PRINT.IT
27
COMPLIANCE
Having clear
laws with
safeguards in
place is more
important
than ever
given the
growing
digital
economy
The UK would
be wise to
protect its
companies
from the
restrictions
and penalties
resulting from
these types
of heavy-
handed,
innovation-
limiting
regulations
would not directly apply to the UK.
But if the UK wants to trade with
the Single Market on equal terms,
we would have to prove ‘adequacy’.
In other words, UK data protection
standards would have to be
equivalent to the EU’s General Data
Protection Regulation framework
starting in 2018.”
“Having clear laws with
safeguards in place is more
important than ever given the
growing digital economy, and we
will be speaking to government to
present our view that reform of the
UK law remains necessary.”
This statement implies that our
new Information Commissioner
(Elizabeth Denham, who has a proven
history of backing and enforcing
consumer rights while encouraging
transparency within business) is
likely to encourage legislation that
mirrors the requirements of the
GDPR. It’s also worth noting that
UK privacy professionals were key in
shaping this legislation in the first
place – and that the view of what
constitutes good privacy doesn’t
change simply because we chose to
exit the European Union.
Reason 5: Trade negotiations…
an easy win.
Over the next few years, the pressure
to negotiate a strong trade deal
with the EU will drive the adoption
of supporting ‘mirror’ legislation
designed to minimise barriers to
continued trade. Some measures
(such as open borders) will be highly
contentious. However, it is unlikely
that improved privacy protection
would be seen as such. In fact, it’s
an issue that many could openly
support and encourage as an ‘easy
win’, which would provide increased
compatibility and security for UK-EU
trade and improved protection for
both groups of citizens.
Reason 6: It needs doing anyway.
It’s the right thing to do.
Most of the UK’s existing data
protection legislation was written
before the widespread adoption of
the internet and the globalisation
of trade – and the collection of vast
amounts of new data about data
subjects that followed. Internet-
based social media services, such
as Facebook and Twitter, didn’t
exist and currently enforced laws on
data protection were not created to
accommodate them.
It’s now easier than ever before
to build and infer much about
individuals from the data they
generate, often unknowingly, in
their day-to-day activities. We are
all entitled to a free and private life,
so we need laws that help protect
us – and the legal framework prior to
GDPR doesn’t cut it.
The GDPR, while far from perfect,
does offer an improved model for
data protection, and it is (perhaps
arguably) right and pragmatic for the
UK to adopt similar legislation.
Conclusion
So, while it’s true that we are going
to be living in uncertain times for
a few years to come, it is likely
that privacy will still be high on the
agenda. When the next high profile
data breach or misuse happens
(think TalkTalk), the public reaction
is likely be the same regardless
of Brexit. Ultimately, the pressure
for organisations to retain and
build trust will remain – as will the
pressure on regulators to govern.
Although the adoption of the
GDPR as mirroring UK legislation
is highly likely, we should also be
aware that Brexit will leave the UK
‘on the outside’ for the development
of future privacy legislation that,
in practice, may well apply to UK-
based organisations. The review
of the EU E-Privacy Directive has
now started and this is likely to
affect how UK businesses can use
data and e-mail, social media and
other communications to reach
EU citizens. It remains to be seen
whether we have influence over this
in the next couple of years. Even if
we do, our voice will be less powerful
than before.
requirement that by definition limits
the type of experimentation and
innovation that has become the
hallmark of the data economy.
In addition, the regulations
allow for penalties of up to 4% of
a company’s global revenue, which
means that the private sector will
be investi ng heavily in compliance
to avoid violations. These expenses
will divert funds from more useful
product development, raise costs for
consumers and force companies to
become risk averse.
The UK would be wise to protect
its companies from the restrictions
and penalties resulting from these
types of heavy-handed, innovation-
limiting regulations.
No guarantees
Second, even if the UK were to
fully implement the GDPR, there
is no guarantee that the EU would
determine its data protection
laws meet its adequacy standard
– a necessary precondition for
companies in the UK to continue
processing European data as they
do today.
After all, the biggest hurdle in
negotiating the successor to the
U.S.-EU Safe Harbor agreement
was not that the United States had
a different style of data regulation,
but rather that U.S. government
surveillance programs purportedly
put EU citizen privacy at risk. Yet,
some European countries have
passed more intrusive surveillance
laws than those in the United States,
such as those passed by France
following the Charlie Hebdo terrorists
attacks in Paris.
The EU has not held its member
states to the same standard as
it does non-EU countries. The
UK, which is set to pass its own
controversial surveillance legislation,
should not expect to receive a
pass even if it adopts measures
equivalent to the GDPR.
Legal mechanisms
Rather than seeking an adequacy
determination, the UK should take
the approach pursued by most
non-European countries and use
other legal mechanisms, such
as model contracts and binding
corporate rules, to enable lawful
transfers of personal data between
the UK and EU member states. Or
it could negotiate something akin
to the Privacy Shield agreement,
which was established to allow for
the exchange of data between the
United States and the EU.
Any of these approaches would
allow UK policymakers to establish
their own data protection rules that
balance the right to privacy with
other competing interests, such
as national security, economic
prosperity, innovation and public
health, while still maintaining free
trade with Europe.
Daniel Castro (@CastroTech) is
director of the Center for Data
Innovation, a think tank focused on
data and public policy.
