Change at the head of data protection regulation in the UK could herald a shake-up and a relaxation of the current rules around personal data.
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has taken a belt-and-braces approach to data protection since the implementation of the GDPR in 2018. With the announcement that it will soon be headed up by the former New Zealand Privacy Commissioner John Edwards comes change, starting with cookie pop-ups.
It appears that the government and the soon-to-be head of the ICO are looking to take advantage of their newfound freedom to manage data rights as they see fit, independent from EU scrutiny, and have stated that there would now be a balance between protecting rights and promoting “innovation and economic growth”.
The uncertainty here is what effect this will have on the adequacy decision made by the ICO, and how this will affect your business.
So, what is an adequacy decision? The transfer of personal data outside the EEA, which is usually a ‘restricted transfer’, is permitted where the EU has found that country’s data protection and privacy regime to be ‘adequate’ and in line with the strict controls of the EU General Data Protection Regulation 2016/679.
The UK has had a post-Brexit adequacy decision with the EU since 30 June, but this can be revoked at any time without notice. If the changes made by the new Information Commissioner deviate substantially from the principles of the EU GDPR, the EU may decide to revoke its adequacy decision, which will have a significant impact upon the freedom to share data between UK- and EU-based businesses.
In any event, any British business without an EU establishment which provides goods or services to individuals in the EU will still need to take steps to comply with EU data protection laws, regardless of changes made to UK data protection laws by the new Information Commissioner. This means that, in practice, many will still need to ensure they comply with both UK and EU legislation.
Non-EU adequacy decisions?
Although the term adequacy decision applies strictly to the EU GDPR, it appears that the government is looking to use a similar term, ‘data adequacy partnerships’. This term is being used to describe arrangements with countries outside the EU that the UK deems to have adequate data protection legislation to allow for the transfer of personal data.
The government has outlined the key countries with whom it will prioritise striking these data adequacy partnerships. Unsurprisingly, these are key British allies and trading partners such as the United States, Australia, Korea, Singapore, and Dubai.
This is welcome news to a large number of UK businesses who rely on US service providers that often process personal data on their behalf. Since the EU-US Privacy Shield collapsed, companies have found it difficult to find a lawful basis upon which to transfer personal data to the US and have had to jump through a number of contractual hoops in order to do so.