The UK will soon take Brexit one step further, going the full GDPR exit with the country rewriting its own data laws and even appointing a new privacy commissioner from across the ditch.
In the UK last week, culture secretary Oliver Dowden told The Telegraph the country is looking to reform data protection and management.
In particular, the Boris Johnson-led government wants to create key differences between the country’s approach to managing data and GDPR.
“Now that we have left the EU, I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK,” Dowden told the paper.
Hoping to “turbocharge the digital economy while also cutting red tape”, the conservative government is looking to develop a “light touch British framework”, with details expected to be published next month.
UK’s GDPR Brexit
The General Data Protection Regulation (GDPR) came into effect in 2018 and defined a set of rules governing the way personal information for EU citizens is shared and stored.
Personal data is any information relating to an identified or identifiable person. The scheme originated when the European Commission looked to reform data protection in 2012.
It took four years to develop the framework aimed at giving people more control over their personal data.
In its new data protection and privacy approach, the UK is looking to move away from a one-size-fits-all approach that it says disproportionately imposes greater requirements on smaller businesses and charities.
It also wants to do away with people having to provide consent each and every time they visit a particular website, and with permission pop-ups on every website, so that only those cookies with a high risk to privacy will need individual and repeated permissions.
Pointing to countries such as Japan and New Zealand as “data adequate”, the UK does not believe it is watering down its privacy protection.
It recently announced the appointment of former New Zealand privacy commissioner John Edwards as the incoming privacy commissioner who will take the helm of the UK’s Information Commissioner’s Office.
Leading the regulator responsible for enforcing data protection law, Edwards will go beyond the regulator's traditional role of focusing only on protecting data rights.
Instead, he will have a mandate to take an approach that promotes innovation and economic growth, according to Dowden.
They’re promising a “commonsense” approach rather than a “box ticking” mandate imposed across the board.
Does Australia need privacy reform?
Although it was drafted and passed by the EU, GDPR imposes its requirements on organisations regardless of their actual location.
If they target or collect data related to people in the EU, GDPR applies, which obviously includes Australian businesses and organisations.
However, in Australia, GDPR compliance is still lagging, according to a Capgemini survey that found almost half of organisations still have a way to go.
In terms of national rules, the Privacy Act in Australia, overseen by the Office of the Australian Information Commissioner (OAIC), shares many common requirements with GDPR, including the need to implement a privacy-by-design approach to compliance, being able to demonstrate compliance with privacy principles and obligations, and adopting transparent information-handling practices.
However, Australia’s privacy protections need to be fit for purpose in the digital economy, and the definition of ‘personal information’ needs to align with the GDPR’s definition of ‘personal data’, according to the OAIC.
It made this recommendation in its submission to the Australian Competition and Consumer Commission (ACCC) Digital Platforms Inquiry.
The OAIC also suggests evaluating the current Privacy Act exemptions and considering whether additional GDPR rights should be introduced in Australia.
For example, it wants the fair collection of information rule to be extended to the fair use and disclosure of personal information through a new, explicit provision in the Privacy Act.
“A key challenge for regulating privacy in the digital era is whether privacy laws appropriately balance privacy self-management and organisational accountability,” the OAIC said.