Improving the attractiveness of the UK to technology and innovation is one of the topics of the Conservative Party's bid for brexit, which is also reflected in the UK's national data strategy. The strategy aims to refocus national legislation on data as an opportunity and driver of economic growth. After brexit, the strategy became the UK's global data plan. The plan sets out the ambition of making the UK a "technological superpower", puts forward the goal of establishing a global data partnership with major international partners, and consults on a new data system.
The UK's data reform plan has raised concerns in the EU that it may lead to the transfer of EU personal data to third countries with imperfect privacy standards.
On May 10, 2022, Prince Charles delivered a "speech to the Queen's parliament" on behalf of Queen Elizabeth, including 38 bills expected to be passed in the new year, including the data reform bill.
The bill, which aims to guide the UK to deviate from EU privacy legislation, will be used to reform the existing general data protection regulations (gdpr) and data protection act in the UK.
At present, the UK's data protection law draws lessons from the EU's general data protection regulations (gdpr). However, it expressed disappointment at the overall complexity of past regulation After brexit, lawmakers are seizing the opportunity to create what they call a more results oriented and flexible data protection system
1、 Background: get rid of the strictness and redundancy of gdpr
Data is one of the most important resources in the world. It not only promotes the development of global economy, but also promotes science, innovation and various technological changes After leaving the EU, the British government will have the right to establish a new data system to benefit British citizens and British enterprises, while maintaining high standards of data protection
The press briefing of the Queen's speech provided key information on the goals and objectives behind the data protection reform, but there were no details on the actual legislation.
The British government has seen brexit as an opportunity to get rid of the strict and onerous gdpr system The UK has previously expressed dissatisfaction with EU data regulation, but also showed its intention to establish a better framework.
In particular, Prime Minister Boris Johnson's legislative goal is to provide a "growth promoting and trustworthy" framework that does not encourage unnecessary paperwork as existing laws do, nor does it add too much "burden" to enterprises.
The UK government hopes to take some legislative interventions to develop the UK gdpr system to make it more suitable for the 21st century and the digital / data economy. The ultimate goal is to establish a data system more conducive to growth and innovation, while maintaining the UK's world leading data protection standards.
2、 UK data reform values "results" and reduces the burden for enterprises
The summary of the Queen's parliamentary speech outlined the purpose of the data reform act:
*Reduce the burden of corporate data compliance: * improve the competitiveness and efficiency of UK organizations by reducing the burden faced by UK organizations in terms of data, including "creating a data protection framework focusing on privacy results rather than single choice questions", and the research rules and data used in research will also be "simplified", so as to help scientists innovate and improve the living standards of British people.
*Information Commissioner's office ) Modernization level: * empower ICO to take stronger action against violators and make it more accountable to Parliament and the public.
*Empowering citizens: * through the smart data schemes, appropriately expand the use of medical and social security data, effectively provide public health care, security and government services, empower citizens and small businesses to control their data more, and help those in need of medical assistance.
*Regulatory environment: * the government's goal is to create a "clearer" regulatory environment for personal data, which they say will "promote scientific progress" and produce "responsible innovation". In addition, the bill aims to ensure that regulators "take appropriate action" against organizations that violate data rights.
In addition, the concluding part of the speech also pointed out that since some measures are only extended and applied to England and Wales, the application of the data reform act is mainly within the territory of the UK.
The speech listed some key facts to promote data protection reform. For example, the Ministry of digital, culture, media and sports carried out relevant analysis. According to the analysis report, by reducing various burdens of enterprises, these reforms saved enterprises more than £ 1 billion in one year**
3、 UK data reform may conflict with gdpr, resulting in negative consequences
As early as December 2020, the British government proposed the national data strategy, which set out its goal of releasing data value and promoting responsible growth by reducing the administrative burden of technology innovators and digital entrepreneurs. The strategy raised concerns that the UK's new data policy might violate the EU's general data protection regulations.
Gdpr sets a very high data protection threshold for companies within the EU
In July 2021, the European Commission officially granted the UK sufficient status to access EU data through the adequacy decision based on gdpr and law enforcement directive (LED) for UK data protection. This proves that the UK legal framework provides sufficient protection compared with EU privacy standards.
At present, the free flow of data is based on the agreement signed by the EU and the UK last year. This also means that personal data can flow freely between the EU and the UK for at least the next four years**
However, any change to the status quo will lead to a review of the agreement. Without such protection, data will not be able to flow freely between the EU and other relevant countries. The EU's reason is that this can ensure the security of EU citizen data**
The UK made no secret of its ambition to establish other cross-border data flow partnerships and pointed out that Australia, Colombia, Dubai International Financial Center, South Korea, Singapore and the United States would be their top priorities. The UK also plans to forge partnerships with Brazil, India, Indonesia and Kenya in the long term.
These priority lists have attracted the attention of the EU because privacy protection standards in countries such as Australia, Singapore and the United States are far from gdpr. Therefore, the EU is concerned that the UK may cause the transfer of personal data of EU data subjects to jurisdictions without adequate protection measures.
In view of this, the European Commission decided to allow the Commission to reverse this decision in the event of major changes in UK policy**
For example, the "sunset clause", which will automatically invalidate the data adequacy decision in 2024, will depend on whether the UK can maintain equivalent privacy standards.
The greater the adjustment made by the UK before renewing the adequacy agreement with the EU, the greater the danger signals and risks.
Relevant research points out that the loss of data adequacy identification may lead to the total relevant costs of British companies reaching £ 1.6 billion, which mainly comes from the administrative and legal costs related to the alternative transfer mechanism of standard contract terms.
The EU's Adequacy decision does not require the formulation of the same rules in third countries, but requires basically similar data protection results Losing its full status in the EU could reduce Britain's attractiveness to technology entrepreneurs According to a study by the house of Commons, 43% of large EU technology companies are founded in the UK, and 75% of UK cross-border data come from EU countries.
Some UK data compliance professional institutions believe that according to the method promised by the government in the data reform act, the current compliance model may not need to be completely reformed, but it may mean that UK organizations can adapt to adopt more flexible data protection compliance methods.