The UK’s Reforms Could Build A New Data Protection Gold Standard – Center for Data Innovation
The British government announced a broad and ambitious package of data reforms last week that could spur a new global framework for data protection and cross-border data flows. The United Kingdom’s data governance strategy aims to correct specific pain points around data governance created by the EU’s GDPR. The end result could significantly boost the UK’s digital economy, offer nations around the world a path forward that balances data protection with digital free trade, and provide a superior data protection framework for the region.
One of the core pillars of the UK’s new data strategy is to build and promote an extensive web of data flow agreements with other countries. In keeping with the country’s long-standing embrace of free trade, the government has decided that dismantling digital barriers to trade can create new sources of growth for the UK’s highly successful tech sector. Data transfer agreements with ten countries are in the works, including the United States, Australia, South Korea, India, Colombia, and Brazil. Notably, the UK plans to develop these data partnerships quickly. In contrast, the EU’s adequacy process is slow, opaque, and politicized—for example, the United States is held to a higher standard than EU member states. The EU takes years to finalize adequacy determinations—managing merely a dozen in almost two decades—and even these agreements risk being struck down by European courts, contrary to the principle of pacta sun servanda in international law by which states commit to abide in good faith by treaties they freely sign up to.
The United Kingdom has long identified digital free trade and data-driven innovation as key areas of differentiation from the rest of Europe. The depth of the country’s digital links with the EU creates the need to balance GDPR adequacy whilst carving out an independent approach to data policy. Threading this needle will be difficult, as Brussels treats the GDPR as a sacred cow, refusing to balance data protection with other goals such as economic growth and innovation. Moreover, its reluctance to award adequacy decisions undermines the oft-flaunted argument that the EU is the global standard-setter on data protection. The UK represents a major challenge, and threat, to the EU’s global data ambitions: if the EU won’t deem a former member state adequate, how can any non-EU nation reasonably expect to meet the bar?
Therein lies the rub, as far as the UK is concerned: crafting a way forward that allows for new data partnerships to be signed, on the basis of the UK’s existing, GDPR-equivalent laws, but without the procedural and philosophical flaws of the EU’s adequacy process. The government has released the template it will use to assess the data protection regime of third countries, and its approach suggests a viable and pragmatic path forward for building out a network of data partnerships: treating the key principles of the UK’s data protection safeguards as a baseline, but accepting that countries protect personal data in different ways—a circle the EU has shown itself unable to square.
While the EU may believe the GDPR effectively protects consumer data, the law has also unquestionably limited data-driven innovation in the EU and paralyzes the transatlantic data flows that power the West’s digital economy, thereby undermining European growth and progress. Data localization is protectionism in sheep’s clothing, threatening to rob the global Internet economy of the efficiency that makes it so valuable, and risking the Balkanization of online services as well as strengthening the autocratic model of governance that demands complete government control over data flows. The protectionist danger of data localization is something even the EU acknowledges as negative, despite itself driving the trend.
The UK’s new data strategy is a welcome change from the trend of increased data localization. Instead of focusing on exporting its data protection regulations, the UK is focused on the more pragmatic issue of ensuring its businesses can exchange data in global markets. While Japan has spurred the G7 to endorse the concept of “data free flow with trust,” the UK may be the first nation to move from principles to action and may spur on others who want to draw up a multilateral system of regulating data flows in a manner that maximizes the benefits of digital trade whilst keeping data safe. The UK will also explore the potential to strike sectoral data flow agreements that apply only to specific industries such as finance—something the EU has so far failed to do.
Another goal of the new data strategy is to reform its data protection rules to not only focus on protecting consumer rights, but also fostering innovation and economic growth. The EU acknowledges that data is critical for innovation, but has proceeded to enact laws and regulations that make it extremely difficult and costly for organizations to actually use data. To address that problem, the UK will run a public consultation on reforming the country’s data protection laws. What’s particularly promising is that the government wants to achieve the same consumer protection without the prescriptive policies that have unnecessarily hamstrung many organizations The aim is to reform regulations to account for the nuances of the modern data economy. For instance, GDPR doesn’t recognize the concept of pseudonymization—making it near-impossible to use existing health datasets for additional research that could generate new treatments. GDPR’s reliance on purpose limitation and explicit consent prevents machine learning experimentation by data processors that could lead to consumer benefits and technological advancements. These are just some of the many obvious flaws in the GDPR which the EU so far has been unable or unwilling to fix, and which the UK now has a chance to rectify.
The UK’s domestic and global digital strategy provides much-needed ambition, creativity, and flexibility that has been sorely lacking. There are many opportunities to reform data protection without undermining user privacy and safety, and if the UK can show the way for how to reform GDPR’s core flaws and unlock more data-driven growth and innovation—both at home and globally—other countries will likely follow.
The challenge for the United Kingdom will be to move the conversation from the strategic level— which is typically characterized by fear-mongering and hysteria among privacy fundamentalists and likeminded parts of the media and academia—to the nitty-gritty level of weighing up the pros and cons of each provision that make up current data protection laws. That will take sustained engagement with the public and a willingness to stand up to those who prefer to drown out any effort to develop pragmatic solutions that balance consumer protection with innovation.