All is calm, if a little complicated

During the whole Brexit debate, there weren’t as many promises made about personal data as there were about fish. Whatever your views on Brexit, unless you are a privacy geek like me, you probably didn’t think much about the consequences for personal data.

The good news is that not much has changed on the surface (for now). Prior to the UK leaving the EU, the Data Protection Act 2018 (DPA 2018) came into force which effectively copied the EU General Data Protection Regulations (GDPR) and added some provisions around the role of the regulator in the UK (the Information Commissioner), law enforcement, the intelligence services, special category data (such as health data) and criminal convictions and offences.

However, to complicate matters, on 1 January 2021, the UK GDPR came into force which, again, copied the GDPR, but did things like change references to EU institutions to UK institutions. That means that a company in the UK potentially has to comply with the DPA 2018, the GDPR and the UK GDPR. 

The good news is, if you’ve been complying with the GDPR and continue to do the same, you should be just fine – for the moment.

The rolling waves

Just like fish, data doesn’t recognise national boundaries. Data swims from one place to another. Often we don’t know where it’s going, or where it’s been. 

And like our fish, we are very protective of our data. We don’t want just anybody being able to catch it and process it any way they like. And that is why the GDPR (and the UK GDPR) have provisions which restrict where an organisation can transfer personal data, and what it can use it for.

Prior to Brexit, UK personal data was allowed to swim freely in a big EU pond, a situation that has been agreed will continue until the end of June. To enable personal data to swim freely after this time, the UK and the EU have to agree what is called an ‘adequacy decision’. This is the way in which the EU deems some ponds as safe and some as unsafe. New Zealand’s pond is deemed safe by the EU; the USA’s pond isn’t.

A draft adequacy decision for personal data swimming from the EU to the UK has been announced by the EU, and the UK has already said that the EU is safe for its personal data. Hopefully, the EU will formally announce that the UK is a safe place shortly, although that will only be for four years and then the EU wants to check again.

Storm clouds approaching

So far, so sensible. UK fish swim in the EU pond and EU fish swim in the UK pond. The problems come because we want to catch each other’s fish. Politicians start talking about “taking back control”. Our fishermen hoped this would mean keeping French trawlers out of UK territorial waters and more UK fish for UK fishermen. But EU fish swim into UK waters. It’s all one big pond. 

In personal data terms, we need to recognise that personal data swims between the UK and the EU and vice versa. We need to recognise that there is value for all of us in protecting that personal data. As Ali Shah of the ICO said in the DCMS/ICO joint announcement on data sharing 19 March 2021: “Data is the lifeblood of the digital economy, and the sharing of personal data is key to opening up new opportunities”.

The long term forecast

An adequacy decision should be agreed because it makes economic sense. This won’t stop politicians in both the EU and the UK posturing. Such posturing rocks the boat. Take UK Government minister Oliver Dowden’s comments in his article in the Financial Times on 27 February 2021. He says that the GDPR “has hampered innovation and the improvement of public services, and prevented scientists from making new discoveries”.

Dowden doesn’t say what innovation has been hampered, which public services have gone unimproved and which scientific discoveries have been prevented by the GDPR. He needs to be careful. We don’t want the EU thinking that the UK GDPR is going to move away from the GDPR; that the UK is no longer going to be a safe pond. Otherwise we may find ourselves in the same position as the USA.

Data does, indeed, have value, and personal data can have a lot of value. Is there something specific in the GDPR which is holding the UK back? Is there something that the UK could come up with that would be better for individuals or businesses? Is there anything more behind the rhetoric of “take back control”. I doubt it. Probably better if the government holds back on the rhetoric, saves the value of our data economy and focuses its attention on salvaging our fishing industry.