The UK government’s Brexit appetite to “improve” domestic privacy rules by reducing the level of security that wraps people’s data is already having massive implications for the country’s tech ecosystem.
Last month the Department for Digital, Culture, Media and Sport (DCMS) announced a consultation to ease privacy standards – claiming that “simplified” rules would be a boon to business innovation.
Now large scale consultation at a domestic level has led to a provocative blog post – warned that any reduction in data protection standards would “definitely” harm its EU business and could even undermine its US business, noting that many states (eg California) have already passed laws similar to Europe’s General Data Protection Regulation (GDPR). .
US lawmakers on both sides of the aisle are now pressing the case to pass comprehensive federal privacy legislation. So – outside the UK at least – the direction of travel on personal data is towards more security, not less.
But inside the UK, ministers are keeping an eye on the current high standards that wrap data and looking for ways to downgrade those protections – making a superficial claim that reducing privacy rights would be good for business.
What regulation would certainly mean would be legal uncertainty and risk to businesses – and potentially a lot of lost businesses as well.
In a blog post, UK startup Chronofy, founded in 2014 that sells a calendar API and scheduling platform to enterprises, writes that it is preparing to stop the domestic regulatory bomb that is weighing down its business – saying that This will open a new company in the Netherlands and give customers the ability to contract with Kronofy BV under Dutch law.
“This will become the new headquarters for all of our data processing so that we can remain under the watch of the Dutch data regulator and thus the European Union,” writes CEO and co-founder Adam Bird. “Our new general consul overseeing all this is the Dutch.”
“How does the UK get out of this? Very well I am not afraid,” he said, suggesting the restructuring would also mean Kronofy would reduce the level of investment in UK skills and UK jobs.
Bird isn’t the only one blasting the UK’s proposal to break data protection rules.
The UK’s newly appointed Information Commissioner, John Edwards, defended the current data protection rulebook in a pre-appointment hearing with MPs, describing the UK’s GDPR as a “how-to” last month.
Whereas, earlier this month, former DCMS (now Lord Vizzy) minister of state Ed Vizzy warned that the UK must remain in alliance with the GDPR – or face “disastrous” consequences for the economy and digital businesses .
Vazzy told Nerdshala last week, “The UK was very influential in how the data protection law was drafted when we were a member of the European Union, so I think it is a bit strange that we have to stay away from that law.” needed.”
“You don’t want a situation where you make yourself vulnerable to attacks by the EU, to say that your data security system is not adequate and therefore we cannot have cross-border exchange of data – this So whether we like it or not, we have to keep in lock-step with the EU to some degree.
However policy voices emanating from DCMS are also hurting UK plc.
In his blog post, Bird describes Cronofy as “a truly global company” – one that is (currently) headquartered in the UK, but with a revenue split of 55% US, 25% EU, 9% UK. This means that 91% of the scale-up’s revenue is from exports.
“EU GDPR legislation has not harmed our US business and in many cases has been an advantage,” he continues. “Facing data privacy requirements from setting up business gives us a distinct advantage as American companies wake up to protect people’s information.”
Before Brexit was “done”, Byrd says a “significant” number of EU clients were already concerned that the UK’s departure for their (sensitive calendar) data and relationship with their business what could mean.
“We will always do our best to protect people’s personal data. However, we were making these claims against the backdrop of the UK government’s magnanimity in the name of ‘strong dialogue’, even as they voted to break international law,” he adds, during the transition period. Even before the end customers didn’t believe Chronofy would stick to its word or that the UK government would bother to enforce compliance, even if it kept the same data standards on paper. He couldn’t give that assurance to the users,” Bird says.
The government’s noise about “simplifying” UK data protection standards is now the “last straw” for Kronofy.
In counseling documentIn , DCMS talks about making “reforms to create an ambitious, growth pro and innovation-friendly data security system”, while “maintaining”[ing] High data security standards without creating unnecessary barriers to responsible data use” – but there is no doubt that the proposal aims to remove the layers of protection.
For example, ministers are considering detailed legal permissions for businesses to use the data for “innovation” purposes, whatever that may mean (hint: anything) — and to process certain types of data. are consulted to remove the need for individual consent to Revisions to the UK’s version of the GDPR.
The government is also eyeing the complete removal of the provision that gives people the right to fully automatic review decisions.
(And on that front, professional bodies BC, aka The Chartered Institute for IT, today warned against such a drastic move – suggesting in a blog post that increasing the clarity of the existing provision would be compared to fine-tuning it or dumping it altogether. I would have a more prudent policy.)
“With the government recently announcing changes to UK data privacy law, it appears those fears were well-founded,” writes Bird, sounding the alarm towards the UK’s data policy direction.
“It seeks to move towards a ‘do and ask permission’ model driven by commercial interests, not for the benefit of mankind. What Cronofy says to its customers about data privacy and control, not complying with enforcement.” Will be done.
“We can make our protest about ISO certification, data management controls, fragmented data hosting. However, potential customers may not necessarily be that far away as we will be given a discount based on our location. I don’t blame them. Data security is difficult and complex. Why even take the risk of going with a provider outside the EU. “
If the UK’s level of security is downgraded, the immediate risk is that the UK will lose an important data flow agreement with the EU – which has just been implemented that it is a so-called “third country” in the context of the EU. Is.
UK companies with customers in Europe rely on this EU “data adequacy” agreement to run smoothly as it allows personal data to flow freely from the block to the UK but if UK law If the assessment is no longer equivalent, the European Commission has said it will cancel the arrangement signed this summer.
The data flow deal already includes a sunset clause – meaning there will be an automatic review of UK standards in 2025.
“This national act of self-harm will have implications for decades to come,” warns Bird. “It turns out that Project Fear [as Brexit supporters dismissively dubbed objections to leaving the EU by those that wanted to remain], was actually project fact.
“Instead of taking this as a warning to avoid something, the UK government has taken it as a consequence of crossing over. While in isolation, Kronofy is insignificant due to the collateral damage being caused. What we are facing is A worrying sign for its relations with the UK and the rest of the world.”
“I was hopeful and wanted to make Chronofy into a world-beating, UK company. EU membership gave us an important platform to do that and, in turn, invest that success back in the UK,” he said. Underscoring the point, the UK government’s policy has left Cronofy with little choice but to reorganize its business in a way. Which keeps the European Union at the core.
DCMS was contacted for a response to Bird’s blog post.
An official spokesperson sent us this statement:
“We are not diluting UK data protection regulations. We are consulting on reforming our data regime to encourage innovation and improve public services.
“Any proposal will build on the UK GDPR, with people continuing to enjoy the most robust data protection standards and with a reinforced responsibility on businesses to keep personal information safe.”
On the economic matter for reforming UK data protection rules, the spokesperson claimed that it is described in expected impact analysis report on gov.uk — but added that the analysis remains open to consultation, the official said the government is seeking more information to firmly measure the impacts, including trade, as it makes a more detailed case.
DCMS also told us that the consultation process is intended to spark discussion, emphasizing that it has yet to introduce legislation – and that it will not do so until it has thoroughly gathered views Taxes and does not get involved with interested parties.
For a glimpse of the future that awaits UK startups, whether government “reforms” end the UK’s state of data adequacy, see the EDPB’s complex guidance on transfers to third countries. And prepare to flatten your legal spending budget.
This report was updated with a response from DCMS