The UK Guardian newspaper today runs the title “Boris Johnson to try to regain control with Brexit bill and policy blitz”. One such target of the blitz is the EU General Data Protection Regulation(GDPR).
As a seasoned data protection practitioner, and academic, of the UK and EU Data Protection Law – this is old news. The UK announced its intention to review opportunities to ease the burden on data controllers, and unleash the potential of data, in 2021. The UK government is launching a consultation exercise called “Data, a New Direction”.
I am in favour of reducing the burden of compliance on the Data Controller, and balancing the data protection scales with the data subject, providing rights are not diluted.
Whilst the rhetoric around this is mainly political, the practical aspects of such a “blitz” are more complicated in a global world where data is transmitted at great speed across international borders, into and out of many countries with differing data protection laws.
The UK Government can of course set its own domestic law for personal data flows within the UK, however, the minute personal data flows, to say, Dublin, then that flow maybe subject to GDPR. In the USA, things become more complicated as each state has its own law, and so the Global law challenge goes on.
At the moment UK organisations can transfer data to the EU unfettered, because of the similarity of strength in the UK-GDPR, in an arrangement called adequacy. The potential dilution of the UK-GDPR would risk this arrangement, and the alternative arrangement, for data transfers would be expensive, including clunky lawyer driven contracts that would in essence create more work on data controllers than at present. This hardly unleashing the power. The UK has the gift of unleashing the power of data, using existing tools such as guidance and referencing to the UK Courts past decisions.
In fact, the UK Courts have provided data controller with clarity and in some cases a dilution of the laws through interpretation surrounding data protection since the inception of the first UK Data Protection Act, in 1984. Moreover, the UK regulator has provided guidance on compliance and could achieve many of the “wins” the government seek to achieve without the need for clunky new legislation and increasing the burden on controllers to meet a political headline.
As a representative of many data controllers, it is imperative that the balance is achieved. This must not be achieved at the expense of increasing the burden in the ability for data to flow unfettered across the EU. Data controllers would be required to fund the cost of a new compliance regime, and this would be a quixotic win for no one.
I watch with interest the UK governments proposal.
 Data: a new direction https://www.gov.uk/government/consultations/data-a-new-direction