How will the UK become a “business friendly” country for international data transfers?

The key takeaway

The UK Government has announced its intention to pursue “data-driven” growth in the economy. Under new post-Brexit data plans, it will prioritise data adequacy partnerships with the USA, Korea, Singapore, Dubai and Colombia, and is creating an international data transfer council of experts to consult on future policies.

The background

The Government had previously suggested in its National Data Strategy (NDS) that it would be reforming the UK data protection regime after the UK’s exit from the EU. Following a consultation, the Department for Culture, Media and Sport (DCMS) published a report earlier this year confirming that its new strategy would continue to maintain high data protection standards while reducing barriers to data transfers in the interests of promoting business. The aim of the reforms is to increase trade and improve public services with data sharing.

As part of its announcement, the DCMS named New Zealand’s Privacy Commissioner John Edwards as the UK’s next Information Commissioner. In interviews, Mr Edwards said that reform of data protection rules is “one of the big prizes of leaving” the EU” and that “there’s an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people’s privacy but in as light a touch way as possible”.

The development

The package of reforms has now been announced including:

  • a new set of data adequacy partnerships
  • an international Data Transfers Expert Council, and
  • a fresh consultation on how the future data protection regime should function.

As the UK is no longer a member of the EU, the Government can now choose which countries to list as having adequate data protection laws in place. To determine the country’s adequacy, the Government will consider the rule of law, the existence of a regulator, and international agreements that that country has entered.

If a country is deemed adequate, organisations can transfer personal data freely between that country and the UK, provided that they comply with relevant adequacy decisions. The Government announced that it will be prioritising adequacy partnerships the USA, Australia, South Korea, Singapore, Dubai and Colombia. In its accompanying Mission Statement, the Government also set out its intention to use these partnerships as a driver for international commerce.

With regards to adequacy assessments the Government has published a UK Manual Template which contains questions that ensures that the relevant information is collected relating to a country’s data protection landscape and its adequacy therein.

The Data Transfers Expert Council will consist of 15 individuals from academia, industry and wider society and will work on ways to remove barriers to cross-border data flow. The aim is that the Council will provide diverse expert opinion to inform future Government policy.

Finally, the Government will reform the UK’s data protection regime and has announced a consultation on changes that can facilitate transfers of data responsibly and with a less significant burden on smaller companies and start-ups. The ICO announced its plans for this in the form of a consultation at the end of August.

Why is this important?

The UK appears to be pursuing a highly commercial, business friendly, approach to data protection, which may be welcome to many organisations. This represents, and requires, some significant divergence from the EU framework. The current proposals aim to maintain personal data protection and equivalence with the EU while removing certain barriers to transfer. However, the Government press release highlights that maintaining high data protection standards will be a priority.

The EU will be keeping a close eye on these developments for sure, particularly on the UK’s data adequacy status if the law in the UK diverges too far from the EU’s approach.

Any practical tips?

The UK’s data protection landscape is likely to change significantly over the next 18 months, and it is therefore important that all stakeholders within organisations that handle personal data keep up to date with any announcement and contribute to any consultations when offered the chance.