Prince Charles announces UK ‘data reform’ bill, throwing EU adequacy status into limbo

During the Queen’s Speech this week, Prince Charles confirmed reports that the government of the United Kingdom is in the process of reforming its data privacy rules, raising questions among experts about whether the country will still be in compliance with European Union regulations.

After Brexit, the EU adopted a “data adequacy” agreement with the U.K. that meant data could flow freely between the two jurisdictions since there was a roughly similar level of protections and safeguards in place in the U.K. to ensure that European citizens could have their GDPR rights respected.

But the rules have come under fire from conservative politicians and businesses that criticized them for being onerous and costly. 

On Tuesday, Prince Charles said the “the U.K.'s data protection regime will be reformed” and later said they would “create a first-rate data rights regime."

The speech comes after the U.K. government in September published a “consultation” that said the GDPR rules were a “regulatory burden” on businesses. It is part of a larger effort by the U.K. to cement the legal separation that was kickstarted by Brexit. 

Responses to the speech and the larger effort to reform the U.K.’s data privacy rules ranged, with some expressing concern about what the changes would mean for privacy in the country.

Cillian Kieran, CEO of privacy company Ethyca, said the effort to create a less stringent regulatory regime puts the hard won data adequacy agreement with the EU at risk.

"Without adequacy status with the EU, U.K. businesses could find themselves in a position that resembles that of U.S. companies doing business in the EU, relying on piecemeal legal agreements all while a multibillion-dollar industry remains in limbo,” Kieran said. 

Changes which seem to be mainly substantiated by economic research, funded by economic bodies, and with no consideration on the potential impacts of real people, their rights and their freedoms. Truly a dire day for the sector.

— Denise R. S. Almeida (@denisersalmeida) May 10, 2022

“Legal cases like Schrems I and II have defined a decade of uncertainty for thousands of businesses, with a central tension between U.S. government intelligence and EU data protections," Kieran explained. "The world is seeing how difficult it is to square distinct protection regimes, and the Data Reform Bill could introduce a similar issue in U.K.-EU data flows."

Kieran referenced the legal cases brought forward by privacy activist and lawyer Maximilian Schrems, who filed a complaint against Facebook Ireland for their practice of transferring data from the EU to the U.S. Schrems argued that because Facebook was involved in U.S. intelligence agencies’ PRISM mass surveillance program, it was in violation of GDPR rules. 

He eventually filed a second case and courts in Ireland ruled that European data protection authorities must stop transfers of personal data made under the standard contractual clauses by companies like Facebook.

John Hetherton, head of compliance at encryption firm Evervault, told The Record that given the current stalemate between the U.S. and EU over Schrems (ii), the U.K. would be unwise to deviate too far from the GDPR and risk losing its adequacy status. 

“Large Tech currently find themselves in the unenviable position of having to duplicate infrastructures already present in the U.S. into Europe in order to process EU citizens' data in line with GDPR, a fate that U.K. organizations are keen to avoid,” he said. 

While it appears rule makers want to weaken the rules around data for U.K. residents, Hetherton said the U.K.'s Information Commissioner's Office has traditionally been strict when it comes to levying fines against those who violate privacy rules. 

"It sounds like it, however, I wouldn’t see this as a carte blanche to be free and easy with personal data in the U.K.,” Hetherton explained. “If the law is truly simplified, it should be even easier to police, for example, organizations should be able to demonstrate they have foundational organizational controls in place to protect personal information.”

Ethyca’s Kieran joined others in criticizing those who claim the strict data privacy rules were an impediment to innovation, noting that the rules “offer huge efficiencies in terms of both resource and planning certainty for U.K.-based companies doing business in Europe.”

He added that any new rules may actually be more of a burden on U.K. businesses who will then be forced to spend years reworking data and data transfer policies as a result of losing adequacy with the EU. 

On Sunday, ahead of the Queen’s Speech, Prime Minister Boris Johnson slammed the rules and said the reforms were part of a package of seven bills designed to capitalize on the “immense opportunity that our newfound Brexit freedoms bring.”

'The Data Reform Bill will seek to improve the “burdensome GDPR” system and allow information to be shared more effectively and securely between public bodies'https://t.co/eRMTFEMOOX

h/t @POLITICOEurope

— Gavin Freeguard (@GavinFreeguard) May 8, 2022

Johnson went on to claim that the GDPR rules “don’t work” for the U.K. and said the Data Reform Bill will “improve the burdensome GDPR” to “allow information to be shared more effectively and securely between public bodies.”

But Kieran said jurisdictions need to be able to bridge their requirements for data processing in order to preserve data flows and promote collaboration. 

"It would be shortsighted to base a consequential shift in data protection standards on the high cost of compliance. Government and business must approach privacy and innovation as partners, not opponents,” he said. 

“These tensions are not an indicator that the standards are at issue; rather, they are a signal that our means for achieving those standards should be revisited and improved."