UK government plans to shake up national data protection regime

With the change from an EU-based regulatory environment to Brexit, the UK government has had occasion to revisit some international initiatives that were tied to EU regulations, including cross-border management of personal data.

Recently the Department for Digital, Culture, Media & Sport (DCMS) released details about the UK post-Brexit strategy for data management. The announcement outlined how the UK plans to support trade, drive international investment, prevent cyber crime, and deliver public services and critical scientific research.

This announcement also coincides with the Court of Justice of the European Union (CJEU) decision in the Schrems II case. In Schrems II, The CJEU decided that the EU/U.S. Privacy Shield was insufficient, and that U.S. safeguards regarding national security surveillance are inadequate. Specifically, the court found that the U.S overstepped in surveillance, failing to conduct only the surveillance that was “necessary and proportionate.”

In developing new data privacy standards, the DCMS has continually referred to the UK’s high expectations for data protection, stating that, ‘the aim is to make the country’s data regime even more ambitious, pro-growth and innovation-friendly, while still being underpinned by secure and trustworthy privacy standards.”

As the two countries work to define international standards for data protection in the wake of the Schrems II ruling, the new legislation cites estimates that barriers to data transfer may account for up to £11 billion worth of unrealised trade. As a result, the UK government has outlined a strategy of prioritising data adequacy partnerships with the U.S., Australia, Republic of Korea, Singapore, the Dubai International Finance Centre, and Colombia,

Phase II data adequacy partnerships will include countries such as India, Kenya, Brazil, and Indonesia.

At the official start of Brexit, the UK and EU installed a data protection agreement, but that initial agreement was only intended to be temporary. After months of negotiations, the EU determined that the Uk adequately protected sensitive personal data, and approved an open flow of such data between the EU and UK.

The EU-UK agreement will remain in place for four years, unless UK protocols change significantly.

Between the agreements with the EU, and the Phase I and II strategies for data flow in the greater international market, the UK has two separate initiatives to manage. First, it must maintain the stringent standards set forth by the EU/UK agreement. On the other hand, the UK seeks to promote international data trade with favorable policies.

The future of UK data protection regulations will likely include new specifications on data flow between the UK and Phase I countries, including the U.S. This includes the very real possibility that the Schrem II decision will be overturned, and the UK will find that the U.S. does, in fact, provide surveillance that is “necessary and proportionate” to national security.

Additionally, the DCMS has hinted at a more comprehensive review of the UK data protection law, which may include some “common-sense” adaptations of the existing regulations.