Browsers could face two regimes in Europe as UK law set to diverge from EU
British government wants to boost innovation but lawyers warn of risk to adequacy ruling
Browsers will need to satisfy two different data regimes in Europe under UK legislation proposed to replace EU laws.
The British government has promoted its approach as a way of easing the burden of cookie consent on website users, but the new law could be challenging for browser builders wanting to comply with both EU and UK regimes, which currently come under the General Data Protection Regulation (GDPR).
The UK Bill, set to be debated in Parliament, says that websites won't need to obtain users' consent to "collect information for statistical purposes" about how a website or service is used "with a view to making improvements to the website".
However, it also offers web users the right to opt in or out of cookie tracking at a browser level.
Jonathan Kirsop, partner and head of information law with Pinsent Masons, said: "It could help users to rid themselves of the countless consent requests they receive while browsing the internet. Implementing such an approach would not be straightforward, however, as it would be hard to argue that any general consent given by users satisfies the EU GDPR's requirements. Businesses providing browsers or publishing websites across Europe would need to grapple with two very different regimes."
The Conservative government says it wants to make data protection law more flexible and allow data sharing with other nations while maintaining its data-sharing deals with the EU, the so-called adequacy arrangement with the UK's largest trading partner.
"We now have the opportunity to seize the benefits of Brexit and transform the UK’s independent data laws. We have designed these new updates to our data protection framework so it works in our interests, protects our citizens, and unburdens our businesses," said Matt Warman, minister for media, data and digital infrastructure, introducing the Bill.
"Through this Bill we will realise the opportunities of responsible data use whilst maintaining the UK's high data protection standards. The EU does not require countries to have the same rules to grant adequacy, so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area."
But Kirsop said the proposals could put adequacy at risk, making life harder for businesses sharing personal data between the UK and the EU.
"The proposals could be viewed as diverging sufficiently from the EU GDPR to threaten the UK's adequacy status, something which could potentially plunge global companies back into expensive and cumbersome remediation programmes less than five years after they conducted extensive work to comply with the GDPR before it took effect," he said.
On the other hand, "those seeking a substantial streamlining of requirements and the removal of obstacles to innovation and business, whether perceived or real, may feel the Bill does not go far enough," he said in a blog.
The Bill follows the government consultation, "Data: a new direction" [PDF], which provoked concern when it opened debate on removing the right for individuals to challenge automated decisions made about them.
As AI-based decision making becomes more popular in applications from healthcare to financial services, campaigners challenged proposals to remove these rights, set in EU law, given the potential flaws in AI, including biased training data.
The Bill set before Parliament reframes the argument around challenges to automated decisions. It creates a right to "human intervention" in decision making, but it is set only to apply to "significant" decisions, rather than decisions that produce legal effects or similarly significant effects, Kirsop said.
The proposed laws also get rid of the requirement for businesses to carry out a Data Protection Impact Assessment and substitute it with the need to carry out an assessment of high-risk processing, the details of which are yet to be defined.
The Bill also proposes changes to how the government works with the Information Commissioner's Office (ICO), the data protection watchdog. Open Rights Group executive director Jim Killock said the changes would put ministers in charge of the ICO and unleash a new wave of police surveillance powers.
"British businesses will be sweating as they try to get their heads around another costly and expensive change to the regulatory regime," he said. "This Bill will scrap important protections from prejudice and bias afforded to women, workers, patients, migrants, ethnic minorities, and vulnerable people and communities, and everyone else."
MPs will next consider the Bill at Second Reading, which is likely to take place in September. ®