A new information commissioner will be put in charge of overseeing the transformation. John Edwards, currently the privacy commissioner of New Zealand looks likely to be given the nod to replace current supremo Elizabeth Denham. Dowden said: “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK.
“It means reforming our own data laws so that they’re based on common sense, not box-ticking. And it means having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation.”
The GDPR data protection rules introduced by the EU in May 2018 are part of UK law even after Brexit, under the Data Protection Act.
The regulation imposes strict restrictions on what data controllers can do with individuals’ personal data. It has been criticised by many for its over-reliance on consent-based permissions, which some argue has led to a boom in box-ticking but little meaningful protection of citizens.
Any future data regulation will also be aimed at convincing other nations that the UK’s data protection is adequate by their own standards, to allow for free and easy transfer of information across international borders. The government announced six target nations for such adequacy agreements, including the US, South Korea and Australia.
Eduardo Ustaran, a co-head of the global privacy and cybersecurity practice at the law firm Hogan Lovells, said Edwards’ appointment boded well for the government’s plans. He said: “The UK is starting to show that there is room for diversion from EU data protection law whilst still retaining the GDPR as a framework. What this means in practice is that the way in which international data flows are approached is not identical to the way the same data flows are treated in the EU, but this doesn’t necessarily mean that the protection is going away.”
Sebastian Jesson-Ward of Serviceteam IT said: “Any changes will be constrained by the need to offer a new regime that the EU deems adequate, otherwise data transfers between the UK and EU could be subject to restriction or frozen altogether”