Britain will attempt to move away from European data protection regulations as it overhauls its privacy rules after Brexit, the government has announced.
The freedom to chart its own course could lead to an end to irritating cookie popups and consent requests online, said the culture secretary, Oliver Dowden, as he called for rules based on “common sense, not box-ticking”.
But any changes will be constrained by the need to offer a new regime that the EU deems adequate, otherwise data transfers between the UK and EU could be frozen.
A new information commissioner will be put in charge of overseeing the transformation. John Edwards, currently the privacy commissioner of New Zealand, has been named as the government’s preferred candidate to replace Elizabeth Denham, whose term in office will end on 31 October after a three-month extension.
Dowden said: “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK.
“It means reforming our own data laws so that they’re based on common sense, not box-ticking. And it means having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation. John Edwards’ vast experience makes him the ideal candidate to ensure data is used responsibly to achieve those goals.”
The GDPR data protection rules introduced by the EU in May 2018 are part of UK law even after Brexit, under the Data Protection Act.
The regulation imposes strict restrictions on what data controllers can do with individuals’ personal data. It has been criticised by many for its over-reliance on consent-based permissions, which some argue has led to a boom in box-ticking but little meaningful protection of citizens.
The government hopes to prioritise “innovative and responsible uses of data”, a spokesperson said, so that it can “boost growth, especially for startups and small firms, speed up scientific discoveries and improve public services.”
Any future data regulation will also be aimed at convincing other nations that the UK’s data protection is adequate by their own standards, to allow for free and easy transfer of information across international borders. The government announced six target nations for such adequacy agreements, including the US, South Korea and Australia.
Eduardo Ustaran, a co-head of the global privacy and cybersecurity practice at the law firm Hogan Lovells, said Edwards’ appointment boded well for the government’s plans.
“The UK is starting to show that there is room for diversion from EU data protection law whilst still retaining the GDPR as a framework. What this means in practice is that the way in which international data flows are approached is not identical to the way the same data flows are treated in the EU, but this doesn’t necessarily mean that the protection is going away,” Ustaran said.
“What the UK government is testing is our ability to recognise that the protection of personal data around the world comes in different shapes and forms, but can still be effective. The appointment of John Edwards as the next information commissioner is a vote for no-nonsense and pragmatism for the future of data protection regulation.”