EU: In defence of UK data protection reform
If it ain't broke, don't fix it, the saying goes. The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is a young, developing framework which is increasingly becoming a role model for jurisdictions around the world. Many companies and organisations are already adopting GDPR compliance programmes as a global standard. Against this background, the UK is proposing an ambitious reform of its GDPR-based data protection framework that is pro-growth and innovation-friendly. Is this ill-conceived or pure genius? Conventional wisdom would suggest that now is not the time to change a regime that has barely had the opportunity to show its potential. However, why shouldn't the UK take the opportunity to devise a regulatory framework that more fully supports its policy objectives? Is there room for improvement within the GDPR and can the UK lead the way?
To properly assess and answer these questions, it is necessary to put to one side any sentiments that one may have towards Brexit. Otherwise, if you are a fervent Brexit supporter, you will think that anything that amounts to diverging from an EU creation is the best thing since sliced bread (which unfortunately was an American invention rather than British). But if you regard Brexit as nonsensical, the chances are that you will be very wary of any attempts to diverge from the EU GDPR. In fact, a strong argument to leave things alone is that diverging from EU data protection law may lead to the withdrawal of the much-coveted UK adequacy. However, while losing adequacy would definitely be bad for the UK, the likelihood of that happening needs to be assessed on the basis of the likely outcomes of the proposed reform, not the idea of it.
What some people may not remember (or even know) is that the reform that led to the adoption of the GDPR was in fact triggered by a bold move by former UK Information Commissioner, Richard Thomas. In 2008, Thomas took the view that although the essential principles of European data protection law set out in the Data Protection Directive (Directive 95/46/EC) were still valid, a more progressive and pragmatic approach was needed to be effective in tackling the emerging data challenges. At the time, many people thought that wasn’t the wisest move, but two years later the European Commission saw the light and the rest if history. This is to say that what may appear unwise might in fact become the opposite if sufficient consideration is given to it, and the needs, benefits, and risks are realistically and objectively weighed up.
The reality is that regulating the use of personal data is an evolving need. As new technologies develop, new opportunities arise, and new threats emerge. A legal framework that remains static losses its effectiveness. Reforming UK data protection law does not necessarily mean altering the essence of that law or reducing its relevance. In fact, much of that reform can probably be undertaken without changing the black letter of the law. From applying a non-protectionist approach to international data transfers to emphasising the risk-based approach of the GDPR, there is significant room for adopting a progressive interpretation of the law while preserving its rigour. To the extent that legislative amendments are pursued, these can serve to provide greater flexibility in the application of the framework without weakening its effect.
Objectively speaking, there is a strong case for allowing the UK data protection framework to take its own direction. However, the success of the proposed reform to the current regime lies in the UK Government's ability to strike the right balance between a progressive and realistic new framework, and the need for consistency with the global approach to the protection of privacy and personal data. Above all, this should be seen as an opportunity to lead in the development of a truly effective framework that protects individuals while unlocking innovation and digital prosperity - not just in the UK, but globally. And that's a challenge worth fixing.
Eduardo Ustaran Partner
Hogan Lovells, London