UK data protection - on the horns of many dilemmas

Data regulation reform is at the heart of the political challenge facing the UK. The government – locked in one self-made crisis after another as bigger crises grip the world – wants more growth and productivity, but the figures show both are flatlining. 

With national strategies for data, AI, robotics, space tech, and more, plus a data protection watchdog (the ICO) tasked with enabling the commercialization of data, how the government regulates data protection outside the EU is a core challenge. Not least because the global direction of travel is towards GDPR-style rules, just as the UK decides to (perhaps) go in a different direction. 

Either way, a new data protection Bill/Act for the UK is incoming, one that (theoretically) sweeps aside the need for both the Data Protection Act 2018 and UK GDPR.

Also in the frame is something critical but under-appreciated: the UK’s data adequacy agreements – particularly with the EU, but also with other partners. Stray too far from what the EU regards as acceptable, then Whitehall would have a big problem on its hands. UK data sits in or passes through European data centres daily and eight of the UK’s top 10 trading partners are in Europe.

The UK cannot afford to lose adequacy, therefore, and the consequences would be catastrophic. So, despite the UK’s newfound independence, it can’t stray too far from the European model: one of those moments when reality and ideology are at odds with each other.

And if that’s not enough, there’s another problem: Westminster’s constant upheaval, u-turns, and policy changes, with new Prime Ministers and Cabinets arriving like busses. The machinery of government is left stalling or idling while the Conservative party fights among itself. As a result, key decisions are pushed back, and confidence is low. 

Arguably, the upheaval has been ongoing since leaving Europe, with one peer describing every decision in Whitehall as being “impaled” on Brexit.

All this provided the context for a Westminster eForum policy conference on next steps for data reform – a recurring topic over the past five years, with speaker after speaker often reduced to saying:

Well, obviously we have to wait for the government’s announcement on X.

All too often, the topic leaves delegates kicking generalities around, largely because clarity is absent. The sense that, since the Brexit referendum, ministers have just been making it up as they go along is sometimes hard to avoid. There are strategies, but is there a strategy? A substantive vision beyond the rhetoric about being a “superpower” or the desire for growth?

Giving the keynote this week, Paula Barrett, Partner and Co-Lead for Global Cybersecurity and Data Privacy at law firm Eversheds Sutherland, said:

We heard from the Secretary of State earlier this month, confirming the desire to create a new data protection law that would take the UK forward with a huge simplification of the legislation, while maintaining adequacy.

Why is adequacy important? We’re blessed with being an island, but are part of a global economy and it is important for us to use and share data. But to do so wisely, cognisant of the need to protect that data, and the impacts it can have on individuals when we don't. 

I would say that we have never been at a point where there's been more change going on in the world in relation to data […] As we look at the potential for change, it’s important to bear in mind that even those jurisdictions that have had legislation for some time, like Canada, are revisiting that legislation to enhance its protections, enhance the rights given to individuals, and GDPR is the model that they are all looking to.

But at this point in time, we are also seeing a particular rise in data sovereignty and protectionism, as governments look to restrict where data about those residents in their jurisdictions can be located.

Keeping pace 

One industry more than most has complicated the data landscape, creating tensions between citizens/consumers and Big Tech platforms: the advertising and marketing sector. The sense that some companies regard consumers as the real product they sell to partners is both strong and hard to walk back.

Chris Combermale is CEO of the Data and Marketing Association (DMA). In a presentation that seemed very ‘on message’ with recent government announcements, he said:

Trust in data exchange is essential to growth and therefore a high level of data protection will be maintained, with all of the core concepts within EU and UK GDPR maintained. The Secretary of State and other ministers and DCMS officials have been clear that they understand this and that maintaining adequacy with the EU is the number-one imperative. The loss of adequacy would be an anti-growth measure. So, it's absolutely imperative that adequacy be maintained.

But in terms of my remit at the DMA, there is nothing more fundamental than the right to conduct business to find new customers and retain existing customers. So, there are further amendments we'd like to see before the Bill is resubmitted to Parliament. Probably the most important for us is greater recognition of legitimate interest for direct marketing. 

At least £1.5 billion [$1.7 billion] of lost GDP is because companies are nervous about using data, especially third-party data that has been collected on the basis of legitimate interest, even though it's clear that it can and should be used.

Julian David is CEO of industry organization techUK. He added:

We have 930 member companies, and they represent a huge part of the tech industry, including many SMEs. A big flavour of what we think is good about the current proposals and their potential for future improvement really centers on small companies. And we think that the opportunity to improve on European legislation is something that should be grasped. 

However, in doing this, one of the things we must bear in mind is not just the opportunity within the UK, but how the UK identifies its role in the world when it comes to global debates on data flows. 

And we think now is the time to take the steps to ensure that the law will be able to keep up with technological developments, such as the rise of artificial intelligence and automation. And by building this custom approach, backed by a world-class regulator, we can not only get the right system for the UK, but also influence abroad.

David stressed his general support for GDPR and for maintaining data adequacy, but added:

One thing that was clear to us was that clarity and certainty around how to use data under GDPR was in short supply. Many businesses simply were not using data to the fullest extent because of concerns about the dividing lines between where it's okay to process data and where it is not. 

We would like a government to build a more tailored approach for compliance for smaller companies whose data usage is relatively modest, as well as providing certainty for all businesses, particularly businesses who are asked to share data with public authorities – which is an area we don't think there's enough clarity about.

We also need to make clear that automated decision-making should be on this list, otherwise this reform will be outstripped by technological developments. 

Lastly, it’s a very uncertain time, although there's great opportunity for businesses seeking to transfer data abroad, and so we want to ensure this Bill makes it very clear the tools that UK businesses have to do that.

The first is derogation in the law for data transfers. And the second is to make it easier for UK businesses to return data that came from outside the UK back to its origin point – a so-called reverse transfer exemption. Those two proposals were originally discussed but not taken forward in the final Bill, and we think they should be brought back.

My take

These debates will rage for months to come. But one thing is clear: the UK is far from clear where it really stands in the world, and that lack of focus is hurting business – and politics.