BCL partner Julian Hayes‘ article titled ‘The UK’s National Data Strategy – Too Much Love?’ has been published by Global Banking & Finance Review.
Here’s an extract from the article:
“We want the UK….to be the best place in the world to start and grow a digital business”. With this ambitious aim, the Government has laid out its National Data Strategy, focusing on unlocking the value of data, establishing a pro-growth data protection regime, and championing international data flows to promote economic development. Already a feted success, the UK’s digital sector now stands behind only the US and China in global venture capital funding and directly employs more than 1.5 million people in London and other major UK cities. Despite its laudable aspiration, however, the Data Strategy signals post-Brexit regulatory intentions which risk inhibiting and choking off the future growth of this successful UK industrial sector.
Bonfire of data obligations?
Though it emphasises the importance of public support and maintaining trust in how personal data is used, the Data Strategy highlights business’ lack of clarity about current data protection rules, takes implicit aim at the burden of the current data regime on innovators and entrepreneurs, and laments costly over-compliance and consequent risk aversion. In response, the Data Strategy foreshadows alleviating data compliance obligations, particularly for SMEs, once the Brexit transition period ends on 31 December 2020. Although the Data Strategy carefully avoids specifics, the complexity of the GDPR’s principles-based system and one-size fits all approach have long been a bugbear for micro-enterprises. Indeed, acknowledging concern in its recent two-year review of the GDPR, the European Commission (EC) itself urged national data regulators to lend SMEs a helping hand by offering ready-made templates, training and consultancy helplines. Nevertheless, the EC rejected calls to exempt smaller businesses from GDPR obligations, arguing that data risks were not dependent on an operator’s size.
Cross-border transfer dilemmas
Equally contentious is the Data Strategy’s approach to cross-border data transfers, cited as being of fundamental importance for economic development. The Data Strategy complains that such transfers of personal data are currently being inappropriately constrained and celebrates that the UK will be able to make its own ‘data adequacy’ decisions to allow for extra-territorial personal data transfers in a post-Brexit world. Unlike EC adequacy decisions which involve consultation between the Commission, the European Data Protection Board (EDPB) collectively representing EU data regulators, and member state representatives, UK adequacy decisions will be in the gift of the Secretary of State, subject only to Parliament’s rarely used negative resolution procedure. The Data Strategy effectively suggests UK adequacy decisions will be ‘up for grabs’ in future bilateral trade negotiations.
The transfer of personal data from the EU to ‘third countries’ has been a running sore in relations with the US which has not been granted an EC adequacy decision. The European Court of Justice (CJEU) has twice torpedoed hard-negotiated EU-US personal data transfer mechanisms, first ‘Safe Harbour’ and most recently the ‘Privacy Shield’ on which an estimated $7.1 trillion of annual transatlantic digital trade relied. US-UK trade documents leaked to the media in late 2019 suggested the US was seeking to weaken European data protection in its ongoing free trade negotiations with the UK.
This article was published by Global Banking and Finance Review 29/10/20. You can read the full version on their site.