Post-Brexit, UK Plans to Create Its Own Privacy Regulations

Since leaving the European Union, the UK government, which has inherited the EU’s General Data Protection Regulation (GDPR) that went into effect in 2018, is now faced with creating its own privacy laws in order to enact data transfer agreements with other nations. The EU stated that the new UK regulations must feature those that are equivalent to the GDPR. So far, the UK government has said that its privacy rules will be “innovation-friendly” and permit easier data sharing but eliminate the EU’s “box-ticking” requirements.

The Wall Street Journal reports that, according to UK digital secretary Oliver Dowden, “the EU GDPR requires websites to display onerous banners asking for consent to track visitors’ data.”

The UK proposal plans a “revised approach to data sharing [that] would help develop better scientific and technology research … referring to the country’s public healthcare database of hospital patients’ X-rays and images that helped researchers understand the disease and quickly develop treatment during the COVID-19 pandemic.”

Companies that operate in the UK and Europe are concerned. “If the EU revokes the data sharing agreement with the UK, costly and burdensome alternative transfer mechanisms will need to be put in place for personal data to continue to flow, creating additional barriers, costs and bureaucracy,” said NHS Confederation senior policy manager Rosie Richards.

BritishAmerican Business executive director Emanuel Adam said that, “legislative changes to make the GDPR rules more flexible would be good for businesses and innovation” but “many companies don’t want to diverge too much from the GDPR.”

A UK government-commissioned report “recommended replacing the GDPR with a system that is less intrusive,” and the European Commission is “closely monitoring developments related to the UK’s data-protection rules and can suspend or end the EU-UK agreement.” The UK is prioritizing the U.S., Australia, Columbia and South Korea among 10 countries to “quickly and creatively” finish the new data-transfer agreements.

The Guardian reports that UK information commissioner Elizabeth Denham, whose term ends in October 31, will be replaced by John Edwards, currently New Zealand’s privacy commissioner. It notes that, even after Brexit, “the GDPR data protection rules introduced by the EU in May 2018 are part of UK law.” The UK government has talked about a rewrite of the privacy laws in order to “boost growth, especially for startups and small firms, speed up scientific discoveries and improve public services.”

At law firm Hogan Lovells, co-head of the global privacy and cybersecurity practice Eduardo Ustaran stated that, “the UK is starting to show that there is room for diversion from EU data protection law whilst still retaining the GDPR as a framework.”

“What this means in practice is that the way in which international data flows are approached is not identical to the way the same data flows are treated in the EU, but this doesn’t necessarily mean that the protection is going away,” he added.