The United Kingdom last week announced plans to strike independent data adequacy decisions with key countries—including the United States—as part of its post-Brexit economic strategy.
The development could pave the way for the United Kingdom to diverge from the EU’s General Data Protection Regulation (GDPR). Along with the United States, the territories it will prioritize partnerships with include Australia, South Korea, Singapore, the Dubai International Financial Centre, and Colombia.
Future partnerships have been penciled in with India, Brazil, Kenya, and Indonesia.
The U.K. government says it will explore alternative data transfer mechanisms to remove barriers to trade, including issuing new standard data protection clauses, using certification schemes, and approving international industry-specific codes of conduct that are “currently underutilized.”
The United Kingdom currently has 42 adequacy agreements in place, including with all but one of the EU’s 27 members (Estonia).
The government also announced it will launch an International Data Transfers Expert Council to “provide independent and expert advice, of both a technical and tactical nature, which will enable the government to deliver on its mission to champion the international flow of data.”
The U.K.’s data regulator, the Information Commissioner’s Office—whose role has been expanded to promote economic growth and innovation through data use—will help develop and approve the adequacy agreements.
In a statement, Digital Secretary Oliver Dowden said, “Now that we have left the EU, I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the U.K.”
“It means reforming our own data laws so that they’re based on common sense, not box-ticking,” he added.
Dowden has previously singled out policies around “pointless” cookie requests, pop-ups, and consent requests as areas where the United Kingdom could now diverge. However, consumer groups and privacy campaigners are likely to challenge changes that reduce citizens’ rights to have control over what personal data is collected and how it is used.
Some experts say the United Kingdom is trying to show there is room for divergence from EU data protection law while still retaining the GDPR as a framework. The European Union is monitoring the situation and would rescind adequacy—which was only finalized two months ago—“in (a) case of justified urgency” if the United Kingdom strayed too far away from the data rules, a spokesperson told the Financial Times.
Helen Snow, senior associate at law firm Geldards, believes the removal of barriers to the flow of personal data “will undoubtedly assist businesses and other organizations operationally and financially.”
But she adds, “The U.K. is unlikely to radically depart from the GDPR for fear of jeopardizing its own adequacy decision from the European Commission,” which is not due to expire until June 27, 2025.
Phil Parkinson, head of commercial law at Blacks Solicitors, says the proposals present a risk that companies might need to comply with two different sets of GDPR rules—one for EU citizens and one for U.K. citizens—if the EU’s adequacy decision for the United Kingdom is revoked. This scenario would likely require more resources, including time and money, he adds.
“It’s questionable that organizations want to be presented with differing international rules to manage privacy when dealing with online services, which are often extraterritorial,” says Peter Galdies, consultant at data risk management firm DQM GRC. “The added complexity often means organizations have to default to the most restrictive set of legislation rather than engineer and manage complex privacy rules. For many organizations, such divergence would create more problems than it might actually solve.”
Some doubt the United Kingdom can forge independent relationships with third countries without rubbing the European Union the wrong way, particularly regarding the United States, whose strong surveillance laws have derailed previous EU-U.S. mechanisms to transfer data safely.
“Until the U.S. has a single, federal data protection regime that delivers equivalent legal protection for data subjects, as is available under EU law, the European Commission will not recognize it as having an adequate data protection framework,” says Alan Calder, executive chairman at cyber-risk firm IT Governance. “If the U.K. were to enter into a data-sharing partnership with the U.S. that undermined the EU position, then the U.K. will find its adequacy decision revoked.”
Isabel Ost, data protection lead for Big Four firm KPMG’s Law team, believes reports that the government’s intentions would mean a significant departure from the GDPR are “premature.”
“Provided the substantive expected protections are achieved, adequate protection for personal data can result from a wide variety of legislative approaches, as demonstrated by the recipients of EU adequacy decisions,” says Ost. “Whether the final proposals can be considered adequate will depend upon their terms and, until more is known, companies should not be concerned.”