Panel: UK Privacy Law Changes Shouldn't Stymie US, EU Data Transfers
U.K. data protection law revisions shouldn't cause friction with either the U.S. or EU, speakers said at an Atlantic Council Europe Center webinar Tuesday. Despite recent political changes in Britain, revising the country's privacy law remains a priority, said Jenny Hall, Department for Digital, Culture, Media and Sport deputy director. The government wants to champion cooperation with its international partners by improving on the EU general data protection regulation (GDPR), she said.
The new framework will be based on several principles, Hall said. It will re-emphasize the importance of data flows, with the secretary of state for digital, culture, media and sport given power to make flexible changes. The government will try to be as clear as possible about its approach and will focus more on the end result of cross-border data transfers than on the process. It will prioritize work with the U.S., Singapore, Dubai and several other countries, using its existing data protection regime as consistently as possible while taking a slightly new approach in the future, she said.
The U.K. doesn't see a need for friction with the EU and will work with it at the EU and bilateral levels, Hall said. It's already "deep in discussion" with the U.S. on trans-Atlantic data flows, with a lot of work happening behind the scenes. The U.K. supports EU-U.S. progress on a new data flow system to replace Privacy Shield, and is watching talks with interest, she said.
The proposed U.K. changes are relevant in the U.S. context, said Brookings Institution's Cameron Kerry: Elements in Britain's data strategy and legislative outline are consistent with what's being debated in the U.S. House. The American Data Privacy and Protection Act differs from the GDPR, and some of those differences align with what the U.K. is doing, he said. For example, the measure takes a risk-based approach with fewer record-keeping requirements than EU law.
The U.K. approach to data transfers is risk-based, while Europe appears to be having an increasing number of decisions against risk tolerance, such as in the Google Analytics case, noted Atlantic Council's Kenneth Propp. Asked whether that divergence could be a major factor in an EU decision on whether to grant adequacy to a new U.K. regime, Future of Privacy Forum Vice President-Global Privacy Gabriela Zanfir-Fortuna said the question is whether the data subject to transfers to third parties will have safeguards acceptable to the EU: The proposed risk-based approach will play a role.
When considering new privacy laws around the world, BSA|The Software Alliance looks at whether they allow responsible companies to provide their services and whether they offer a level of protection for individuals now expected in the EU and elsewhere, said Vice President-Global Policy Aaron Cooper. Interoperability among regimes is also critical, he said. There's no one privacy law around the world that everyone could point to and say, "this is perfect."
The U.K. legislation will introduce a new condition allowing the processing of special category data to monitor and correct algorithmic bias in AI systems, a Hogan Lovells legal analysis noted. The law will clarify the U.K. GDPR to state that automated decision-making isn't barred but carries certain safeguards, they wrote. On AI, the U.K. wants to give organizations more confidence about what is permitted, and individuals more certainty about how they will be protected, Hall said.