts. We should not be judgemental of countries doing things their own way as long as they achieve the same outcomes.

3. Businesses in all sectors will welcome a more seamless post-Brexit regime for data transfers and adequacy decisions in respect of more countries. Data privacy officers are spending too much time and precious resources on dealing with legalities of data flows from the EU, especially in the aftermath of Schrems judgement, instead of doing more pressing work on privacy by design, risk impact assessments and building long term privacy culture and programmes for the new digital economy. I hope the UK example will inspire the EU and other countries to follow suit.”