As with anything Brexit-related, the UK government is facing a dilemma in relation to data protection law. Shall we follow the direction of travel of the past 25 years and opt for the continuity and certainty provided by the GDPR or shall we use the departure from the EU to make radical changes to the regulation of data uses and privacy? On the one hand, it would be reassuring to know that despite Brexit’s uncertainties, the current framework is here to stay and it will develop in a familiar way. On the other hand, it must be tempting to use this opportunity to completely re-think what is in the best national interest. For an area of law and policy that is so closely related to technological development and prosperity, it would be foolish not to consider whether a different formulation would lead to better outcomes. A dilemma indeed.
An important consideration to take into account in this process is what is happening across the rest of the planet. In today’s uber-connected world, data is by definition global. So its regulation is spreading in consistent ways around the globe. Right now, the California Consumer Privacy Act (CCPA) is a huge focus of attention. The CCPA has a very different pedigree from the GDPR but it is essentially about giving people control over their data and the ways it is used by others. Looking at other countries that are actively developing new privacy legislation – from Brazil to India and from Bermuda to New Zealand – there is a visible thread towards strong accountability and powerful regulators. Each jurisdiction faces its own political nuances and social needs, but the emphasis is on comprehensive laws that follow a global trend.
If Brexit is about taking back control, in data protection terms, it must mean looking at where UK data protection law would be likely to be heading in the absence of any EU interference. In other words, if one looks at the history of UK data protection as a reflection of the country’s ambitions and public policy goals, where would it make sense to be heading at this moment in time? Recalling 34 years of practice in this area, Jonathan Bamford, former Director of Strategic Policy at the Information Commissioner’s Office, recently pointed out that data protection law was set up to encourage public trust and confidence, and that this objective is still alive today. As he put it, at the heart of all the legislation in this area are the same simple principles of looking after people’s information properly and in ways they would understand. That was and will always be the British approach to practical and workable data protection.
Speaking of being practical, Brexit is also about departing from the EU in an orderly and non-chaotic fashion. The Political Declaration that accompanies the much debated Withdrawal Agreement agreed between the UK Government and the European Council already confirms what the approach will be. According to the Declaration, both the UK and the EU are committed to ensuring a high level of personal data protection to facilitate data flows between them. The Declaration goes on to say that the European Commission will start the adequacy assessment with respect to the UK as soon as possible after the UK’s withdrawal, endeavouring to adopt its decision by the end of 2020, if the applicable conditions are met.
So what’s the right way forward for the future then? The UK cannot afford to go alone to achieve the best of all possible worlds: economic progress and protection for individuals. The UK must follow its instinct and lead the way by promoting progressive regulation that is in sync with a digitally borderless world. In doing so, it should look at what other leading democracies are doing and be prepared to be aligned in approach. In its relation with the EU, it should find a magical yet pragmatic way of achieving a mutual recognition of frameworks that paves the way for seamless data flows. With its mature law, robust individual rights and influential regulator, the UK is in an extremely strong position to get there. The future of UK data protection law looks distinctively forward thinking, but above all, it should be anchored on responsibility and democratic values.
This article was first published in Data Protection Leader in January 2020.