The UK thinks it can fix GDPR. It’s wrong

The UK has left the European Union. It’s left the single market. And now it wants to leave behind the rules that require companies protect your personal data. 

The European Union’s General Data Protection Regulation (GDPR) has its flaws, as any middle manager required to rework processes and fill out paperwork about data handling ahead of its implementation in May 2018 knows all too well. This paperwork was singled out by Oliver Dowden, the UK’s culture secretary, who oversees the country’s digital policies, in a Telegraph interview announcing the UK would diverge from key parts of the GDPR last week. The government announced its proposed choice for the new head of the UK’s data regulator, the Information Commissioner’s Office at the same time. But the potential GDPR changes got the most attention. Among the targets of those changes? “Pointless bureaucracy”, “box ticking” and red tape.

“The GDPR is by no means perfect, and charitably you could see the UK trying to take a lead in fixing some of the issues,” says Lilian Edwards, professor of law, innovation and society at Newcastle University. For instance, there’s been a lack of enforcement action from data protection bodies across Europe. “Sadly, this is almost certainly a futile publicity seeking effort,” Edwards says of the UK’s nascent efforts. 

In practice, the UK’s plans to fix GDPR – which currently are extremely high-level and vague – could put it on a collision course with the European Union. Moves designed to stimulate new business could in fact bring to an end existing data-sharing deals. And the UK’s plan to “set world-leading, gold standard data regulation which protects privacy, but does so in as light touch a way as possible” is misguided. It simply won’t work, experts say.

“God knows there are some areas of privacy law and data protection regulation we could tweak for the better of everyone involved,” says Heather Burns, policy manager at Open Rights Group, a UK campaign group protecting digital privacy. But Burns says the UK’s plans aren’t a good faith attempt to find a third way to solve data issues. “This is deregulating privacy laws and data protection safeguards in the commercial interest of industry.”

Burns believes that the UK is trying to liberalise access to data to generate a broader market for it. “The British government’s vision is to create a market of applications that watch what you’re saying and doing it, and privacy rights and safeguards are a major obstacle to that.” Worst of all, Burns believes it’s fundamentally unachievable. “It’s classic Brexit cakeism,” she explains. “It’s having your cake and eating it, too.”

The UK has spent the last several months trying to achieve data adequacy with the European Union, which has stringent rules over where data of its users can go. It managed to come to an agreement for a four-year adequacy deal in late June. The concept behind data adequacy partnerships is to prevent organisations having to introduce specific measures that show compliance to data rules by themselves – which the government calls “costly” – to share personal data. Instead, it’s given that signatories to adequacy partnerships are trustworthy and able to handle personal data safely. Alongside the European Union, the UK has adequacy partnerships with countries such as New Zealand, Japan and Canada – and wants to do more deals with other countries in the future.

Yet each deal it does potentially weakens its adherence to pre-existing data adequacy agreements, including with the EU – many of whose members raised concerns about the risk of the UK diverging from those agreements, potentially imperilling EU users’ data. “We are talking here about a fundamental right of EU citizens that we have a duty to protect,” said Vera Jourova, EU vice president for values and transparency, in late June when the EU-UK deal was announced. “This is why we have significant safeguards and if anything changes on the UK side, we will intervene.” The UK’s agreement with the EU contains a sunset clause, or defined end date, which is unusual and, as one source says, was designed by the EU to head off the fear of exactly what the UK appears to be doing.