The United Kingdom’s keenness to agree to its own data adequacy decisions with countries like the United States could become a contentious issue with the European Union, according to one of the bloc’s main data privacy regulators.
The European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, told Compliance Week that while EU-U.K. transfers may be safe, the European Commission has concerns about how such data is then transferred to third countries not considered to have the same level of data protection—the United States being one.
As part of its post-Brexit economic plans, the U.K. government wants to streamline some of the compliance requirements around the General Data Protection Regulation (GDPR)—especially regarding consent—to make it easier for tech companies and data-driven businesses to use personal data to innovate.
It also wants to make its own adequacy decisions to enable data transfers with other countries, most notably the United States, Australia, South Korea, Singapore, and Dubai.
The government has set up an International Data Transfers Expert Council to help on both counts.
“The GDPR is there to protect the personal data of all EU citizens. While the EU has adequacy agreements in place with third countries like the U.K. whose level of data protection is the same, there are concerns about how—and with whom—that data is then shared when transferred outside of the U.K.,” said Wiewiórowski. “This could create problems in the future.”
Wiewiórowski added that divergence between the EU and U.K. versions of the GDPR is another potential problem in the long term.
“If you have two systems which are supposed to be based on the same rules and principles but one side wants to change them, then it raises questions about adequacy with the EU in the future,” he said.
Under the U.K.’s draft Data Reform Bill, businesses will still need to adhere to the strict privacy rules set out under the U.K. GDPR, but they will not be required to demonstrate compliance by having dedicated data protection officers or conducting data protection impact assessments.
The U.K. government, as well as the Information Commissioner’s Office (ICO), hopes the changes will reduce the compliance burden on smaller businesses where the risk of harm from data misuse or data breaches is low.
Experts have largely said the changes do not appear to be out of sync with the EU GDPR but have also made it clear it is up to the European Commission to decide whether the U.K.’s version of the GDPR is compatible with its own.
Currently, the U.K.’s adequacy agreement with the European Union is up for renewal in 2025, when a new Commission takes over.
Wiewiórowski believes “at first glance, the proposed reforms have been made to reflect professional concerns rather than political statements. Compared to what the U.K. was proposing last autumn, these proposals are professionally thought-out and are not just political propaganda.”
However, the EDPS said “we are a little afraid” over the plans to change the structure of the ICO and whether it will remain sufficiently independent.
The U.K. government intends to “modernize” the data protection authority so it has a chair, chief executive, and board while also revising the U.K. GDPR framework to make it clearer what the DPA’s duties and objectives should be.
“The ICO has a very good record as a regulator and is one of the best assets of data protection in the U.K.,” said Wiewiórowski. “Any changes that make it less independent or require it to push through a political agenda will naturally force the Commission to raise concerns, ask questions, and seek assurances.”
On a positive note, Wiewiórowski believes the Commission could regard the U.K.’s moves toward a more flexible GDPR as a kind of “sandbox” experiment to see how the rules could be changed and possibly improved.
“If the U.K.’s reforms work, the European Commission could try to follow suit,” he said. But he added, “Only after 2025 when a new Commission comes into place. There is no political appetite to change the text of the GDPR until then.”
One area where the EDPS—and others—want change is in enforcement.
Last month at the EDPS data conference, Wiewiórowski called for closer cooperation between the EU’s DPAs to speed up investigations and regulatory decisions involving cross-border complaints against Big Tech firms.
However, the same invitation cannot extend to European DPAs outside the European Union even though they may have adopted the GDPR, such as Switzerland and the United Kingdom, because they are not members of the European Data Protection Board (EDPB), the body that oversees GDPR enforcement.
Instead, Wiewiórowski believes there could be “a special cooperation status for non-EU countries to work with the EDPB” on issues such as cross-border enforcement cases.