Brexit shook up the UK’s data protection landscape, bringing with it a fair share of uncertainty, anxiety and confusion. One year on, the question that very much still remains unanswered is to what extent the UK will now diverge away from the EU’s data protection regime.
Lenitha Bishop, Head of DPOs at the DPO Centre, offers her thoughts on the year in privacy and data protection: “One of the biggest privacy and Brexit conundrums was whether the UK, once a third country, would be granted adequacy by the EU. Whilst perhaps initially considered it a foregone conclusion that the UK would be granted adequacy, this was jeopardised after the Schrems II decision invalidated the US-EU Privacy Shield based upon the US’ mass surveillance laws being deemed non-compliant with the EU GDPR – laws that are not dissimilar to the UK’s.
“Fortunately, after waiting with bated breath, the UK privacy industry’s prayers were answered and, again at the eleventh hour (a mere two days before the bridging period came to an end), the EU deemed the UK adequate in June… for now.
“Aside from the questions around the UK’s own adequate status, there was also ambiguity around which countries the UK would itself deem adequate, now that it could make its own adequacy decisions. Ultimately, the UK copied the EU’s homework and started by simply deeming adequate any country with an adequate status from the EU, plus the EU itself. However, we suspect it won’t be long before the UK’s list begins expanding at a far faster rate than its EU counterpart.
“If the DCMS’ recent consultation is anything to go by, not to mention the UK Secretary of State Nadine Dorries’ recent statement about “deepening the data partnership” between the UK and the US, it appears that there is clear intention to diverge quite dramatically. Whilst it remains to be seen how exactly this divergence will manifest itself, it is fair to say that when deciding how to move away from the EU’s restrictions, the UK will have in mind its goal of becoming a “global AI superpower”.
“In terms of how Brexit impacted other data protection laws, whilst it has always been clear that the ePrivacy Directive would continue to impact the UK post-Brexit, due to it being transposed into UK law through the Privacy and Electronic Communication Regulation (PECR), the UK now being free to diverge away from the Directive as it sees fit has brought with it uncertainty. How the UK will develop its laws in this area still remains to be seen, however, if the recent DCMS consultation is anything to go by, the UK may very well be disposing of many of the rules contained in the existing PECR. Questions also remain over to what extent, if any, the UK will choose to align its own regulation with the EU’s new ePrivacy and AI Regulations, which are both yet to come into effect. “
Lenitha continues, “The above uncertainties all also play into the wider question of whether the UK will keep its adequate status granted by the EU. Whilst the UK government has been extremely bold over recent months in their proposed reforms of UK data protection law, a delicate balance must be struck if it wants to keep its adequate status. If the UK does choose to implement the significant changes proposed in the DCMS’ consultation document, the UK’s adequate status will likely be left hanging by a thread. For now, we just have to wait to see the result of the consultation, as well as what else 2022 has in store.”