Changes in data protection regulations are on the horizon, with John Edwards, the incoming head of the Information Commissioner’s Office (ICO), charged with overseeing a post-Brexit shake-up in the rules.
Edwards, currently the New Zealand Privacy Commissioner, has something of a reputation as a tough talker. Following the Christchurch mosque shootings in March 2019, he described Facebook as “morally bankrupt pathological liars who enable genocide [and] facilitate foreign undermining of democratic institutions.”
When he moves into the role, Edwards will reportedly have the mandate to go beyond the traditional function of the ICO. Edwards will be tasked with focusing on data protection while also promoting innovation and economic growth.
One concern already rearing its head is that Edwards’ appointment, along with the government saying it favours “light touch” regulation, could lead to a relaxation in data protection standards.
What changes are in the pipeline?
The government’s comments seem to indicate that it’s looking to reduce the burden on businesses, particularly around how data is collected.
One example given by Digital Secretary Oliver Dowden in an interview with the Daily Telegraph was cookie pop-ups on websites. Dowden argued many of these were “pointless.” Despite the current General Data Protection Regulation coming into force in 2018 – and the UK adopting the Data Protection Act 2018 to align with the European Union – Dowden described data protection reform as “one of the big prizes” of Brexit.
Dowden did, however, state that data protection would remain a priority. He told the Telegraph, “There’s an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people’s privacy but in as light a touch way as possible.
“Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK.
“It means reforming our own data laws so that they’re based on common sense, not box-ticking.”
While Dowden focused on web cookies in his interview, the proposed reforms will apply to various types of data.
Is consumer data likely to be at more significant risk?
As part of these potential data protection reforms, the government plans to create new “data adequacy” partnerships that will allow data to be sent abroad.
While it is almost certain that businesses will continue to need your permission to use your data, there is certainly potential for a relaxing of rules in some areas to lead to lax practices in others. For example, if there is some sort of “assumed permission” for things like web cookies in any future legislation, what else might businesses assume?
The potential data regulations shake-up is unlikely to increase the risk of malicious data breaches. However, it could certainly lead to an avalanche of cases of businesses using our data against our wishes or without seeking our permission, especially if “light touch” regulation is accompanied by light or invisible enforcement.
What happens next?
It’s vital to note that the proposed changes to data protection laws are just talk right now.
The government has promised it will launch a consultation regarding the evolution of data protection laws in the near future. There is likely to be significant scrutiny around whether the changes are seen to favour businesses or consumers, or manage to strike a balance that benefits all parties. The government’s report providing an overview of the proposals claimed that £11 billion of trade “goes unrealised around the world due to barriers associated with data transfers,” which may be an indication of the direction it is likely to take.