[This post was updated on 01.08.16 to include a comment from the ICO]
The mysterious case of the vanishing ICO post-Brexit statement
On 24 June, as 48% of the UK was holding its head in its hands and wondering what the hell the other 52% had done, the Information Commissioner’s Office (ICO) issued a statement. It said
If the UK is not part of the EU, then upcoming EU reforms to data protection law would not apply directly to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.
I have a screenshot of the statement:
Why a screenshot? Well, because if you follow the url for the page in question (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/06/referendum-result-response/) it now redirects to a different page, containing an “updated” statement from former Commissioner Chris Graham:
Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK.
With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.
Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.
One notes that references to adequacy, and equivalence with the General Data Protection Regulation, have disappeared. And one wonders why – does the ICO now think that a post-Brexit UK would not need to have equivalent standards to the GDPR? If so, that would certainly represent a bold position. In a response to a request for a comment an ICO spokesperson informed me that
We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position
I’m grateful to them for this, and it is in itself very interesting. Privacy Laws and Business recently informed their news feed subscribers that the government is keen to hear from stakeholders their views on the future of the UK data protection regime, so maybe everything is up for grabs.
But a fundamental point remains: if the EU (and indeed the CJEU – see Schrems et al) currently has exacting data protection standards for external states to meet to secure trading rights, realistically could the UK adopt a GDPR-lite regime? It strikes me as a huge risk if we did. But then again, voting for Brexit struck me as a huge (and pointless) risk, and look what happened there.
Ultimately, I’m surprised and disappointed the ICO have resiled from their initial clear and sensible statement. I would have preferred that, rather than “noting the debates” about post-Brexit data protection, they actually directed and informed those debates.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
3 responses to “An adequate response to Brexit?”
The issue raised seems completely conversant with the way data protection has developed over the years together with other newer and ongoing issues within the wider environment.
1. Any stated purpose data was collected for has historically been seen as a costly constraint adding undue burdens to potentially advantageous developments.
2. Big data cannot see any need for applying the constraint of fair obtaining, but a need for a type of purpose becomes visible, otherwise what use is it.
3. Many constraints of the human rights act are seen as problematic in many areas.
4. The constraints of membership of the European community are seen as problematic by many.
Those few examples all have one commonality – self interest outweighs any common interest.
Interestingly all societies frequently require self interests to be exercised in some way to support the community, something reflected in languages by their everyday uses of the word selfish.
Was the IC’s changing response not reflective of those same issues. (Your own perspectives should reveal how the above applies most appropriately.)
When viewed externally what message does UK society provide regarding the ongoing direction of social change.
What other difficulties will that cause data protection, and what will be its strengths.
Pingback: Any last requests? – 2040 information law blog
Pingback: Brexit, GDPR and data diplomacy, For the record, in name of transparency. - Studio Privacy