Back in 2018, long before we’d ever heard of wet markets, pangolins and a mysterious bug called the coronavirus - or indeed a psychopathic madman had decided that he is Peter the Great and therefore entitled to invade a neighbouring country and have his soldiers slaughter anyone who gets in their way - we were preoccupied by more mundane things. Let’s be honest, the events of the last few years have rather put these largely boring aspects of business life in perspective, but that doesn’t mean that they aren’t in their own way important.
One of these mundane things was the introduction of the EU’s General Data Protection Regulation (GDPR). At the time, it seemed a good idea and, to be fair, the thinking behind it made a lot of sense. However, that doesn’t mean it wasn’t without its flaws, as this 2018 blog argued, noting that the vast majority of us simply can’t be bothered with going through the rigmarole of having to personalise cookies and saving our preferences every time we log on to a website, even one we visit many times.
One of the much-touted changes that became possible after Brexit was an overhaul of the way in which GDPR works in the UK. The thinking was that replacing the current regulations with a new set of data protection (DP) laws that are more flexible will reduce the administrative and legal burden placed on businesses.
However, because the bulk of the DP laws that are accepted worldwide use GDPR as their template, the UK signed an agreement with the EU to allow data to flow between the EU and the UK unhindered. That said, we know that relations between some countries in the EU and the UK are not great just now and this accord depends on the former continuing to recognise the UK’s data protection laws as providing the same degree of DP as those in Europe. Consequently, any attempt to make UK-wide changes has had to bear this in mind.
Now, the government has unveiled its plans for just such changes. It is a difficult balancing act: the aforenoted requirement not to rock the boat too much with the EU has to be counterbalanced by the wish to ensure that people can have real control over their personal data, whilst, at the same time, reducing the demands (and costs) for businesses, researchers and civil society.
To illustrate how these changes might work, under the current system, users must give their explicit consent for data to be processed for a specified reason, say for a research project into alcoholism. If the purpose of the research changes, the data previously collected cannot then be re-used without re-acquiring consent. Under the proposed new system, researchers will only need to specify they’re using data in, for example, alcohol-abuse research generally as opposed to a particular study of alcoholism.
Crucially, the ICO (Information Commissioner’s Office – the body responsible for administering DP laws – is on board with the proposals. Information Commissioner, John Edwards, is quoted in the media as saying, "This is good news for data flows between the EU and the UK, as these more modest reforms mean the EU Commission is less likely to revoke the UK’s adequacy finding, which would have caused significant disruption." This is important because Edwards had previously warned the government against making too many changes.
The UK Government’s Data Reform Bill was announced (last week) at London Tech Week. In the PR for the launch, Digital Secretary Nadine Dorries said: “Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower … Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.”
This all sounds fine and dandy, however, the government hasn’t exactly covered itself with glory and many of its own supporters believe that, as they see it, most of the potential benefits from Brexit are yet to be delivered. Let’s see whether the rhetoric lives up to the reality in this case…