In May of this year the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) published a report highlighting the government's intent to replace the GDPR with a new UK framework for data protection. In what has been seen as a poor choice of words, this recommendation referred to personal data as “currency” and outlined multiple targets, including creating a more “business friendly” environment.
On August 26th this intent took form in a statement outlining a series of changes, chief of which is a new list of countries (data partnerships) to which personal data collected from UK residents could be transferred without the need for additional controls.
In keeping with the earlier poor comms choices in the TIGRR report, the list of countries appears on a map provided by the UK government (see figure 1) where the only aspect highlighted is a value in pounds for each new country proposed, underlining that the key driver for the government is income.
The most contentious country on the list is the United States, which lost its data adequacy ruling with the EU when Privacy Shield was struck down by the European Court of Justice. The court deemed that US law fails to protect European data in line with the GDPR.
The impact to businesses
- Organizations will be able to transfer personal data collected from UK residents to an expanded list of countries without the need for a transfer mechanism.
- Organizations will have to continue applying EU cross-border transfer requirements for personal data collected in the EU and stored in the UK.
- For countries that do not appear on the list, the UK Information Commissioner's Office (ICO) started a public consultation on the new international data transfer agreements (IDTAs) that will replace the EU standard contractual clauses (SCCs). Once these are in place, organizations will have to juggle two sets of paperwork, SCCs and IDTAs, depending on whether the data is collected from EU residents or from UK residents.
- If the UK diverges too far from the GDPR, it may lose its EU adequacy ruling (granted in June 2021), which is due for review at the two-year mark. This potential risk will cause many organizations that rely on the ruling to store personal data in the UK to transition to EU storage, further impacting the UK cloud business, which has suffered substantially following Brexit.
The impact to UK residents
As UK residents, we will have to wait and see the full government proposal intended to replace the DPA.
But the fact that the government has green-lit transfers to countries that the EU has specifically restricted indicates that UK residents will be getting diminished privacy protections under the new legislation.
Many will be looking to the ICO for guidelines detailing the operational criteria and associated oversight that will accompany these changes.