NHS would be hit by 'significant' costs if UK loses EU data status, warn Lords
As another government yet again seeks to reform UK GDPR, legislators say data must continue to flow
UK lawmakers have warned the government that if it doesn't continue to harmonize its post-Brexit data rules with the EU, the consequences could be dire.
A cross-party committee of the House of Lords – the UK's upper house – said businesses and organizations such as the NHS would be hit by "significant" extra costs and red tape if the UK loses the right to exchange citizens' personal data seamlessly with the EU.
After the Brexit vote in 2016, the UK left the EU in a practical sense at the end of 2020, when a transition agreement ended. However, it copied some EU laws over more or less like-for-like. For example, the Data Protection Act (DPA) of 2018, the country's implementation of the EU's GDPR, became UK GDPR from January 2021.
Later that year, the UK was given an "adequacy" ruling allowing data sharing between the two jurisdictions and, while the previous government proposed new data protection laws, it did not get them through Parliament before the general election in July.
In a letter to the new Labour government, the European Affairs Committee chair, Lord Ricketts, said failure to continue with a data adequacy arrangement would "raise new barriers to international trade and economic cooperation, and to trust in the UK's digital economy, running counter to the government's objective of boosting economic growth."
The UK's adequacy status is set to expire in June 2025, before which the EU will review the decision.
In notes published along with the King's Speech [PDF], the government proposed yet more data protection legislation in the form of the Digital Information and Smart Data (DISD) bill. It talks about harnessing the "power of data for economic growth." It also promises data will be "well protected," and the Information Commissioner's Office will be "modernized" with greater powers.
The Open Rights Group, meanwhile, has criticized parts of the DISD bill proposal as seemingly taking "the changes to the regime that regulates the use of data for scientific research straight from the [Data Protection and Digital Information] bill, a move that risks reigniting the widespread controversies that accompanied the UK data protection reform under the Conservative government." It said in August that this would "threaten public trust," quoting from a Royal Society paper on the implications of post-Brexit divergence from GDPR for data access and scientific research in the UK.
In a statement, Lord Ricketts said: "The UK faces a potential cliff-edge in June 2025 unless agreement is reached with the EU on the continued free flow of data. The safe and effective exchange of data underpins our trade and economic links with the EU and cooperation between our law-enforcement bodies.
"The loss of data adequacy would create new barriers and run completely counter to the government's ambitions to grow the economy and reset relations with the EU. We recommend that reaching timely agreement on data adequacy should be integral to the reset, and the government's top data protection priority."
He added that while the UK's current GDPR regime is far from perfect, there is scope to reform and improve it without jeopardizing the UK's adequacy status. ®