Alongside disagreement on the Northern Ireland Protocol, relationships between the EU and the UK look set to be further tested over UK plans to rewrite its data laws.
The EU has threatened to withdraw from a data-sharing agreement with the UK if post-Brexit plans by the UK Government to change its data protection laws pose a threat to EU citizens’ privacy.
On 26 August, the UK Government published a package of measures which it says will help seize the “opportunities of data”, aiming to boost growth, trade and improve its public services.
Among the proposed changes to data protection law, which the UK Government intend to consult on, is the removal of cookie pop-ups informing internet users they are being tracked, something critics have pointed to as a smokescreen to cover the broader weakening of good data protection practices.
The move by the UK comes swiftly on the heels of EU governments signing off on plans to recognise UK data protection standards as aligned to those that apply in the EU, in January 2021. The ‘adequacy decision’ status, something similarly enjoyed by the likes of Canada, Switzerland, and New Zealand, was broadly welcomed by businesses, particularly multi-national companies.
“It means reforming our own data laws so that they’re based on common sense, not box-ticking.” Oliver Dowden, UK Digital Secretary
However, following the UK’s recent announcement, the EU has said that it is monitoring the moves by the UK closely and warned that where actions threatened the privacy of its citizens, it would immediately revoke its existing data-sharing arrangement with the UK.
Brexit has offered the flexibility for the UK to rewrite its data protection laws. In making the announcement, the Government set out its intention to seek global data partnerships with the US, Australia, and the Republic of Korea.
“The Government is outlining the first territories with which it will prioritise striking ‘data adequacy’ partnerships now it has left the EU as the United States, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia.
“It is also confirming that future partnerships with India, Brazil, Kenya and Indonesia are being prioritised.”
The UK’s Digital Secretary Oliver Dowden MP also announced John Edwards, currently New Zealand’s Privacy Commissioner, as the preferred new Information Commissioner to oversee the shake-up.
Dowden says: “Now that we have left the EU, I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK.
“That means seeking exciting new international data partnerships with some of the world’s fastest growing economies, for the benefit of British firms and British customers alike.
“It means reforming our own data laws so that they’re based on common sense, not box-ticking. And it means having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation. John Edwards’s vast experience makes him the ideal candidate to ensure data is used responsibly to achieve those goals.”
The UK’s data protection regime was last updated substantively in 2018 when the General Data Protection Regulation (GDPR) took effect alongside a new Data Protection Act, implementing the 1995 EU directive and had been in force since 1998.
GDPR was transposed into UK law, with minor changes, following Brexit, closely aligning the UK’s data protection laws with the remaining 27 EU member states. However, in its national data strategy published in 2020 the UK Government indicated that it could deviate from EU law in the area of data protection. While the Strategy acknowledged the importance of “regulatory certainty and high data protection standards”, it also stressed a desire to see UK data protection laws “to remain fit for purpose amid rapid technological change”.