The UK government’s post-Brexit appetite to ‘reform’ domestic privacy rules by proposing to reduce the level of protections wrapping people’s data is already having wider ramifications for the country’s tech ecosystem.
Last month the Department of Digital, Culture, Media and Sport (DCMS) announced a consultation on reducing privacy standards — claiming ‘simplified’ rules would be a boon for business innovation.
Now a homegrown scale-up has blasted the consultation in an excoriating blog post — warning that any reduction in data protection standards will “certainly” damage its EU business and could even weaken its US business, given that a number of states (such as California) have already passed similar laws to Europe’s General Data Protection Regulation (GDPR).
US lawmakers on both sides of the aisle are also pressing the case to pass comprehensive federal privacy legislation. So — outside the UK at least — the direction of travel on personal data is toward greater protections, not fewer.
In the blog post, Cronofy, a 2014-founded startup which sells a calendar API and scheduling platform for enterprises, writes that it’s making preparations to prevent a domestic deregulatory bomb cratering its business — saying it will be opening a new company in the Netherlands and offering customers the ability to contract with Cronofy BV under Dutch law.
“That will become the new HQ for all of our data processing so we can be under the oversight of the Dutch data regulator and thus the EU,” writes CEO and co-founder Adam Bird. “Our new General Counsel overseeing all of this is Dutch.
“How does Britain fare out of this? Not very well I’m afraid,” he adds, suggesting the restructuring will also mean Cronofy ends up reducing the level of investment it makes into UK skills and UK jobs.
Bird is not alone in blasting the UK proposal to rip up data protection rules, either.
Earlier this month Ed Vaizey, the former minister of state in charge of DCMS (now Lord Vaizey), warned the UK must stay aligned with the GDPR — or face “disastrous” consequences for the economy and digital businesses.
“The U.K. was very influential in how data protection legislation was drawn up when we were members of the EU so I think it’s slightly odd that we should shy away from that legislation,” Vaizey told TechCrunch last week.
“You do not want a position where you make yourself vulnerable to attacks by the EU to say that your data protection regime is not adequate and we can’t therefore have cross-border exchanges of data — that would be disastrous. So whether we like it or not we will have to keep to a certain extent in lock-step with the European Union.”
However even the policy noises coming out of DCMS appear to be doing damage to UK Plc.
In his blog post, Bird describes Cronofy as “a truly global company” — one that’s (currently) headquartered in the UK but with revenue split 55% US, 25% EU, 9% UK. Meaning 91% of the scale-up’s revenue is from exports.
“EU GDPR legislation has not harmed our US business and in many cases has been an advantage,” he goes on. “Having to confront data privacy requirements from the founding of the business puts us at a distinct advantage as US companies wake up to having to protect people’s information.”
Before Brexit ‘got done’, Bird says a “significant” number of EU customers were already raising concerns about what the UK’s departure might meant for their (sensitive calendar) data and relationship with his business.
“We will always do our utmost to protect people’s private data. However we were making these assertions against the backdrop of the UK government grandstanding in the name of ‘strong negotiation’, even to the extent that they voted to break international law,” he continues, saying that even before the end of the transition period customers weren’t confident Cronofy would be able to stand by its word or that the UK government would bother to enforce compliance even if it kept the same data standards on paper. “Even more importantly, they couldn’t give that reassurance to their end users,” Bird adds.
The government’s noises now about ‘simplifying’ UK data protection standards appear to be the final straw for Cronofy.
In the consultation, DCMS talks about “reforms to create an ambitious, pro-growth and innovation-friendly data protection regime” — and about “maintain[ing] high data protection standards without creating unnecessary barriers to responsible data use” — but there’s no doubt the proposal is about removing layers of protection.
Ministers are, for example, considering expansive legal permissions for businesses to use data for ‘innovation’ purposes, whatever that might mean (hint: anything) — and consulting on removing the need for individual consent to process certain types of data, among other potential amendments to the UK’s version of GDPR.
Entirely removing a provision that gives people rights over automated decisions that have a legal/equivalent impact on them is also being eyed by government. (And on that front, the professional body BCS, aka The Chartered Institute for IT, also warned against such a drastic step — suggesting in a blog post today that increased clarity of the existing provision would be the more judicious policy than keeping it as is or dumping it altogether.)
“With the recent announcement by the government of the changes they want to make to the UK’s data privacy legislation, it seems that those fears were well founded,” writes Bird, sounding the alarm over the direction of UK data policy.
“It wants to move to a ‘do and ask for permission’ model driven not by benefit to mankind but instead by commercial interests. Whatever we say to our customers about how Cronofy approaches data privacy and controls, corresponding enforcement will not follow.
“We can make our protestations about ISO certifications, data management controls, segmented data hosting. However, prospective customers won’t necessarily get that far because we’ll be discounted based on our location. I don’t blame them. Data protection is fraught and complicated. Why even entertain the risk of going with a provider from outside the EU.”
If the UK’s level of protection gets downgraded, the risk is the country will lose a key data flow agreement with the EU — which has only just be put in place now the UK is a so-called ‘third country’ outside the bloc.
UK companies with customers in Europe rely on this ‘data adequacy’ agreement for smooth running as it allows for personal data to flow freely from the bloc to the UK. But if the UK’s standard is assessed as no longer equivalent to EU law the European Commission has said it will revoke the arrangement it signed off on this summer.
The data flows deal already includes a sunset clause — meaning there will be an automatic review of UK standards in 2025.
“This national act of self-harm will have ramifications for decades to come,” Bird warns. “It turns out that Project Fear [as Brexit supporters dismissively dubbed objections to leaving by those that wanted to remain in the EU], was actually Project Fact.
“Instead of taking it as a warning of something to avoid, the UK government seem to have taken it as an outcome to exceed. Whilst in isolation, Cronofy being collateral damage is unimportant. What we are facing is a worrying portent for the UK and its relationship with the rest of the world.”
“I expected and wanted to be building Cronofy into a world-beating, UK company. Membership of the EU gave us an enviable platform to do that and, in turn, invest that success back into the UK,” he adds, underscoring his point that UK government policy has left Cronofy with little choice but to restructure its business in a way that puts the EU at the center.
DCMS has been contacted for a response to Bird’s blog post.
For a glimpse of the future that awaits UK startups if government ‘reforms’ end up torching the UK’s data adequacy see the EDPB’s intricate guidance on data transfers to third countries. And prepare to level up your legal expense budget..
Are you a UK startup with views on the government’s Data: a new direction proposal? Get in touch by contacting email@example.com
Denial of responsibility! Swiftheadline is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – firstname.lastname@example.org. The content will be deleted within 24 hours.