The UK government’s post-Brexit appetite to ‘reform’ national privacy rules by reduce the level of protection surrounding personal data already has broader ramifications for the country’s tech ecosystem.
Last month, the Department of Digital, Culture, Media and Sports (DCMS) announced a consultation on lowering privacy standards – saying “simplified” rules would be a boon to business innovation.
Now a local scale up has exploded the consultation into a Exciting blog post – warning that any reduction in data protection standards will “certainly” harm its business in the EU and could even weaken its business in the US, given that a number of states (such as California) have already adopted laws similar to the European General Data Protection Regulation (GDPR)).
U.S. lawmakers on both sides of the aisle are also pushing for the passage of comprehensive federal privacy legislation. So, outside the UK at least, the direction in which personal data is moving is towards greater protection, not less.
But in the UK, ministers are eyeing the current high standards on data packaging and are looking for ways to reduce those protections – making a cursory claim that cutting privacy rights will be good for business.
What deregulation will certainly mean is increased legal uncertainty and risk to businesses – and potentially a lot of business losses as well.
In the blog post, Cronofi, a UK start-up founded in 2014 that sells a calendar API and scheduling platform for businesses, writes that it is preparing to prevent a nationwide deregulation bombshell from destroying its business – saying it will open a new business in the Netherlands and offer customers the option of contracting with Cronofy BV under Dutch law.
“This will become the new headquarters for all our data processing so that we can be under the supervision of the Dutch data regulator and therefore the EU,” writes CEO and co-founder Adam Bird. “Our new General Counsel who oversees all of this is Dutch.”
“How is Britain doing? Not very well, I’m afraid,” he adds, suggesting that the restructuring will also mean that Cronofy will end up reducing the level of investment it is making. in UK skills and jobs.
Bird is also not the only one to denounce the British proposal to demolish data protection rules.
While earlier this month, Ed Vaizey, the former minister of state in charge of DCMS (now Lord Vaizey), warned that the UK must stay aligned with the GDPR – or face “catastrophic” consequences for the economy and people. digital businesses.
“The UK had a big influence on how data protection law was crafted when we were a member of the EU, so I think it’s a little strange that we have to move away from that legislation, “Vaizey told TechCrunch last week.
“You don’t want a position where you make yourself vulnerable to attacks from the EU to say that your data protection regime is not adequate and therefore we cannot have cross-border data exchanges – this would be disastrous. So whether we like it or not, we will have to stay in tune with the European Union to some extent. “
However, even political noise coming from DCMS seems to hurt UK Plc.
In his blog post, Bird describes Cronofy as “a truly global company” – a company headquartered (currently) in the UK but with 55% of revenues split in the US, 25% in the EU , 9% in the UK, or 91% of revenue from scaling. comes from exports.
“EU GDPR law has not hindered our business in the US and in many cases has been a benefit,” he continues. “Having to deal with data privacy requirements since the inception of the company gives us a clear advantage as US businesses realize they need to protect people’s information. “
Before Brexit was ‘over’, Bird says a ‘significant’ number of EU customers were already worried about what the UK’s departure might mean for their data (sensitive timeline) and relationships with his business.
“We will always do our utmost to protect people’s private data. However, we were making these claims against the backdrop of the UK government’s demagoguery in the name of ‘strong negotiation’, even as they voted to infringe international law, “he continues, saying that even before the end of the transition period, customers were not convinced Cronofy would be able to deliver on their word or that the UK government would bother to enforce compliance even whether it kept the same data standards on paper. “More importantly, they couldn’t reassure their end users,” Bird adds.
Government rumors about ‘simplifying’ UK data protection standards are the ‘last blow’ for Cronofy.
In the consultation document, DCMS talks about carrying out “reforms to create an ambitious data protection regime, favorable to growth and innovation” while “maintaining[ing] high standards of data protection without creating unnecessary obstacles to responsible use of data “- but there is no doubt that the aim of the proposal is to remove the layers of protection.
Ministers are considering, for example, extended legal permissions allowing companies to use data for ‘innovation’ purposes, whatever that might mean (hint: anything) – and consultations on removing the need individual consent to process certain types of data, among other potential changes to the UK version of the GDPR.
The government is also considering completely removing a provision that gives people a right to review purely automated decisions that have legal / equivalent impact.
(And on this front, the professional body BCS, aka The Chartered Institute for IT, today warned against such a drastic step – suggesting in a blog post that greater clarity of the existing provision would be the wisest policy than keeping it exactly as it is. or delete it completely.)
“With the recent announcement by the government of the changes it wants to make to UK data privacy legislation, it appears these fears were well founded,” Bird writes, sounding the alarm bells on the direction of UK data policy.
“He wants to move to a ‘do and ask permission’ model, driven not by the benefit of mankind but rather by business interests. Whatever we say to our clients about how Cronofy approaches privacy and controls data, the corresponding application will not follow.
“We can protest against ISO certifications, data management controls, hosting segmented data. However, potential customers will not necessarily go that far as we will be discounted based on our location. I don’t blame them. Data protection is cumbersome and complicated. Why even take the risk of going with a supplier from outside the EU. “
If the UK’s level of protection is lowered, the immediate risk is that the UK will lose a key data flow agreement with the EU – which has only just been put in place now that it is under way. is a so-called “third country”, in European terms.
UK businesses with customers in Europe rely on this EU’s “data adequacy” agreement for proper operation, as it allows personal data to flow freely from the bloc to the UK. revoke the arrangement signed this summer.
The data feed agreement already includes a sunset clause, which means there will be an automatic review of UK standards in 2025.
“This national act of self-harm will have ramifications for decades to come,” Bird warns. “It turns out that Project Fear [as Brexit supporters dismissively dubbed objections to leaving the EU by those that wanted to remain], was actually Project Fact.
“Instead of seeing it as a warning of something to be avoided, the UK government seems to have viewed it as an outcome to be exceeded. Although it is isolated, Cronofy being collateral damage is not important. we face is a worrying omen for the UK and its relationship with the rest of the world.
“I expected and wanted to make Cronofy a leading UK company. Joining the EU has given us an enviable platform to do this and, in turn, to reinvest this success in the UK.” he adds, stressing his view that UK government policy has left Cronofy with little choice but to restructure its activities so as to put the EU at the center of the action.
DCMS has been contacted for a response to Bird’s blog post.
A government spokesperson sent us this statement:
“We are not weakening UK data protection rules. We are consulting on reforming our data regime to encourage innovation and improve public services.
“All proposals will build on the UK GDPR, with people continuing to benefit from the highest data protection standards and with increased corporate responsibility to protect their personal information. “
On the economic arguments for reforming UK data protection rules, the spokesperson said this was described in the Analysis of the expected impact report on gov.uk – but also said the analysis remains open for consultation, the official adding that the government is seeking additional information to robustly quantify impacts, including on trade, as it builds a more detailed case.
DCMS also told us that the consultation process was meant to spark discussion, pointing out that it had not yet introduced legislation – and saying it would not do so until it collected a range. full of views and engaged interested parties.
For a glimpse of the future that awaits UK startups if government “reforms” end up setting UK data adequacy status on fire, see the Complex guidance from the EDPB on transfers to third countries. And get ready to increase your budget for legal fees.
This report has been updated with a response from DCMS