John Edwards, New Zealand's former Privacy Commissioner and a prominent Facebook critic, has been named to replace Elizabeth Denham as head of the UK's data protection regulator, the ICO, at a time when the government is promising a post-Brexit "shake up" of data rules and a possible watering down of the UK's version of GDPR.
GDPR is widely seen as the gold standard for data privacy and is being copied not only by other countries but by individual US states such as California; there has, however, been no progress in the US Congress towards an equivalent federal privacy law.
The EU's treatment of privacy as a fundamental human right and the US prioritisation of mass surveillance for national security are fundamentally at odds. Two successive transatlantic data transfer frameworks, Safe Harbor and Privacy Shield, have been struck down by the Court of Justice of the EU. The result is a mismatch between a legal reality in which, since the Schrems II ruling, organisations have no clearly lawful basis for transferring personal data to cloud or data services run by US tech firms, and a political reality in which everyone turns a blind eye because there is currently no realistic alternative.
Nor is a breakthrough likely as long as there is partisan gridlock in Congress and no real will in the US to uphold the privacy of its allies by shielding them from its own surveillance regime.
The UK, as ever, occupies a mid-Atlantic position: as a member of the Five Eyes intelligence alliance it is complicit in US mass surveillance, but because its post-Brexit trading arrangements depend on it, the EU has granted the UK a GDPR 'adequacy' decision allowing personal data to continue flowing freely between the EU and the UK.
Enter John Edwards, a notable Facebook critic who has headed the Office of the Privacy Commissioner in New Zealand for the last seven years and who will now replace Elizabeth Denham as head of the UK's ICO.
In the wake of the 2018 Cambridge Analytica data misuse scandal, Edwards publicly announced that he was deleting his Facebook account, accusing the company of failing to comply with New Zealand's privacy law.
His appointment aligns with the UK government’s agenda to tame the tech giants as it works to bring in safety-focused legislation for digital platforms and reforms of competition rules that take account of platform power.
A task force commissioned by Boris Johnson to investigate how the UK could reshape its data policies outside the EU issued a report this summer in which it recommended scrapping some elements of the UK's GDPR altogether, branding the regime "prescriptive and inflexible" and advocating changes to "free up data for innovation and in the public interest", as it put it, including revisions related to AI and "growth sectors".
At a time when the Irish regulator, which is largely viewed positively by its EU colleagues, is being rebuked for failing to uphold and enforce GDPR, any move by the UK, which is not viewed well by them on most fronts, to diverge from its data-sharing commitments and dilute its own version of GDPR is likely to cause alarm.
UK GDPR Adequacy Decision
The UK's GDPR 'adequacy' decision is time-limited: it carries a four-year sunset clause, after which it must be renewed. The UK government is nevertheless risking its chance of renewal by preparing to reveal how it intends to "reform" (that is, reduce) domestic privacy standards.
Those in favour of reform point to the cost of compliance, the chance to do away with frustrations such as cookie pop-ups, and the need to resolve the problem of the legal use of US cloud services rather than ignoring it. They also question the point of a more rigorous regime if, as in Ireland, it is not being enforced.
Those against reform argue that if a UK firm trades with Europe, or even processes or stores the personal data of people in the EU (EU GDPR applies to data subjects by their location, not their citizenship), then it needs to comply with EU GDPR anyway. Most organisations will therefore need to conform to the higher standard set by the EU and will want to avoid running two separate compliance regimes in parallel, so they gain nothing from any dilution of UK GDPR. The UK also risks failing to have its adequacy decision renewed in a few years' time.
The potential costs of complying with two different systems, or of facing enforcement action or litigation from either the EU or the UK, make this an issue that all senior executives need to be aware of.
Cybersecurity Ventures estimates that cybercrime will cost companies worldwide $10.5 trillion annually by 2025, up from $3 trillion in 2015, a growth rate of 15 percent year over year, and describes cybercrime as the greatest transfer of economic wealth in history.
Whatever your situation, you should expect the cost of your cybersecurity to rise over this period, and your data privacy compliance costs are also likely to increase, all the more so if you end up having to comply with both the UK and EU versions of GDPR.