LOGO

UK Startup Criticizes Government Data Protection Plan

October 13, 2021
Topics:Brexitcaliforniacronofydata protectiondata securitydigital rightsEd Vaizeyeuropean unionGDPRGeneral Data Protection RegulationNetherlandsPolicyPrivacyprivacyUK governmentuk plcUnited KingdomUnited States
UK Startup Criticizes Government Data Protection Plan

Post-Brexit Data Reforms Spark Concerns for UK Tech Sector

The United Kingdom government’s post-Brexit intention to revise its domestic privacy regulations by lowering data protection levels is already generating repercussions throughout the nation’s technology landscape.

Consultation on Reduced Privacy Standards

The Department of Digital, Culture, Media and Sport (DCMS) announced last month a consultation regarding the reduction of privacy standards. Officials asserted that “simplified” regulations would stimulate business innovation.

Scale-Up Voices Concerns

A U.K.-based scale-up has now strongly criticized the consultation in a detailed blog post. The company warns that any decrease in data protection standards will “certainly” negatively impact its EU operations and potentially weaken its U.S. business, considering that several states, including California, have enacted laws similar to Europe’s General Data Protection Regulation (GDPR).

Global Trend Towards Stronger Protections

Lawmakers in the United States, across the political spectrum, are also advocating for the passage of comprehensive federal privacy legislation. Consequently, outside the U.K., the prevailing trend in personal data handling is towards increased protections, not diminished ones.

Government's Focus on Deregulation

Within the U.K., however, ministers are examining current high data standards and exploring avenues to reduce these protections. This is accompanied by the assertion that lowering privacy rights will benefit businesses.

Potential for Legal Uncertainty

Deregulation will inevitably lead to increased legal ambiguity and risk for businesses, potentially resulting in significant business losses.

Cronofy's Response: Relocation to the Netherlands

In a blog post, Cronofy, a U.K. startup founded in 2014 that provides a calendar API and scheduling platform for enterprises, detailed its preparations to mitigate the potential damage from domestic deregulation. The company announced it will establish a new entity in the Netherlands and offer customers the option to contract with Cronofy BV under Dutch law.

“This will establish the new headquarters for all of our data processing, placing us under the supervision of the Dutch data regulator and, therefore, the EU,” explained CEO and co-founder Adam Bird. “Our new General Counsel overseeing this transition is Dutch.”

Impact on U.K. Investment and Jobs

Bird added that this restructuring will likely result in a reduction in Cronofy’s investment in U.K. skills and job creation. “Britain will not benefit from this situation,” he stated, suggesting a negative outcome for the U.K.

Wider Criticism of the Proposal

Bird is not the sole critic of the U.K.’s proposal to revise data protection rules.

Information Commissioner Defends Current Rules

John Edwards, the U.K.’s newly appointed information commissioner, defended the existing data protection framework during a pre-appointment hearing with MPs. He described the U.K.’s GDPR as a “model to follow, not to abandon.”

Former Minister Warns of "Disastrous" Consequences

Earlier this month, Ed Vaizey, formerly the minister of state at DCMS (now Lord Vaizey), cautioned that the U.K. must maintain alignment with the GDPR to avoid “disastrous” economic and digital business consequences.

“The U.K. played a significant role in shaping data protection legislation while a member of the EU, so it seems counterintuitive to now distance ourselves from it,” Vaizey told TechCrunch. “Maintaining alignment is crucial to avoid jeopardizing cross-border data exchanges, which would be devastating. We must, to a large extent, remain in sync with the European Union.”

Damage to U.K. Plc. Already Evident

However, even the policy statements emanating from DCMS appear to be causing harm to the U.K.’s reputation.

Cronofy's Revenue Breakdown

Bird described Cronofy as a “truly global company” currently headquartered in the U.K., with revenue distributed as follows: 55% from the U.S., 25% from the EU, and 9% from the U.K. This means 91% of the scale-up’s revenue originates from exports.

GDPR as a Competitive Advantage

“EU GDPR legislation has not hindered our U.S. business and has, in many cases, been advantageous,” Bird continued. “Addressing data privacy requirements from the outset provides us with a distinct advantage as U.S. companies begin to prioritize protecting people’s information.”

Pre-Brexit Concerns from EU Customers

Prior to the completion of Brexit, Bird noted that a “significant” number of EU customers had already expressed concerns about the potential implications of the U.K.’s departure for their sensitive calendar data and their relationship with his business.

“We have consistently prioritized the protection of people’s private data. However, we made these assurances amidst the U.K. government’s assertive negotiation stance, even to the point of voting to breach international law,” he stated. He added that even before the end of the transition period, customers lacked confidence in Cronofy’s ability to uphold its commitments or in the U.K. government’s willingness to enforce compliance, even if data standards remained unchanged on paper. “Critically, they couldn’t offer that reassurance to their end users,” Bird emphasized.

Government's "Simplification" Plans as a Breaking Point

The government’s current proposals to “simplify” U.K. data protection standards represent the “final straw” for Cronofy.

DCMS Consultation Document Details

The DCMS consultation document outlines plans to implement “reforms to create an ambitious, pro-growth, and innovation-friendly data protection regime” while “maintaining high data protection standards without creating unnecessary barriers to responsible data use.” However, the proposal’s objective is undeniably to remove layers of protection.

Expanded Permissions for Data Use

Ministers are considering granting businesses broad legal permissions to utilize data for “innovation” purposes, with an undefined scope, and are exploring the removal of the requirement for individual consent for processing certain data types, among other potential amendments to the U.K.’s version of GDPR.

Potential Removal of Automated Decision Review

The government is also considering eliminating the provision that grants individuals the right to review purely automated decisions with legal or equivalent consequences.

BCS, The Chartered Institute for IT, has cautioned against such a drastic step, suggesting that increased clarity of the existing provision would be a more prudent approach than maintaining it as-is or abolishing it altogether.

Entrepreneurial Alarm Over UK Data Policy

“With the recent announcement by the government regarding changes to the U.K.’s data privacy legislation, those fears have been realized,” Bird writes, raising the alarm about the direction of U.K. data policy.

“The intention is to move towards a ‘do and ask for permission’ model driven not by societal benefit but by commercial interests. Even if we assure our customers about Cronofy’s approach to data privacy and controls, corresponding enforcement will be lacking.

“We can highlight our ISO certifications, data management controls, and segmented data hosting. However, prospective customers may not even reach that point because they will discount us based on our location. I don’t blame them. Data protection is complex and fraught with risk. Why even consider the risk of working with a provider outside the EU?”

Risk of Losing EU Data Adequacy Agreement

If the U.K.’s level of protection is downgraded, the immediate risk is the loss of its key data flow agreement with the EU, which was only recently established now that the U.K. is considered a “third country” under EU terms.

U.K. companies with European customers rely on this EU “data adequacy” agreement for seamless operations, as it allows for the free flow of personal data from the bloc to the U.K. However, if U.K. law is deemed no longer equivalent, the European Commission has stated it will revoke the arrangement approved this summer.

Sunset Clause and Potential for Revocation

The data flows deal includes a sunset clause, meaning U.K. standards will be automatically reviewed in 2025. EU lawmakers have warned they could revoke the agreement at any time if divergence occurs. Therefore, critical assessments of U.K. privacy policy by entrepreneurs like Bird are unlikely to go unnoticed in Brussels.

A "National Act of Self-Harm"

“This national act of self-harm will have ramifications for decades to come,” Bird warns. “It turns out that Project Fear was actually Project Fact.

“Instead of learning from this warning, the U.K. government appears to be striving to exceed it. While Cronofy being affected is insignificant in isolation, we are witnessing a concerning sign for the U.K. and its relationship with the rest of the world.”

“I had hoped to build Cronofy into a world-leading, U.K.-based company. EU membership provided an enviable platform for that, allowing us to reinvest success back into the U.K.,” he adds, emphasizing that U.K. government policy has left Cronofy with no choice but to restructure its business, prioritizing the EU.

DCMS Response

DCMS was contacted for a response to Bird’s blog post.

A government spokesperson provided the following statement:

Regarding the economic justification for reforming U.K. data protection rules, the spokesperson referenced the Analysis of Expected Impact report on gov.uk. However, they also stated that the analysis remains open for consultation, adding that the government is seeking further information to accurately quantify impacts, including on trade, as it develops a more comprehensive case.

DCMS also emphasized that the consultation process is intended to encourage discussion, stating that it has not yet introduced legislation and will not do so until it has gathered a full range of perspectives and engaged with stakeholders.

For an indication of the future facing U.K. startups if the government’s “reforms” undermine the U.K.’s data adequacy status, refer to the EDPB’s detailed guidance on transfers to third countries. And prepare to increase your legal budget.

This report was updated with a response from DCMS

Are you a U.K. startup with views on the government’s Data: a new direction proposal? Contact natasha@techcrunch.com.

#UK startup#data protection#government plan#data privacy#GDPR#digital rights

Related Posts

Ring AI Facial Recognition: New Feature Raises Privacy Concerns

Ring AI Facial Recognition: New Feature Raises Privacy Concerns

FTC Upholds Ban on Stalkerware Founder Scott Zuckerman

FTC Upholds Ban on Stalkerware Founder Scott Zuckerman

Intellexa Spyware: Direct Access to Government Espionage Victims

Intellexa Spyware: Direct Access to Government Espionage Victims

India Drops Mandatory App Pre-Installation After Backlash

India Drops Mandatory App Pre-Installation After Backlash

Google's AI Advantage: Leveraging User Data

Google's AI Advantage: Leveraging User Data

Apple Cracks Down on AI Data Sharing in New App Store Guidelines

Apple Cracks Down on AI Data Sharing in New App Store Guidelines