In the fight for data privacy, the battle lines are rarely clearly drawn. Deciding when a company’s legitimate interest to process data outweighs an individual’s right to privacy can be exceedingly complex.
Elizabeth Denham, the information commissioner, deals with these issues on a daily basis, issuing fines virtually every week. She has built the UK Information Commissioner’s Office into a world leader in data protection and commerce, earning a reputation for clarity and fair dealing.
The ICO has done much of the heavy lifting in streamlining Europe’s data protection rules, giving Britain significant influence over the General Data Protection Regulations that come into force in the European Union in May. Ms Denham’s work has also influenced the UK’s Data Protection Bill that will ensure continued compliance with the EU after Britain leaves.
These measures will allow digital data to flow between the UK and EU countries after Brexit, an essential precondition for so many businesses, from the small ecommerce companies selling products to France to the consumer goods multinational targeting advertising all around Europe.
As part of its Brexit negotiations, the government has sought an “adequacy decision” from the EU to say that it accepts that our data protection will be “essentially equivalent” to that provided in EU law. Thanks to the ICO’s work, the UK should more than meet this test, although nothing is assured. Should adequacy be agreed, data should continue to pass freely between the UK and Europe after Brexit as usual.
Without an adequacy agreement, data flows will not stop abruptly. PWC, among others, has pointed out that British organisations already use other legal principles, such as contractual necessity, to transfer personal data to third countries. But such arrangements are likely to be more expensive and burdensome, particularly for smaller players.
A more significant “unknown” is the nature of Britain final data arrangements with the EU, specifically whether the ICO will have a seat on the European Data Protection Board that will interpret data protection across the EU post-Brexit. If so, will she get voting rights or merely have observer status, like Norway and Iceland?
The advertising lobby, notably the Direct Marketing Association and the Advertising Association, are pushing for full voting rights on the new board. They have been joined by global technology players such as Facebook, Google and Twitter. None of these parties is known for cosying up to regulators. But even they argue that supporting General Data Protection Regulations and securing a voice for Britain in Europe on data would be a big win for their industries and for consumers.
This view is not universally popular in Theresa May’s cabinet, where some voices suggest that if the UK continues to align itself with the EU on data protection after Brexit this will harm the ability to trade with third-party countries. They would rather see the UK draw up its own rules, more closely aligned with the US, with fewer data privacy protections for individuals.
For now that view does not seem to be gaining ground. In Germany last week Mrs May argued strongly for “an ongoing role for the UK’s Information Commissioner’s Office” in Europe after Brexit. Significantly, she called for a “bespoke arrangement” on data that would guarantee Britain a seat at Europe’s data protection table.
Full membership may be too much to hope for, but the prime minister is right to push for it. As no other third country will be in this position, it would give the UK a unique edge and would ensure minimal disruption for businesses operating across EU borders and maximum protection for consumers.
Source: The Times