sdecoret - stock.adobe.com
News about tech wars and data protectionism highlights the geopolitical nature of technology and data in today’s global economy.
Given the different national interests and socio-economic norms involved, it is unsurprising that some resist data accessibility while others seek interconnectivity. It is within this shifting sand that companies navigate “on the ground” implementation of compliance measures and governance processes, which often involves working within multiple, divergent data regimes globally.
The UK government’s strong statements about “unlocking data flows” and removing “box ticking” compliance do not mean that the UK is ushering in a new data free-for-all. Removing ambiguity to encourage responsible data handling and innovation is the priority – but the UK must be very careful not to undermine its global credibility.
Last month, the UK government laid out bold plans to establish the UK’s post-Brexit data strategy. The announcement envisions the UK leading digital trade globally, increasing international data partnerships and removing “unnecessary” barriers to international data flows.
These detailed explanations focus on reducing ambiguities and barriers to responsible innovation.
Data protection is, in some ways, about creating barriers to protect data. One barrier is bordering data flows to maximise its protection as it flows around the world. The European Commission recently issued a decision that allows data to flow to the UK from the EU without restrictions. That “adequacy” decision is based on the UK’s data regime being essentially equivalent to the EU’s.
Naturally, there is concern that these changes could threaten that hard-won adequacy and cause huge headaches for companies (and their technologists) that have previously benefited from relatively free-flowing data transfers between the UK and the rest of Europe.
Digital trade focus
The UK’s announcement is particularly fascinating in reframing the data debate around digital trade and responsible innovation.
The plan fully recognises that data is a trade asset, with data exports to non-EU countries valued at about £80bn every year. The UK is prioritising partnerships with data players like the US, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Columbia.
In a second phase, the UK will seek to prioritise India, Brazil, Kenya and Indonesia. That is noteworthy, particularly because there is a pursuit of partnership with countries that are leading the next wave of responsible and accountable data use globally.
A third way?
The government estimates the reforms would deliver a net benefit of £1.04bn over 10 years.
Some accuse the UK government of deregulation in pursuit of commercial interests at the expense of individuals. However, we must question the underlying assumption that simplifying requirements inevitably lowers standards.
The UK government is raising the valid issue that the “how” of doing the “right thing” isn’t always obvious under the myriad of global data protection laws.
And appearing to do the right thing doesn’t mean the right thing is being done.
Take cookies – those data files that store personal information of varying degrees of sensitivity. Sometimes cookies are used in ways that people don’t expect, like targeted ads or cross-platform monitoring. Sometimes there are more important things we worry about. Generally, people will be less concerned when a cookie is used to let them use a website.
Since the e-Privacy Directive and General Data Protection Regulation (GDPR), tech teams have been relentlessly subjected to requests to implement pop-ups or web blockers, which can impede user experience under the guise of protecting their data if not implemented thoughtfully.
Companies are afraid of not complying with privacy or cookie requirements, so some end up adding obstructive banners or layering notices in a way that ends up confusing or frustrating people regardless of the sensitivity of the underlying data processing.
We do not see a world where cookie transparency will disappear. This would not be any real solution for multinational businesses that will need to comply with rules outside of the UK and inspire trust from the people whose data they handle.
But is there a “third way”? Can we have both transparency and simplicity?
The UK’s data regulator, Elizabeth Denham, says “no single country can tackle this issue alone”, calling on the G7 members’ convening power to find practical solutions. A global perspective must be taken. And this is the common ground that data authorities from Canada, the US, Germany, Italy, Japan, the US and the UK agreed on at the recent G7 data meeting.
The government says approximately 40% of UK businesses report lacking certainty on key definitions in the UK’s data protection regime, what people’s data rights are and how and when to report a breach.
However, formalising data partnerships and updating the UK’s data rules will not be straightforward.
Clearly, the UK should not prioritise innovation and commercial interests at the expense of meaningful regulation, but the objectives of creativity and keeping people safe are not mutually exclusive. The real challenge is how to appropriately combine these objectives while maintaining the trust of both individuals and overseas data protection authorities whose decisions will be key in determining whether the aim of simplifying data transfers can be achieved.
John Edwards, the proposed next UK privacy chief, has his sights on this prize. He has stated before UK Parliament that there needs to be a “very muscular and assertive regulator to protect rights” as failing to do so could lead to a lack of trust.
How do we tackle this?
Targeted intervention will be a key part of the UK’s strategy. The UK’s age-appropriate design code, which came into force this month, is one example of the UK identifying areas that really matter and taking a position that drives change globally – in this case in relation to the protection of children online.
So too will be listening to the public and to those dealing with compliance realities – making the government’s plan to consult before acting is the right next move.
The UK can’t afford to get this wrong – the world is watching.
Rita Flakoll is global head of tech knowledge and Herbert Swaniker is senior associate at Clifford Chance.