UK shift away from GDPR is bold, ambitious, but risky
The British Government’s latest plans for a data-led economy, which will see it move away from GDPR principles, contain some good ideas. However, they put the UK at risk of losing frictionless data flows with its largest trading partner, the EU.
The UK has announced its determination to depart from the terms of the EU’s General Data Protection Regulation (GDPR), the provisions of which are cast into UK law under UK GDPR and the Data Protection Act (2018). A Data Reform Bill will be put before Parliament in the Summer.
The aim is to create what the government calls a new “pro-growth and trusted data regime” under the National Data Strategy, at a time when the global direction of travel – including in the US – is towards GDPR-style rules, and not away from them.
The new 27,000-word report represents the government’s written response to a 10-week consultation programme, ‘Data: A New Direction’, which was launched in September 2021.
According to the government, that consultation attracted nearly 3,000 responses from the UK and overseas, with two-thirds coming from online. Those findings were debated with business, academics, privacy rights groups, and other interested parties.
Industry body techUK has welcomed the proposals, saying:
At its introduction the GDPR was not perfect. The challenge in reforming it has always been how to retain key protections for citizens while introducing clarity and flexibility to enable growth in data-driven innovation, and new technologies such as AI.
The reforms find a good balance between making the UK’s data protection system clearer, more flexible, and more user friendly […]. [But] there are some outstanding questions about how exactly these reforms will work in practice.
Meanwhile, Isabel Simpson, Global Data Protection Lead for KPMG Law, said:
How companies use data is changing all the time, so an agile, pragmatic, proportionate approach to how information is stored and managed is welcome.
Data protection must be embedded within company culture, rather than merely a box-ticking exercise, in order for firms to achieve the best outcomes for all stakeholders.
“Empowering the citizen”
In its introduction to the report, the Department for Digital, Culture, Media, and Sport (DCMS) explains:
We want to create a framework which empowers citizens through the responsible use of personal data. Our reforms will give individuals greater clarity over their rights and a clearer sense of how to determine access to, and benefit from, their own data.
This suggests a new regime of similar spirit to Open Banking, perhaps, in which the UK is both leader and prime mover, with a thriving FinTech economy.
However, the document also stresses that many barriers to “the responsible use of personal data” (as opposed to open data) by business will be removed. As a result, there will be greater opportunity for organizations to use automated decision-making tools on that data, presumably powered by artificial intelligence (AI), machine learning (ML), and digital employees (software robots).
This raises a red flag. The government’s own research – cited at an April Westminster policy eForum by Tabitha Goldstaub, head of the UK’s AI Council – found that just 15% of businesses train their employees in ethical AI usage. It stands to reason that the “responsible use of personal data” in this context is predicated on organizations’ having good knowledge of ethical principles.
The same labour market research cited by Goldstaub found that 100,000 UK posts in AI and data science are unfilled, because of a lack of relevant business and technical skills.
Taken together, this means that there is a real risk of the government’s bold plans for a dynamic, barrier-free, responsible data economy relying on skills that are largely absent in the UK.
Other research has found that many businesses deploy AI tactically to cut costs, and not strategically to make their businesses smarter (see diginomica, passim). That does not bode well for the government’s plans either.
The new report then makes an odd and inaccurate point:
This includes the use of repatriated ‘adequacy’ powers from the EU to remove inappropriate barriers to the flow of UK personal data overseas in support of trade, scientific collaboration and national security and law enforcement cooperation.
It is true that the UK is now free to strike deals outside of Europe under its own data regulations (should they chime with those of partner nations, with Singapore cited as a country to emulate). However, it is entirely in the EU’s power to suspend or withdraw the critical data adequacy decision it has granted the UK – which is time-limited, carrying a four-year sunset clause, and subject to ongoing review – should the UK depart too far from the terms of GDPR.
This is no minor concern. According to government figures, in 2021 the EU accounted for 42% of all UK trade, down from 46% in the previous year. While the US is Britain’s biggest national trading partner (with 13% of exports), eight of the top 10 are in the EU, including Ireland. This is what makes the EU by far the UK’s biggest market – along with its proximity, of course.
And that’s not all. Some 80% of UK economic output is in the services sector, again according to government figures. This makes UK trade deeply reliant on the free flow of data with the EU. Put simply, data adequacy is critical to UK economic prosperity.
At a time of high-handed rhetoric from the government towards its European allies and, conceivably, a looming trade war triggered by UK plans to tear up the Northern Ireland Protocol, the UK’s assumption that its data adequacy agreement with the EU is both future-proofed and guaranteed is, in reality, built on quicksand.
Data adequacy is dependent on mutually agreed regulations – on GDPR, which the UK has signalled it wants to set aside or modify. And it is also built on trust. At the moment, international trust in the British government is in short supply, given No 10’s cavalier attitude to its own, recently signed, agreements.
Even the US has warned Westminster not to tear up the Northern Ireland Protocol – a plan that Irish Taoiseach Micheál Martin has described as “economic vandalism”. But there is no sign that the UK is listening. All of this puts data adequacy at risk.
Look at clouds from both sides now
And there’s another concern in this regard, one which often appears lost on Whitehall policymakers: the cloud.
As diginomica likes to remind its readers, ‘the cloud’ is data centers built on land under local and regional regulations. It is not some free-flowing fog of code that floats across national borders at will.
For UK organizations – including multinationals and British companies that have set up shop in the EU to sidestep Brexit bureaucracy – many of those data centers are in Europe, and not on British soil. In practice they sit wherever it is cheapest for their owners to build, and wherever is closest to the largest number of customers.
While the UK is second only to Germany as a national home for data centres and colocation facilities in Europe (448 versus 453, according to Statista figures) there are nearly 2,000 data centres across Europe as a whole. Many of those are operated by major IT and cloud services providers, including the likes of Microsoft, Amazon, IBM, Salesforce, Oracle, Google, Apple, et al.
This means one thing that cannot be ignored by the government: most UK organizations’ data is hosted, processed, and/or stored in Europe at least some of the time, or passes through it en route somewhere else.
And in a global, increasingly cloud-based or hybrid economy, many organizations have no idea where their data is at any given point. Those organizations rely on their cloud providers to sort out such complexities, but at the moment they do so with the UK/EU data adequacy agreement in place.
Therefore, the risk of losing data adequacy with Europe at some point in the future (when the UK has, hypothetically, gone too far beyond the terms of GDPR) would spell serious trouble for British organizations. Without adequacy, every transfer of personal data from the EU to the UK would need its own legal safeguard, such as standard contractual clauses, negotiated and documented transfer by transfer. Critical data – including UK government data – could in effect become marooned in Europe until those safeguards were in place. The ICO has warned about this scenario many times in the past.
The sense that the UK blames the EU for what it perceives to be unreasonable economic barriers is palpable, despite the UK erecting them by not only leaving the EU (the political union) but also, bafflingly, the Single Market. The report says:
Our reforms will mean that UK scientists are no longer impeded by overcautious, unclear EU-derived rules on how they can use people’s personal data. We will provide scientists with the clarity and confidence they need to get on with life-enhancing and life-saving research.
We will simplify the legal requirements around research so scientists can work to their strengths. Having legal clarity on what they can and can’t do means they can pour more effort and resources into innovating.
There’s also a lack of awareness in the document that the UK has walked out of one of the largest data sets in the world: the EU, which has data on nearly 450 million citizens.
On its own, the UK has data on just 67 million people, much of it in silos. Seeking to commercialize that unavoidably places the NHS at the heart of a future data economy: a unique public sector data set unmatched by healthcare data in other countries.
On trust and transparency, the government says:
We are committed to maintaining these important principles. We will ensure that high standards of data protection and the UK’s historic commitments to upholding these to maintain public trust in use of personal data will continue to be at the heart of our regime, while providing greater flexibility to organizations to find the most effective and proportionate way of protecting people’s personal data.
The UK’s data protection regime will be future-proofed, by enabling organizations to focus on investing time and effort in delivering what matters – important privacy outcomes – rather than ticking boxes. This will enable our laws to keep pace with changes to the technological landscape without disrupting regulatory certainty.
Few would argue that GDPR is perfect. Its public face has long been the endless tick boxes and consent forms that we have to click through online, not to mention the occasional blank page from US sites that don’t conform to its provisions. But those irritating screens mask the better aims of GDPR: to protect citizens against the might of data-hoovering behemoths like Facebook, Google, and Amazon.
Indeed, the fact that some companies make their consent screens deliberately time-consuming to fill in (so users click ‘Accept all’) arguably suggests that they can’t be trusted with personal data. After all, they are trying to bounce people into divulging it.
Despite all this the government claims:
Almost all organizations that comply with the UK’s current regime will comply with our future regime. The limited number of new requirements are things that are already good or best practice and that many businesses already have in place.
The UK’s data protection regime will deliver concrete advantages for the UK while preserving data subjects’ rights and the independence of our regulator, creating a net benefit for businesses and society as a whole.
According to the government, the consultation found broad agreement with many of the proposal’s aims, including changes to research provisions, reform of the ICO, and increasing clarity and transparency in the police use and retention of data.
However, it acknowledges that concerns have been raised about some proposals. These include:
- charging a fee for subject access requests
- whether the government should have a role in enabling data intermediaries
- removing the need for data controllers to carry out a ‘legitimate interests balancing test’ when children’s data is involved
- removing the right to human review of automated decisions
- the potential exclusion of political parties from rules on direct electronic marketing
- the impact of these reforms on the ICO’s independence.
Some of these are witless, grubby ideas: charging a fee for access requests, for example. But others are more troubling, particularly removing the right to question automated decisions – dangerous in the extreme – and excluding political parties from rules on direct electronic marketing.
Potential encroachment on the ICO’s independence is a worrying development, at a time when the government has stated it wants its data regulator to be more enabling of commercialization, and less focused on citizens’ privacy.
In total, this lengthy, bold, and (to its credit) open and discursive document is both ambitious and betrays a worrying naivety and cynicism. More, it places excessive trust in private business when it comes to the handling of personal data.
The direction of travel is, albeit slowly, towards the type of data economy that an Amazon, Google, or Facebook would celebrate, which was precisely what GDPR was designed to prevent. If pursued further, this alone suggests that the government may put at risk data adequacy and our trading relationship with the EU – and with it, the UK’s data economy and services sector.
This morning Dr Andrea Coscelli, CBE, CEO of the Competition and Markets Authority (CMA), warned that the UK is falling behind Europe in reining in the power of Big Tech.
We all want the UK to have a thriving, modern, data-led economy – and it’s not impossible that the EU might follow suit by adapting its own regulations, though that seems unlikely. But Whitehall urgently needs to lose its cavalier disregard for detail. Unless it better understands the data economy it seeks to boost, the government may put the whole thing at risk.
It's not like a destructive lack of attention to detail has never happened before in Westminster. And we are all still living with the consequences of that.