The government has announced plans to reshape the UK’s data laws such as GDPR requirements in an effort, it claims, to boost growth and increase trade post-Brexit. The digital, media and culture secretary, Oliver Dowden, says the UK wants to shape data laws based on “common sense, not box-ticking”.
What is GDPR?
The General Data Protection Regulation was a replacement for the EU’s 1995 Data Protection Directive, which had until then set the minimum standards for processing data in the bloc. GDPR significantly strengthened a number of rights: individuals found themselves with more power to demand companies reveal or delete the personal data they hold; regulators were able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions had real teeth, with higher maximum fines for breaches.
Why does GDPR matter if we’ve left the EU?
As a European “regulation”, GDPR became UK law the second it was put into effect, on 25 May 2018. If the government had left it at that, it would have ceased to take effect on 1 January 2021, when the UK’s exit from the EU was finalised. But the 2018 Data Protection Act, introduced by Theresa May’s government under the then media and culture secretary Matt Hancock, rewrote the UK’s own data protection laws to mirror GDPR, so there would be no conflict between British and European law.
This meant that when Britain left the EU, the Data Protection Act continued to apply rules that were functionally equivalent to GDPR – but it is now in the government’s power to alter those rules.
What is stopping the government from ripping up the rulebook entirely?
International transfers of data rest on what are called “adequacy agreements”. People cannot transfer data internationally unless their government agrees that data protection rights in that country are at least as good as their own.
Those agreements are crucial. The EU, for instance, has spent years tussling with the US over whether the country provides adequate safeguards for EU citizens’ data, particularly when it comes to protection from government surveillance. The Edward Snowden revelations torpedoed the previous “safe harbour” finding that the US was good enough, and the resulting ramifications are still being felt today.
If the government goes too far in changing the rules, it would run a similar risk. It knows adequacy is important: alongside Thursday’s announcement was a promise that the UK would seek such an agreement with six countries, including the US, South Korea and Australia, as well as the confirmation that the probable next information commissioner, the New Zealand privacy commissioner, John Edwards, has “vital” experience bringing his own country in line with the EU’s requirements.
But what about the cookie banners?
Despite being the public-facing image of GDPR, cookie banners have little to do with the regulation. In fact, they predate GDPR itself, going back to the EU’s 2002 ePrivacy directive. But the government could, as part of its overhaul of the UK’s data protection rules, strip away the requirement for websites to ask permission for low-impact uses of personal data, Dowden has suggested.
Less clear is whether removing that requirement would have much effect in practice. Websites will continue to need to implement cookie banners for European users and similar legislation applies in California. Many may consider it easier to simply continue to ask British users for their consent to tracking, even if they no longer have to.
