On 25th August, the DCMS Secretary of State announced a number of measures to ‘unleash the power of data’.
The announcement sets out HMG plans to make international data transfers more seamless, confirming the UK’s near and longer-term priority partners for new UK adequacy arrangements. HMG near term priorities countries are the United States, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia.
The announcement is accompanied by a Mission Statement on the UK’s approach to international data transfers, the UK Adequacy Manual which provides technical detail on how adequacy assessments are conducted, and a call for experts to a new International Data Transfers' Expert Council. The full suite of materials and details of processes used by the International Data Transfers team can be found on the Gov.UK website.
The announcement names the UK Government's preferred candidate for the next Information Commissioner as John Edwards.
The announcement trails the government’s intention to consult on reforms to the UK’s data protection regime in the ‘coming weeks’.
The importance of maintaining the EU-UK data sharing agreement
The Government has been clear that data reforms are a post-Brexit priority. Therefore, yesterday’s announcement on data reforms does not come as a surprise, but it is concerning. Any reforms which jeopardise the future of the EU-UK data sharing agreement cannot be countenanced.
Maintaining the EU-UK data sharing agreement is vital to make sure both the UK and EU health sectors can function properly. The agreement is instrumental to addressing cross-border health threats such as COVID-19, enabling the movement of professionals and facilitating crucial research, development, and cooperation. Crucially, the agreement also provides the conditions for UK and EU researchers to co-operate on clinical trials and other health research, and in turn, save and improve lives.
The risk of departing from the EU GDPR regime
Without seeing the detailed data reform proposals, it’s very difficult to ascertain whether and how concerned the NHS and UK health sector should be. However, if the government decides to adopt the recommendations on data protection as set out in the independent report from the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) then we should be very concerned for the future of the EU-UK data sharing agreement. The TIGRR goes as far as recommending that the UK replaces the UK GDPR with a new, more proportionate UK Framework of Citizen Data Rights. This would mean a departure from the EU GDPR and the likely revocation of the EU-UK data sharing agreement. Although commissioned by No.10, the TIGRR is an independent report, and we can only hope that the government proposes a more measured approach when its consultation is published in the coming weeks.
Key here is that the EU requires countries with data sharing agreements to maintain equivalent, not identical, data protection regimes. Therefore, data reforms within the red lines of EU regulatory equivalence could be positive, potentially even welcomed. For example, some TIGRR recommendations on data reform for AI, increasing citizens control of their data and improving data flows could be positive steps with improved data sharing allowing data to flow more freely and drive growth across the NHS services. However, any positive reforms must not be at the expense of the EU-UK data sharing agreement. The agreement should be the foundation upon which we build, without it we are creating barriers to data sharing rather than reducing them.
Alternative transfer mechanisms
If the EU revokes the UK data sharing agreement, costly and burdensome alternative transfer mechanisms will need to be put in place for personal data to continue to flow. This cannot and must not happen. It’s important to remember – and easy to forget – that the data sharing agreement between the EU and UK was hard won. It took 15 months to agree, required two extensions and even then, was only agreed with less than two weeks to go before the expiry of the interim data sharing agreement. The value and difficulty of securing a data sharing agreement with the EU should not be underestimated or thrown away.
Everything going forward pivots on the interpretation of ‘equivalence’. The key question: will the upcoming data reform proposals propose changes within the red lines of EU regulatory equivalence, or will they rip up the rule book and depart from the GDPR entirely? The answer to this question will tell us exactly how concerned, or not, the NHS and health sector should be. We therefore await the Government consultation on reforms to the UK’s data protection regime expected in the ‘coming weeks’ with bated breath.