Cyber Security

Leaving GDPR Behind

Leo Hynett

The UK government is attempting to escape the grips of data protection regulations imposed by the EU which have been described as ‘too bureaucratic and overly prescriptive’. Britain has the opportunity to overhaul its privacy rules in the wake of Brexit and government officials are exploring what this could mean for the future of the UK’s data policy.

Oliver Dowden has said the change will ‘turbocharge the UK’s digital economy and allow data to be used more flexibly.’ For some, the idea of flexible use of their personal data is an unsettling one. Other internet users have rejoiced at the news and look forward to the internet being free of cookie popups.

The GDPR rules brought in by the EU in 2018 remain in place in the UK despite our exit, but it will be possible to break away from them if a new set of regulations can be drawn up. The UK government will not be entirely free to make their own rules though, ‘any changes will be constrained by the need to offer a new regime that the EU deems adequate, otherwise data transfers between the UK and EU could be frozen.’

Current UK rules already deviate mildly from typical European GDPR. The UK’s Data Protection Act of 2018 made some minor adjustments, including ‘a higher number of lawful bases for processing sensitive data.’ Whether the government’s new plan will involve more or less personal data sharing than current policy is yet to be seen.

Undergoing transformation

Coming up with a new set of rules won’t be easy, especially because they will need to still gain the approval of the EU. If the Brexit negotiations are anything to go by this will be a lengthy process. It is not only the EU that the UK needs to appease with these new regulations, the government has announced six target nations for adequacy agreements including the US, South Korea and Australia.

Creating new regulations will be a careful balancing act between decisions that benefit UK citizens and businesses whilst also continuing to act in the interests of the EU. If the government leans too far in either direction, criticism will be strong. There is equal potential for fresh tensions with the EU and public criticism, so the government must tread carefully.

‘A new information commissioner will be put in charge of overseeing the transformation. John Edwards, currently the privacy commissioner of New Zealand, has been named as the government’s preferred candidate to replace Elizabeth Denham, whose term in office will end on 31 October after a three-month extension.’

Elizabeth Denham has encouraged the pursuit of trust and transparency in the creation of these new plans. Eduardo Ustaran, a co-head of the global privacy and cybersecurity practice at the law firm Hogan Lovells, stated that ‘the protection of personal data around the world comes in different shapes and forms, but can still be effective,’ suggesting that the UK could be the first of many countries to create its own tailored privacy regulations.

The way the government has approached the public regarding these changes has been interesting, the focus has seemingly been on how much easier life will be without GDPR ‘box-ticking’ as opposed to exploring the potential security benefits.

Goodbye, cookie popups

Culture secretary, Oliver Dowden, said that the UK’s ‘freedom to chart its own course could lead to an end to irritating cookie popups and consent requests online’.

This is an odd way to look at the issue and has parallels with the concept of positive and negative liberty. Negative liberty is the absence of obstacles, whereas positive liberty is the freedom to make choices and take actions for oneself. This may be more familiar when phrased as ‘freedom to’ or ‘freedom from’ – something that has been recently popularised by Margaret Atwood’s The Handmaid’s Tale. In this story, people chose freedom from chaos and lost the freedom to make their own choices.

Framing the move away from GDPR as freeing people from ‘irritating cookie popups’ ignores the loss of freedom to choose how personal data is stored and used. It arguably also feels like a deliberate act of misdirection – by so loudly focusing on the benefits, the downsides can be swept under the rug. Cookie popups are admittedly irritating, but getting rid of them does not seem worth giving up the huge amount of protection offered by GDPR.

Privacy campaigners will undoubtedly be scrutinising the new regulations heavily as the UK attempts to ‘cement its position as a world leader in data.’

The end of mindless box-ticking?

Although the protections offered by GDPR are great, being prompted to set cookie preferences on every site we visit has led to many people simply ticking ‘accept all’ without reading what they have agreed to. Some argue that this has led to little meaningful protection for citizens and has potentially allowed companies to collect more data than before because the consumer has agreed to it.

Moving away from the current model and towards one that has stricter blanket rules on data gathering could result in better protection – and, yes, also remove those irritating cookie popups along with it.