- Solicitors For Business
- Solicitors For You
- About Us
- News & Events
GDPR Adequacy Decisions and the Only TIGRR1st July 2021 Commercial Litigation
The European Union this week confirmed the data adequacy decision for the UK under the General Data Protection Regulations. This means that the personal data of EU residents can be freely transferred for processing in the UK. This was already the case due to the interim arrangements entered into as part of the withdrawal deal but this adequacy decision makes the position more permanent. However, notably they have also taken the unusual step of putting a sunset clause in the adequacy decision which means it expires in exactly four years from being made if it is not renewed. The decision also came with a warning that it could and would be reviewed if the UK strayed too far from its current version of the GDPR, which has a high level of commonality with that being used by the EU.
Which makes the current approach of the UK government seem very odd. While welcoming the adequacy decision the UK government took pains to state that it was committed to entering into more adequacy arrangements as part of its trade deals and that it would be seeking to limit the burdens imposed by the GDPR on business. As I have discussed elsewhere this may not be a big deal as it first appears as much of what the government is saying it will do can be done within the framework of the existing GDPR.
More concerning is the recent report of the Prime Minister’s Taskforce on Innovation, Growth, and Regulatory Reform, known as TIGRR (not Tigger like in Winnie the Pooh). It has recently produced its final report which has a segment on data protection.
Rather than pussy-footing around I will come straight out and say that I think the ideas in this report on Data Protection are nonsense. The direction of travel is crystal clear from the title of the Data Protection section which is headed “Replace GDPR with a new UK framework for data protection”.
Frankly, it does not inspire confidence when the report goes on to talk about the “UK General Data Protection Regulation 2018”. There is no such thing. There is the EU General Data Protection Regulation and there is the Data Protection Act 2018. The UK modified the GDPR for its own use by way of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. I accept that this is a pedantic point but the GDPR is a detailed piece of regulation and if you are serious about engaging with and replacing it then that detail really matters.
The main criticisms TIGRR levels at the GDPR are similarly wrong. They say that the GDPR is “prescriptive, and inflexible and particularly onerous for smaller companies and charities to operate”. This is the exact opposite of the complaints and criticisms I hear in my work. Most organisations I deal with complain about the lack of clear rules within the GDPR and the fact that they are not totally sure how to deal with data. In fact, this lack of prescriptiveness is why there is so much guidance on it and why that guidance is so important.
A better criticism is the one made that consumers are not really able to effectively manage their data using the GDPR as they are presented with large and complex privacy policies with tick-boxes for consent. However, this misunderstands the GDPR. Consent can always be withdrawn and so individuals are able to come back and revise consents they may have unwisely given at any stage. The actual problem is that many organisations have not adapted their processes to deal with the GDPR and are still operating under a pre-GDPR system whereby they believe that they can seek consent and then operate largely as they please. A solution to this problem is not to replace the GDPR with something else which organisations then need to adapt to but rather to focus on better guidance and funding for the ICO so that it can help organisations to deal with consumers more effectively and provide advice and, if necessary, penalise those organisations that choose not to. The actual example given in the report is similarly misconceived. The report critics the creation of cookie consent boxes on websites with the statement that nobody considers them and people just agree. However, cookie consent has nothing to do with the GDPR, it is actually part of the Privacy and Electronic Communications Regulations (PECR), which is a quite different thing. It is also not really the point that people often choose to accept cookie consents. The fact is that they are being advised that they are accepting them and have the choice not to. The fact that many internet users are unconcerned about cookies does not mean that cookie consent is without purpose. In fact, large technology firms, which place many of the tracking cookies on computers, are starting to remove these technologies and to stop tracking people so closely, largely as a result of PECR and GDPR.
However, the most damning part of the TIGRR report is contained in one simple sentence. That is where it states that “The Government should use an approach to data based more in common law, so case law can adapt to new and evolving technologies such as artificial intelligence and blockchain”. This is simply rubbish. The GDPR itself is subject to case law as ultimately it is the Courts who decide if it has been breached. The ICO may produce guidance and have views on breaches but it can be challenged in the various information tribunals and ultimately in the Court of Appeal and Supreme Court. Likewise individuals can make claims under the Data Protection Ac 2018 against organisations for breach of the GDPR and those claims are heard in courts. Indeed, both types of these challenges have occurred and they have already altered our understanding of the GDPR. If it was to be removed then there would need to be some other statutory framework put in place for the courts to decide on. If, as TIGRR seems to suggest, that their solution is to just remove the GDPR allowing the courts to decide privacy and data protection matters and develop the law as they see fit then that is no solution at all. Given that the main engine for the courts resolving privacy issues has been the European Convention on Human Rights and the Human Rights Act it is surprising that the authors of this report, no friends of the ECHR should now be seeking to promote it as a replacement for the GDPR.
The government needs to be much clearer as to its proposals for the GDPR. An adequacy decision from the EU is welcome but the four year sunset clause provides little certainty for businesses that are accustomed to planning their data management strategies on much longer timescales. Rather than engaging in wildcard report writing which risks the loss of much-needed adequacy decisions it would be better to focus on completing the process of separating the UK GDPR from the EU. Rather embarrassingly the ICO is still highlighting large amounts of advice provided by EU bodies and is still using contractual clauses drafted by the EU to allow for data to be sent to third countries such as the USA. We should also focus on building robust data transfer protections and mechanisms into trade deals to allow for sensible data transfer that does not violate the terms of the EU adequacy decision. Risking cutting off the EU for data purposes for questionable data benefits is pointless. As I have said elsewhere trimming back the GDPR will also end up imposing a double burden on many companies as they will still have to comply with the GDPR for the handling of EU data and so would need to operate different systems for different data or alternatively, and more probably, they will simply continue to comply with the EU GDPR regardless of what the UK does.