It was announced last week that New Zealand’s privacy commissioner, John Edwards, has been named as the UK Government’s preferred candidate for the next Information Commissioner.
Why is this significant? Well, the Government has announced that with a new Information Commissioner will come a shake-up of current data rules. On 1st January 2021, the official “transition period” governing the UK’s departure from the EU ended. With the UK set to take more steps to depart from the General Data Protection Regulation (GDPR), Digital Secretary, Oliver Dowden, announced plans to reform the UK’s data laws “so that they are based on common sense, not box-ticking”.
“Common Sense, not Box-Ticking”: What Will Change?
With the Government set to launch a consultation into what our data laws should look like, one reform under contemplation is to eradicate the “endless” cookie pop-ups featured on large websites which seek permission to store the user’s data. For “high-risk” sites such pop-ups will remain necessary, but for a large majority of websites the pop-ups are “pointless” and are nothing but a marketing tool.
Key for the Government in ensuring the UK’s data protection legislation is based on common sense and not box-ticking is to prioritise making new “data adequacy” partnerships with places such as the USA, Australia, South Korea, Singapore, the Dubai International Financial Centre (DIFC) and Colombia.
A “data adequacy partnership” will mean the UK entering into an agreement with countries whereby it is agreed that the protections in place in each country are similar. The idea is that it will enable the UK to transfer personal data internationally while ensuring the personal information remains safeguarded. Safety can be ensured as the protections in each country are similar in nature.
The Government have also announced their aims for further agreements in the future – to seek data partnerships with India, Brazil, Kenya and Indonesia – with a view to boosting trade by up to £11 billion.
What is an adequacy agreement?
While such reform seems like a positive, there is some concern that parting from the GDPR could threaten UK-EU data transfers. Any changes to the UK’s data protection regime would require adequacy status from the European Commission, which can deem any country as operating at an “adequate” level.
Adequate status means the country’s data protection legislation sufficiently meets the EU data protection standard without the need to implement additional safeguards. This would allow the transfer of personal data between each country to flow freely and without change. The UK currently has a data adequacy agreement with the EU, but this will need to be renewed in the future and may be subject to change if UK legislation diverges too far from EU rules.
It was anticipated that post-Brexit there would be some change to data laws within the UK; however, this latest announcement signals the potential for bigger changes than most anticipated and potential changes to how data is managed, stored and shared. Should you have any questions relating to all things Data Protection, please contact our team.