BRITISH BANKS, manufacturers and telecommunications companies all have to process information about European customers and suppliers. Ensuring that they could continue to do so was one of the government's main considerations when negotiating withdrawal from the EU. In June, six months after its final departure, Great Britain learned that its data processing rules had been deemed “adequate”, i.e. sufficiently similar to the EU's General Data Protection Regulation (GDPR) that data could continue to flow freely.
But three months later, the government opened a consultation on changing these rules. It underscored ambitions to create an “innovation-friendly data protection regime” that would facilitate “responsible” use of data and allow organizations to comply with “flexibility”. Its call for responses closed on November 19. One came from Lord David Anderson, lawyer at Brick Court Chambers and expert in European law. In short, he believes the proposals risk tipping Britain out of alignment with EU law, thus putting adequacy and the flow of data at risk.
As Lord Anderson’s 25-page legal opinion explains, the government’s proposals would be tantamount to going in the opposite direction from the EU, towards more rights for the companies holding data and fewer for the individuals whom the GDPR treats as its owners. The use of personal data for political advertising purposes, or for purposes other than those initially envisaged, would become easier. The category of “legitimate interests”, i.e. the uses to which data can be put without asking permission, would be broadened. That, according to technologyUK, a trade association that represents Google and Facebook among others, would facilitate all kinds of useful things, from fraud detection to securing networks.
Tech companies do not seem worried about risks of the type mentioned by Lord Anderson. They seem convinced that politics and economics are on their side. If Britain lost frictionless access to EU data, it would be a mutual disaster. Businesses in both locations would face new costs, either by drafting complicated new contracts that create a workaround, or, in the worst case, by having to relocate. This would seriously hamper the kind of data sharing that police and national security agencies on both sides rely on. And so the European Commission, which is responsible for adequacy decisions, is unlikely to find Britain wanting. TechnologyUK's members seem to rely on pragmatism to protect them.
But Lord Anderson is far from alone in his view of the risks. On November 22 the EU's data protection supervisor, Wojciech Wiewiorowski, who sits on the board that advises the commission on data protection matters, told MLex, a trade publication that covers regulatory issues, that if the proposed changes become law, a discussion of Britain’s suitability will certainly be sparked. And as for pragmatism, the courts are not known for that. An adequacy challenge before the European Court of Justice could be successful. Such a case might not be filed, let alone won, but the UK government’s plans make one more likely.
Any change to UK data protection rules minor enough to maintain their adequacy would be a waste of effort, says Hussein Kanji, partner at Hoxton Ventures, a London-based venture capital firm. Having to comply with two sets of rules instead of one would be tantamount to a “small business tax”. The enormous regulatory and compliance burden created by such a dual regime could only be absorbed by the largest corporations, says Poppy Wood of Reset, a nonprofit that focuses on tech policy (and has played a role in commissioning Lord Anderson’s opinion through its retained law firm, AWO). For startups, these additional costs could be the difference between success and failure.
What might satisfy techies like Mr Kanji and Ms Wood, as well as UK businesses and even the UK government, would be a judicious reassessment of GDPR. It is now, for better or for worse, the de facto global standard. With Brexit, however, Britain lost all influence over the EU's data approach. In its attempts to regulate better than the bloc, it should at least be careful not to make the lives of its own businesses worse. ■
This article appeared in the Great Britain section of the print edition under the headline “Is ‘adequate’ good enough?”