The UK thinks it can fix GDPR. It’s wrong

The UK has left the European Union. It’s left the single market. And now it wants to leave behind the rules that require companies protect your personal data. The European Union’s General Data Protection Regulation (GDPR) has its flaws, as any middle manager required to rework processes and fill out paperwork about data handling ahead of its implementation in May 2018 knows all too well. This paperwork was singled out by Oliver Dowden, the UK’s culture secretary, who oversees the country’s digital policies, in a Telegraph interview announcing the UK would diverge from key parts of the GDPR last week. The government announced its proposed choice for the new head of the UK’s data regulator, the Information Commissioner’s Office at the same time. But the potential GDPR changes got the most attention. Among the targets of those changes? “Pointless bureaucracy”, “box ticking” and red tape.“The GDPR is by no means perfect, and charitably you could see the UK trying to take a lead in fixing some of the issues,” says Lilian Edwards, professor of law, innovation and society at Newcastle University. For instance, there's been a lack of enforcement action from data protection bodies across Europe. “Sadly, this is almost certainly a futile publicity seeking effort,” Edwards says of the UK’s nascent efforts. In practice, the UK’s plans to fix GDPR – which currently are extremely high-level and vague – could put it on a collision course with the European Union. Moves designed to stimulate new business could in fact bring to an end existing data-sharing deals. And the UK’s plan to “set world-leading, gold standard data regulation which protects privacy, but does so in as light touch a way as possible” is misguided. It simply won’t work, experts say.“God knows there are some areas of privacy law and data protection regulation we could tweak for the better of everyone involved,” says Heather Burns, policy manager at Open Rights Group, a UK campaign group protecting digital privacy. But Burns says the UK’s plans aren’t a good faith attempt to find a third way to solve data issues. “This is deregulating privacy laws and data protection safeguards in the commercial interest of industry.”Burns believes that the UK is trying to liberalise access to data to generate a broader market for it. “The British government’s vision is to create a market of applications that watch what you’re saying and doing it, and privacy rights and safeguards are a major obstacle to that.” Worst of all, Burns believes it’s fundamentally unachievable. “It’s classic Brexit cakeism,” she explains. “It’s having your cake and eating it, too.”The UK has spent the last several months trying to achieve data adequacy with the European Union, which has stringent rules over where data of its users can go. It managed to come to an agreement for a four-year adequacy deal in late June. The concept behind data adequacy partnerships is to prevent organisations having to introduce specific measures that show compliance to data rules by themselves – which the government calls “costly” – to share personal data. Instead, it’s given that signatories to adequacy partnerships are trustworthy and able to handle personal data safely. Alongside the European Union, the UK has adequacy partnerships with countries such as New Zealand, Japan and Canada – and wants to do more deals with other countries in the future.Yet each deal it does potentially weakens its adherence to pre-existing data adequacy agreements, including with the EU – many of whose members raised concerns about the risk of the UK diverging from those agreements, potentially imperilling EU users’ data. “We are talking here about a fundamental right of EU citizens that we have a duty to protect,” said Vera Jourova, EU vice president for values and transparency, in late June when the EU-UK deal was announced. “This is why we have significant safeguards and if anything changes on the UK side, we will intervene.” The UK’s agreement with the EU contains a sunset clause, or defined end date, which is unusual and, as one source says, was designed by the EU to head off the fear of exactly what the UK appears to be doing.The European Union may well find it has to intervene earlier than 2025, when the agreement comes to an end, given the UK’s announced plans. Take the countries the UK said were on its target list for signing new adequacy agreements: they include the United States, South Korea, Singapore, Dubai, Colombia and Australia. The United States’ data handling practices have long been an issue for the European Union, and are the subject of repeated, ongoing legislative battles – the Schrems and Schrems II cases, where Austrian lawyer Max Schrems fought for the right for his data to remain protected under European data rules when transferred to the United States. “When the UK was inside the tent, because of how the European project has gone, there was kind of an understanding that the UK-US data transfer stuff wouldn’t be worried about,” says Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, an independent lobby group.Now they’re outside the tent, that’s an issue for companies handling data that operate within the European Union. “While adequacy might be great for a UK controller doing business with [a] third country, it doesn't significantly change things for the ultimate data controller in the EU or solve the issue of onward transfers to countries not adequate from the perspective of the EU,” says Daniel Sereduick, counsel at Shift Technology, a Paris-based AI insurance optimisation company. Essentially, every time the UK brokers a new deal with a third country because it’s now able to outside the EU, it increases the likelihood that its own agreement with the EU is nullified. “This free flow of data between the EU, UK and US is obviously an issue,” Ryan says.And it’s an issue that’s amplified by the way the UK, and Dowden, presents itself. “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK,” he said. “It means reforming our own data laws so that they’re based on common sense, not box-ticking.”The decision to diverge from European standards is unsurprising, one European insider told WIRED, given the broader sweep of geopolitics in post-Brexit Britain, and smaller clues such as the use of “personally identifiable information” (a US term) rather than “personal data” (a European one) in official documents. It was also noted by those outside the UK that the job advert for its new information commissioner focused more on helping businesses than protecting personal data. John Edwards, the proposed candidate for the information commissioner job, said he looked forward “to the challenge of steering the organisation and the British economy into a position of international leadership in the safe and trusted use of data for the benefit of all”. The lack of acknowledgement of personal data protection may be a concern for individuals.But what Oliver Dowden calls “common sense” is seen as absurd by others. “This is much bigger than data protection,” says Ryan. “Can the UK make itself a Singapore of Europe? Can it somehow gobble up the services market from Europe by lowering regulatory standards?” (A European Union source points out that unlike the UK’s current mooted plans, Singapore does, in fact, have a reasonable data protection framework.) If the UK does so, in pursuing more customers outside the EU, it looks likely to lose its bigger customer – the EU itself. The free flow of data to the European Union is worth £85 billion to the UK, according to the UK government’s own figures – equivalent to 13 per cent of all its global trade. “The [European] commission has signalled if it deviates from the data protection standards it’s supposed to pay lip service to, that adequacy agreement is going to fizzle out,” says Ryan. “It’s going to threaten the viability of the digital services industry in the UK.”It’s also a curiously out of step decision by the UK, says Burns. “It’s almost surreal when everyone from the United States to China is moving towards greater protections and privacy, that it’s just the UK moving in the direction of ‘scrap all that, get rid of it, let’s have fun with all the data.’ The notion that a nation of 70 million people can create a third way between China, the US and Europe is frankly delusional.”Businesses are likely to see that, too. While Dowden and the UK government may present their plan as a revolutionary honey trap that will see companies and countries swarm to take advantage, pragmatism is likely to win out. While getting rid of cookie banners on websites may seem like a saving grace – although it’s already being tackled by the European Union’s ePrivacy directive – the reality is that most companies will stick to the broader, stricter standards established by the European Union. Following the strictest rules is likely to mean a company is well-covered in all locations, rather than following multiple rules in different jurisdictions.“Multinational firms – which doesn’t mean just tech giants but also almost any firm that sells into the EU or abroad – will always prefer to have one set of laws to follow, almost no matter what they are, and the EU GDPR standard is not only mandated when contracting with the EU, but increasingly the global gold standard,” Edwards says.That’s what the European Union believes is likely to happen, WIRED understands. An absence of institutional knowledge about data protection within the UK government, coupled with a strong anti-European stance within the Conservative party, means the decision appears to be more ideological than rooted in technical consideration of user benefits. “The UK is treading a fine line with all this nonsense,” one EU source told WIRED. “I don’t think much deep thought has gone into this.”More great stories from WIRED🌎 Sign-up to WIRED’s climate briefing: Get Chasing ZeroHidden Arctic caves hold secrets about our past and futureFed up of your job? You could join the Great ResignationZoom dysmorphia is following us into the real worldOn YouTube, you’re never far from a dying kittenToo much Google? Try these Google search alternativesA radical plan to treat Covid’s mental health falloutThe 100 hottest startups in Europe in 2021🔊 Subscribe to the WIRED Podcast. New episodes every Friday