UK overhauls privacy rules and moves away from Europe’s GDPR

When Britain left the EU, the UK's Data Protection Act continued to apply rules that were functionally equivalent to GDPR – but no longer.
30 August 2021

UK overhauls privacy rules post-Brexit. What’s next? (Photo by LEON NEAL / AFP)

  • Coming regulations will differ from Europe’s GDPR
  • The government will pursue data partnerships with countries including Australia, South Korea and the US as part of a post-Brexit data regime
  • That may lead to substantial changes to the UK’s data protection law

The UK has a new post-Brexit strategy for data, and it begins with distancing the country from Europe’s GDPR, which has been the data and privacy ‘law of the land’ for the last few years.

Known in full as the European Union’s General Data Protection Regulation, the controversial GDPR came into effect three years ago and is still the blueprint for UK privacy law, its rules having been introduced in the country’s 2018 Data Protection Act. Now that it has left the EU, the UK plans to prioritize establishing new data deals with other countries, including the US, Australia, Singapore, and South Korea.

As an EU “regulation”, GDPR became UK law the second it was put into effect, on May 25, 2018. If the government had left it at that, it would have ceased to take effect on January 1, 2021, when the UK’s exit from the EU was finalized. But the 2018 Data Protection Act, introduced by Theresa May’s government, rewrote the UK’s own data protection laws to mirror GDPR, so there would be no conflict between British and European law.

The new British data protection rules would differ from Europe’s GDPR, according to the government’s proposal published last Thursday. The nature of those changes will be crucial for determining whether the UK can maintain a separate data agreement completed in June with the EU, which requires British privacy standards to remain equivalent to the Union’s rules.

Why the change of heart?

Announced last week by UK digital secretary Oliver Dowden, the proposed package of measures is intended to “seize the opportunities of data” to boost growth and trade and improve public services, but could mean significant changes in how the UK treats data. The freedom to chart its own course could also lead to an end to irritating cookie popups and consent requests online, said Dowden.

The government also mentioned there was potential to unlock more trade and innovation by reducing “unnecessary barriers and burdens” on international data transfers, which it hopes will result in faster, cheaper and more reliable products for UK consumers. In short, as Dowden puts it, the UK plans to move away from EU data rules with overhauls ‘based on common sense, not box-ticking’.

So what happens when the UK stops mirroring Europe’s GDPR?

To begin with, any changes will be constrained by the need to offer a new regime that the EU deems adequate; otherwise, data transfers between the UK and EU could be frozen. The June data adequacy agreement with the EU could be affected if UK changes diverge too far from EU data and privacy standards. As it is, there are already issues when it comes to data transfers between the EU and the US.

It has also been reported that any future data regulation will be aimed at convincing other nations that the UK’s data protection is adequate by their own standards, to allow for free and easy transfer of information across international borders. So far, the government has announced six target regions for a series of global data adequacy trials including Australia, Colombia, Dubai, Singapore, South Korea and the US. But the UK will look to prioritize the addition of India, Brazil, Kenya, and Indonesia to that list.

This would help overcome data protection barriers blocking trade, estimated to be worth £11 billion per annum. The proposal comes alongside a number of proposed measures to increase trade and innovation via tweaks to the UK’s data program, as well as the appointment of New Zealand’s current privacy commissioner John Edwards to be the UK’s next information commissioner.

There are inevitably downsides to such maneuvers. Drastic changes to the UK’s privacy rules might not only jeopardize the EU data agreement, but might also mean companies that operate in the EU and Britain would need to spend more time and money to comply with both systems. Nevertheless, the government said it would open its proposals for public comments in the coming weeks before making legally binding changes.