Data adequacy with EU ‘high priority’ for UK government

Owen Rowland, deputy director, domestic data protection policy, at the Department for Digital, Culture, Media and Sport (DCMS), told the conference last week, which focused on UK data reform, that retaining adequacy was a “high priority”.

Rowland said that the new data protection and digital information bill, which is currently being redrafted, will be released relatively soon and was looking at introducing a “business and consumer friendly data protection system”.

The EU was being kept up-to-date on progress, Rowland explained, and said there were no “red lights flashing” with regards to the proposed reforms to UK data protection legislation.

“We will continue to approach our relationship with them as sovereign equals, and we are really keen to keep them updated on our future plans,” he said.

“We are confident we are taking a considered and careful approach while making it ambitious in ways we can make the regime more pro-growth and innovation friendly.”

A data adequacy deal between the UK and EU, which aims to ease movement of data between the two entities, was agreed last year after the completion of Brexit negotiations.

However, the European Commission introduced a ‘sunset clause’ that could mean the adequacy agreement ceases after four years if the UK does not maintain an adequate level of data protection.

Reforms to UK data protection law were due to have been introduced into parliament in September this year, but have been held back to allow the new government time to assess the proposals.

At an earlier panel session at the Westminster conference, Mariano Delli-Santi, legal and policy officer at the Open Rights Group, said that proposed changes in the previous bill were “so disruptive” that “there is no realistic scenario where this law is implemented and the adequacy agreement is maintained”.

He said one of the main reasons was the bill allowed the secretary of state to decide what is legitimate or not legitimate use of data “arbitrarily, and regardless of the impact this has on data subjects”.

“This is simply not going to be compatible with the concept of European data protection law,” Delli-Santi added. “Most importantly, it does not even provide the legal clarity you are looking for.”

Other speakers highlighted the importance of data adequacy. Chris Combemale, chief executive at the Data & Marketing Association (DMA), said: “Maintaining adequacy with the EU is the number one imperative. Any loss of adequacy is an anti-growth measure.”

He added that he felt that greater certainty in how to apply the General Data Protection Regulation (GDPR) legitimate interest provisions would be welcome.

“There are not flaws in the way it was written by the EU,” Combemale added. “There have been flaws in the way it has been interpreted and implemented in the UK. Some of the changes we have recommended will give greater clarity to marketers across the country.”

Julian David, chief executive at Tech UK, said he thought the data protection reforms  were “well thought out” and the “right balance”.

“We think the opportunity to improve on the European legislation is something that should be grasped,” he added, although he warned that losing EU adequacy would cost business £1.5bn, due to people not transferring data as they are worried about the situation.

However, David said the bill could be improved, including providing greater clarity and certainty around using data, with some businesses unsure about the dividing lines between what can and cannot be processed.

Automated decision-making also needed to be covered in the data protection reforms, David added, or the law risks being outstripped by technological developments.

“We think now is the time to take the steps to make sure the law will be able to keep up with technological development, such as the rise of artificial intelligence and automation,” David said. “We can not only get the right system for the UK, but also influence abroad.”

Martin Kelly, senior legal counsel at Mastercard, said: “Any reforms should maintain a global trust in UK privacy laws. Maintaining EU adequacy is really important for organisations operating in the UK.

“That’s not to say we can’t have changes. It is good to keep data protection regulation under review, because technology develops and different approaches to data develop. The European Commission would expect us to keep our data legislation under review.”