Science, innovation and technology secretary Michelle Donelan has said that a more agile approach to handling data and privacy issues is needed to meet the challenges of the unfolding “technological revolution”, and committed to continuing her “open door policy” with industry.
Speaking at a data protection event hosted by the International Association of Privacy Professionals (IAPP), Donelan outlined the benefits of the UK government’s proposed data regime, which was introduced to Parliament the day before as the Data Protection and Digital Information (DPDI) Bill.
Noting that the bill had been co-designed with industry from the very beginning, Donelan said “industry engagement is my primary focus” and that she will announce more opportunities for exchange and collaboration of expertise and ideas between government and the private sector in the coming months.
“As part of that openness with industry, I will continue my open door policy that I’ve always taken as a minister, where new ideas and concerns are always welcome,” she said. “Data protection laws have changed absolutely dramatically [over the past two decades]. But this change was incremental, piece by piece, building on best practice and constantly improving on what came before – our data bill represents the next step.”
Donelan noted, however, that the data bill is not all about industry, and that prior to the bill being published, “many commentators made the mistake of assuming that prosperity for businesses and privacy for individuals is a zero-sum game”.
She added: “I don’t see it as a trade off at all. Successful businesses need competent consumers who are clear about what happens to their data and need to trust that it will be handled with transparency, with integrity and, of course, with responsibility.”
The “current one-size-fits-all, top-down approach” to data protection, Donelan said, focuses too much on “ticking boxes”, and has also led to “public disillusionment and confusion” that has ultimately damaged confidence in, and support for, regulations such as the DPDI Bill.
“Outdated protection and privacy certainly does not work unless the public and businesses buy into it and agree that it’s proportionate, and they agree with its aims,” she said. “For too long, data privacy protections have been something to get around, to dismiss, or to not really understand or value.
“We want people to comply with our new data protection bill because they see and they understand the benefits for them and their businesses, not because they’re afraid of enforcement action, or bored of pop-ups – that’s why it’s really important we make it simple.”
However, she also noted the need for “real deterrence” to keep data safe in the UK, adding that the Information Commissioner’s Office (ICO) will be empowered under the DPDI Bill to levy fines up to 35 times larger than the current limit.
“We’re also modernising the Information Commissioner’s Office as a whole, ensuring that it has the capabilities and the powers that it needs, the freedom to allocate its resources and better accountability to both Parliament and of course the public,” she said. “The results of all of this will be overwhelmingly positive for the British public and our country.”
Reactions to the bill
Although the full effects of the bill in practice are yet to be understood, as the full text was only published on 8 March, reactions so far have been mixed.
Alistair Dent, chief strategy officer at data science consultancy Profusion, said there was a lot to like in the announcement of the bill, particularly around the certainty it will provide for British businesses.
However, he noted that a key issue is whether the bill will live up to its goal of ensuring businesses can continue sending personal data overseas via existing international transfer mechanisms.
“This is very important to UK businesses, as failure to make it compatible with, for example, GDPR, will mean that companies which deal with EU citizens’ data will have to comply with both sets of legislation – which will significantly increase costs,” he said.
“This bill is obviously at a very early stage and there’s a lot of areas that still need clarification – not least how it will be adequately enforced. We must remember that, despite its flaws, GDPR has really helped to improve online privacy and increase accountability for businesses. The government is very keen to be seen to be cutting red tape and using ‘common sense’ in its rule making, but this must not come at the expense of protecting people online.”
Georgina Graham, a data and technology lawyer at law firm Osborne Clarke, said: “Businesses will be pleased to see the new measures designed to reduce paperwork and increase flexibility around compliance – for example, records of processing have turned into an administrative burden for many businesses, so this proposed change might genuinely save businesses time and costs. Conversely, consumers will likely be pleased to see the increase in fines for nuisance calls and texts.”
She added that, with the EU-UK data adequacy decision scheduled for review in 2024, “the UK government will need to be mindful of the risks involved in diverging too far from the EU GDPR” if it wants businesses to continue sending data to Europe.
Commenting on the bill at the same IAPP event but on a different panel, former information commissioner Elizabeth Denham said: “The UK is walking that very fine line to make sure that we retain adequacy, and that’s what businesses in the UK want.”
She added, however, that she does not think the changes to the UK data protection regime are substantive, and would rather see the UK join other countries outside the EU with “full throated support for a new way” for regulating data protection.
During the same panel, Max Schrems, an Austrian lawyer who has been challenging the legality of various international data transfer mechanisms since the early 2010s, said the UK’s data reforms mean the country is no longer relevant from a European perspective when challenging poor data protection practices.
“If we go after a company, we’ll go after a UK company in Europe, we will go directly to Europe, it just is not relevant anymore from a litigation perspective,” he said.
Michael Queenan, co-founder and CEO of UK data company Nephos Technologies, said the UK government has “decided to sell out personal data privacy for business benefit and innovation” with the bill.
“When you remove regulations, compliance becomes cheaper, but at what expense? This needs to be collectively addressed to genuinely encourage business growth, drive innovation and protect our data,” he said.
“The new DSIT in principle is a good step, but it has its work cut out. Currently, promises are being made without adequate funding or tools to deliver. Besides, anyone who trades with other countries, including EU countries, will still have to comply with their data laws to be able to use the data of citizens from that country so I don’t really know how they can claim it makes international trade easier.”