Clifford Chance

These are the UK government's words in launching its new National Data Strategy. Will the strategy equip the UK to emerge from the coronavirus pandemic with a world-leading data economy, or isolate it from its international friends?

On 9 September 2020, the UK government announced a set of initiatives setting in motion a potential rethink of the UK's regulation and rules governing the use of data. The headline is the release of the government's National Data Strategy, which provides a framework for government action on data regulation in the UK, and the launch of a consultation, inviting stakeholders to provide comments on the National Data Strategy. Following the consultation, the government will release proposals outlining the next steps early next year.

The deadline for responses to the consultation is on 2 December 2020.

UK as digital leader

The UK wants to position itself as a leading digital nation.

In 2018, digitally delivered UK services exports were estimated to be £190 billion (67% of total service exports). The UK has confirmed that enabling and growing this data-driven trade will be a priority in its approach to free-trade negotiations. Globally, investors pour venture capital into the UK tech sector - reportedly only behind the US and China. Post-Brexit, the UK will need to have a clear policy framework to continue attracting this investment (also to develop talent).

Data can be used to help, but without appropriate safeguards can cause harm. Dr Jeni Tennison, Vice President at the Open Data Institute said, "People and organisations of all kinds are facing big challenges over the next few years. Data can help us all to navigate them, increasing our understanding of our changing world and informing the decisions we make."

Post-Brexit, the strategy unequivocally states that the UK government "will take advantage" of being a "independent, sovereign nation" to maximise the UK's strengths domestically and to internationally influence the global approach to data sharing and use. Data sovereignty is driving geopolitical debates and legislative reforms, from the EU, the US and elsewhere. But how will the UK's ambitions be realised?

Data sovereignty

What does data sovereignty look like in a world where data and the laws and rules applicable to it cannot be hermetically sealed?

The strategy will involve interrogating how the existing laws impacting personal and non-personal data should be addressed. Data protection is just one example. The UK is currently subject to EU data protection laws including the General Data Protection Regulation (the GDPR). Assuming that there is no extension to the transition period, these laws will cease to apply on 1 January 2021 (see here). By leaving the EU, the UK will be able to diverge from the EU rules on data protection. Whilst the UK data protection rules are currently aligned with GDPR standards (the UK Data Protection Act 2018 essentially implements the GDPR and its standards across all general data processing into UK rules), this new strategy indicates the UK government's policy objectives in the coming years.

The Government Office for Science released a report on the same day as the National Data Strategy, titled "The future of citizen data systems". The key message of the report is that the UK government should "clearly articulate what it wants to achieve with its data system: what economic, social and security-related ambitions it has for better use of citizen data and what objectives for security, inclusion and individual rights it will prioritise." This is broadly in line with the objective of the National Data Strategy. Digital inclusion and responsible data resonates with other international data framework developments, and the UK's proposed strategy wants to tackle matters like data ethics and innovating to prevent online harms head on.

Interestingly, the Government Office for Science also recommends that "[c]oherence with regional data systems, for example the EU and regulations including GDPR in the UK’s case, can be important for businesses seeking to export and consumer access to services" though notes that "there are also important variations in domestic implementation of different policies and regulations, and the multilateral frameworks that have emerged do not necessarily preclude other forms of international coordination."

One option is for the UK to remain aligned with EU rules. Again, to take data protection as an example, under the GDPR rules the European Commission can deem that non-EU countries provide 'adequate' protection for individuals’ rights and freedoms for their personal data, thereby facilitating transfers of personal data to that third country. In the Revised Political Declaration between the UK and the EU, the EU committed to begin its assessment of the 'adequacy' of the UK data regime with a view to coming to a decision by the end of 2020. Any decision by the UK government to diverge from the EU rules may have an impact on whether or not the UK is deemed 'adequate' by the EU.  Given the importance of cross-border data flows, that may be a risk that the UK is not willing to take.  The rush for data sovereignty by other states is ramping up aggressively; we are also seeing intense debates about the EU's recent decision on cross-border personal data transfers in Schrems II. A political misstep threatens the free flow of data between the UK and EU. That is something that the UK government will surely consider very carefully.

The National Data Strategy

In order to make best use of data in the UK, four core pillars of the strategy have been identified:

• Data foundations: to achieve better insights and outcomes from the use of data, its quality should be improved, it should be recorded in standardised formats on modern systems, and it must be held in an accessible and reusable condition.
• Data skills: for businesses to use data effectively there will need to be more data-literate individuals and more opportunities to train and prepare the future workforce. The growth in AI and cyber specialisms also drives the demand for broader supply of data skills at the foundational level and across the public sector.
• Data availability: to have the most effective impact, data needs to be appropriately accessible, mobile and reusable. Increasing data availability across the wider economy and society has the potential to support greater innovation and drive economic growth.
• Responsible data: it is imperative to use data in a responsible, lawful, secure, fair, ethical, sustainable and accountable manner, while also supporting innovation and research.

These pillars are reflected in five priority areas of action or 'missions', which address key challenges preventing the UK from taking advantage of the opportunities that data offers:

Unlocking the value of data across the economy

The UK's aim is to create an environment where data is appropriately usable, accessible and available across the economy – from smaller companies to tech giants, enabling timely and appropriate access to data that is of sufficient quality. The government is proposing the creation of a framework to identify where data can and should be made available, and to explore its in achieving this goal including as collaborator, customer, provider, funder, regulator and legislator.

Securing a pro-growth and trusted data regime

Following withdrawal from the European Union and the assumption of control over data protection laws and regulations, the UK is clear that it is pursuing EU 'data adequacy' to maintain the free flow of personal data from the EU. While ensuring the data protection laws remain fit for purpose and can support competition and innovation, the government is committed to high data protection standards that maintain privacy, security and public trust.

Transforming government’s use of data to drive efficiency and improve public services

The coronavirus pandemic has demonstrated that there is a lot of untapped potential in the way the government uses data. The government is seeking to tackle the challenges, among others, of legal and security risks of sharing data, the lack of incentives, skill or investment to drive effective governance, and the lack of consistency in the standards and systems used across the government. Identifying five broad areas of work, the government wishes to hear views on which of these actions will have the biggest impact for transforming the use of data: (i) quality, availability and access; (ii) standards and assurance; (iii) capability, leadership and culture; (iv) accountability and productivity; and (v) ethics and public trust.

Ensuring the security and resilience of the infrastructure on which data relies

The government wishes to take greater responsibility to ensure that data is handled in a safe, secure and resilient way. Data relies on virtualised or physical data infrastructure, systems and services that store, process and transfer data, and in the increasingly international environment this infrastructure presents significant data security risks. The government therefore wishes to determine the scale and nature of such risks, evaluate the way it manages the risks and work out the appropriate responses. 

Championing the international flow of data

Facing the opportunity to be a world leader in digital trade, the UK wishes to create a regime to ensure personal data is appropriately safeguarded as it moves across borders, remove unnecessary barriers to international data flows, and develop shared technical standards to facilitate the combination and cross-referencing of different data sources.

Throughout, the strategy seeks to provide evidence of what the UK government is doing in practice already to deliver on these pillars; there are receipts for the various promises made, and the government encourages stakeholders to provide meaningful input on how they see regulation of data-related issues being managed by UK bodies (for example, the UK Centre for Data Ethics and Innovation on AI and data ethics issues).

Looking ahead

Having left the European Union and in light of changes wrought by the global coronavirus pandemic, the UK wishes to position itself as a "global champion of data use" and hopes that the latest strategy will dovetail with other government initiatives such as those on Smart Data and Open Data.  

Businesses that receive personal data from organisations in the EU should take steps to prepare for new rules and regulation concerning data protection, and to consider how data can be more effectively collected, stored and accessed in a responsible and ethical way.

A call to action

The UK government wants to hear from a representative cross-section of society, ensuring diversity and inclusion.

A call to action is made to a broad range of interested parties including investors in tech and data companies, data-rich companies, academics and research and policy organisations, and law firms. These organisations, particularly those with UK operations and presence, have the opportunity to drive the policy.

The future form of these rules will impact which tech deals proceed and which fail, what regulatory enforcement emerging technologies may be subject to, and – importantly – what protections will exist in the UK to harness data for the benefit of society and those the data concerns.

The consultation is detailed and wide-ranging; the issues are of fundamental policy and legal significance: the government explained that it wants to ensure that the strategy is "sensible" given the potential for wider public interest. Those wanting to help shape the next stage should respond.

This article was wrtten by Alex Hough and Eliot Cohen, Trainee Solicitors