On 10 September last year, the UK’s Department for Culture, Media and Sport published a proposal to streamline GDPR drastically. No more “record of processing activities”, “data protection officer” or “impact assessments”. All these pillars of the so-called “accountability framework” would disappear. In their place, a system of “privacy management programs” would be introduced: flexible and customisable depending on your business activity.
So why make this announcement with the ink on the “adequacy decision”, enabling free EU-UK data transfers, not yet dry? Is this a new instalment in the ongoing geopolitical struggle over data flows between governments and the tech giants? Or, more prosaically, an example of post-Brexit pragmatism where flexibility for business is prized above all else?
The GDPR-maximalist position taken by the Court of Justice of the European Union on international data transfers, in its now-famous Schrems II judgement of July 2020, has created something of a legal minefield in a globalised economy characterised by the interdependence of systems and infrastructure, not to mention Europe’s dependence on American technology. Thus, in its September proposal, the UK Government underlined its “disappointment” with Schrems II and stated its intention to take a “risk-based” approach to data transfers “based more heavily on an assessment of the real-world outcomes of data protection regimes rather than on a largely textual comparison of another country’s legislation with the UK’s legislation.”
For its part, the French data protection regulator recently served notice that it intends to apply the Schrems II principles in practice, issuing an official warning to a website publisher which used Google Analytics. The regulator’s view was that this implied a transfer of personal data to the United States, and that the transfers were “illegal” because the data was insufficiently protected. This followed a French government communication last year stating that the use of Microsoft Office 365 by public sector organisations was incompatible with its “Cloud au centre” doctrine, which holds that messaging and other office tools should be hosted on a cloud service which is protected from non-EU regulations. Elsewhere in Europe, the Lithuanian Deputy Defence Minister has advised citizens not to purchase Chinese smartphones and to “get rid of those already purchased as fast as reasonably possible”.
Are decisions and announcements of this kind about digital sovereignty or economic patriotism? There is perhaps a certain hypocrisy, or at least wishful thinking, at play: we forbid the use of technology but then carry on using it because there are no alternative solutions.
At the same time, management teams in both private and public sectors are confronted with difficulties including the ongoing legal uncertainty surrounding data transfers, the administrative burden of keeping “data inventories” and the expense of data protection impact assessments. Meanwhile, end-users (in theory, the main beneficiaries of the protective regime installed by GDPR) are asked to consult privacy policies and accept cookie banners which are often incomprehensible to the layman.
On the other hand, it is universally accepted that effective management of data is an essential aspect of organisations’ digital transition, a lever for creating value and innovation and a prerequisite for the development of AI technologies.
Given all the above, perhaps the real question behind strategies of economic intelligence or economic patriotism in Europe is the need to ensure the availability and the usability of data as a raw material for technological progress, while maintaining the protection of personal data as guaranteed (or at least envisaged) by European legislation and case law.
It is therefore perhaps not surprising that the UK is positioning itself as a “global hub for the free and responsible flow of personal data”, inspired by jurisdictions such as Singapore, Australia and Canada, which have “accountability frameworks that are more flexible and risk-based” than GDPR. With this objective in mind, the British government seems ready to risk the UK’s “adequacy” status, granted by the European Commission in June 2021 and amounting to a green light to transfer personal data from the EU to the UK. This status could be reconsidered if the UK does implement the far-reaching reforms announced in September.
In any event, notions of digital sovereignty or autonomy have to some extent been undermined by the intensification of cyber-attacks following the pandemic, the vulnerability of technical infrastructure (for example, the fire at the OVH data centre in Strasbourg in April 2021) and Europe’s continued dependence on US technology. Faced with the sheer intricacy of our interconnected economies, interdependence should be accepted as a built-in feature to be managed accordingly (denial not being a viable option).
In this context, it appears that the real fundamental questions of data availability and digital interdependence have been largely set aside: what status do we apply to personal data? Is data a consumer good, is it public property or is it an extension of the personality of the individual?
For this reason, the UK’s projected reform is a trial balloon whose progress should be of close interest to the EU. It is not a case of scapegoating GDPR, or of embracing ultraliberalism. The spirit of GDPR (accountability of the actors in the data processing chain and the consecration of the individual’s right to informational self-determination) is evidently to be welcomed and preserved. Instead, there is arguably a need, in practice, to identify the right balance between soft law, ethics, and regulation.
This requires a granular approach which prioritises certain categories of personal data. The existing legal regime for health data is evidence that the need to adapt the level of protection to the sensitivity of the data being processed is already broadly accepted. Ideas could usefully be borrowed in this regard from the notion of corporate social responsibility, with its increasing emphasis on online privacy.
In summary, short of attempting to create French or European data sanctuaries, a more realistic approach is perhaps to accept and manage our digital dependencies in a world of platformisation where future developments may include both radical decentralisation and the advent of the metaverse. With GDPR, we Europeans were the first to attempt to address citizens’ inevitable concerns about online privacy in a comprehensive regulatory framework. Today, we should try to be the first to implement these data protection principles, while encouraging the circulation and exchange of digital assets.
However, while pursuing this aim, there is a clear risk that Schrems II and its impacts will discredit GDPR. Unless a more rational approach is adopted, based on an analysis of the actual risks and facilitated by clear guidelines from the relevant national and EU bodies, there is a risk that businesses will simply stop trying to comply with the regulation.
It appears that the UK has come to a similar conclusion with its proposed reform package. From a European viewpoint, it is not a matter of joining a race to the bottom but rather of finding a way out of a regulatory impasse, taking into account an approach by our neighbours which seems to contain elements of good sense.
Rather than building walls around our personal data, we should perhaps aim to overcome transatlantic misunderstandings and benefit from the efficiency of digital value chains. European organisations must be able to offer their users sustainable and trustworthy digital solutions, developing resilient strategies with common standards, where interoperability and reversibility are the norm. It is a question of valuing data as a vital asset, respecting the common values of our citizens and our societies within a regulatory framework which is adaptable and resilient. Compliance with this framework should enable European organisations to secure and develop their business models, whether that involves reducing carbon emissions from digital activity, protecting personal data or preserving the sovereignty of our infrastructure.
By France Charruyer and Nicholas Cullen, Partners, Data Protection