Digital secretary Oliver Dowden has outlined the UK government’s plan approach to data post-Brexit, indicating that it intends to strike new international data partnerships and broaden the remit of the next information commissioner to ensure data is used to achieve social and economic goals.
In an op-ed for the Financial Times, Dowden wrote that data has largely been viewed through the lens of risk in recent years, and that many businesses and organisations are reluctant to use it either because they do not understand the data protection rules or are afraid of inadvertently breaking them.
Claiming this outlook had “hampered innovation” and “prevented scientists from making new discoveries”, Dowden wrote that the UK government’s approach is “one that no longer sees data as a threat, but as the great opportunity of our time”.
As part of this new approach, Dowden has indicated the UK’s next information commissioner will have a much broader remit to help organisations maximise the utility of data.
“The next information commissioner will not just be asked to focus on privacy, but be empowered to ensure people can use data to achieve economic and social goals,” wrote Dowden.
“The pandemic was full of such examples, like hospital trusts sharing lung scans to improve coronavirus treatment methods. Data has many such wider societal benefits, and as we emerge from the pandemic, the UK has an opportunity to be at the forefront of global, data-driven growth.”
The shift in the role of the information commissioner falls in line with the government’s national data strategy, which aims to foster innovation while also increasing economic growth.
According to the information commissioner job description published 28 February 2021 on the Cabinet Office website: “The Information Commissioner’s Office (ICO) is now one of the most important economic regulators in the UK, responsible for supervising almost every organisation in the country, as well as the public sector.”
It added that the information commissioner, who will earn £200,000 per year, is a demanding and high-profile role, and that the candidate “must be willing and able to steer the ICO through a dynamic period of change, refining processes and decision-making” as well as play an active role in sustaining the regulator’s “world-leading reputation”.
The role specification added that the new commissioner is responsible for “supporting innovation and growth when discharging their duties”, which includes giving advice to members of the public about their information rights, taking action to improve information rights practices, and advising businesses on how to comply with data protection laws while minimising the regulatory burdens on them.
The new commissioner must also possess “commercial and business acumen, including an understanding of how the data protection regulatory environment impacts on business and how to help them”.
The current information commissioner, Elizabeth Denham, was appointed in July 2016 after serving as information and privacy commissioner for British Columbia in Canada. While her term was scheduled to end after five years in July 2021, Denham agreed to stay in the role until October while the recruitment process is completed, following a request from Dowden.
New international data partnerships
In the op-ed, Dowden added that with the UK having left the European Union (EU), it has the freedom to strike new international data partnerships with fast-growing economies around the world, and that it can do so much faster than the EU.
“There is a huge prize to be won here. According to initial government estimates, £11bn of UK service exports currently go unrealised due to barriers to international data transfers,” he wrote.
“The EU has been slow to act on this, declaring only 12 countries ‘adequate’ in the past few decades. By being more agile, the UK can capitalise on a multibillion-pound opportunity to boost trade in sectors where physical distance is no object. I will shortly announce our priority countries for data adequacy agreements.”
The purpose of data adequacy decisions is to determine whether a country, or sector within a country, outside the EU has essentially equivalent data protection standards to the bloc and therefore whether data can be shared with it
While UK ministers do have the power to revoke or determine their own data adequacy decisions under provisions in the EU Exit Regulations, the mechanism available offers little Parliamentary scrutiny and could undermine the UK’s own prospects of being deemed adequate by the EU if it is used to create new adequacy jurisdictions that do not match the bloc’s assessments.
Dowden further added while the UK government is committed to “maintaining world-class data protection standards now that we’re outside the EU”, it does not need to copy and paste the EU’s General Data Protection Regulation (GDPR) to do so.
“Countries as diverse as Israel and Uruguay have successfully secured adequacy with Brussels despite having their own data regimes. Not all of those were identical to GDPR, but equal doesn’t have to mean the same. The EU doesn’t hold the monopoly on data protection,” he wrote, adding that the UK’s commitment to high standards was recognised on 19 February 2021 when the European Commission published two positive draft adequacy decisions.
In July 2020, the Court of Justice of the EU (CJEU) struck down the EU-US Privacy Shield data-sharing agreement for failing to ensure that European citizens had adequate rights of redress when data can be collected by the US National Security Agency (NSA) and other US intelligence services.
The ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the CJEU, found that people must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries as they would receive in the EU under the GDPR and the European Charter of Fundamental Rights, which guarantees people the right for private communications and the protection of their private data
While the European Commission has indicated its willingness to offer a data adequacy agreement for the UK under both the GDPR and Law Enforcement Directive (LED) – finding it’s data protection laws “ensure a level of protection for personal data… that is essentially equivalent” – both of these decisions will need to be scrutinised by the European Data Protection Board (EDPB) and receive sign off from EU member states before they can fully be adopted.
During this process, the EBDP and EU member states will need to take into account consideration of the rule of law, respect for human rights and fundamental freedoms, and relevant legislation, as well as its implementation – essentially meaning the UK’s laws will have to be assessed on how they work in practice, rather than just in theory.
In both adequacy cases, certain practices within the UK’s intelligence services and criminal justice sector (CJS) could undermine the country’s ability to secure a positive decision’s, but particularly under the LED which has stricter rules on how data can be transferred for law enforcement purposes.
These practices include the close relationship between the UK and the US due to the latter’s lower data protection standards, as well as the UK’s own intrusive surveillance regime, which has been enshrined in the Investigatory Powers Act 2016, otherwise known as the Snoopers’ Charter.
The growing use of US-based public cloud services by UK police and the wider CJS could also be a potentially huge problem for the UK’s ability to obtain LED adequacy because of the potential for remote access to that data and its onward transfer to a non-adequate jurisdiction.