UK to overhaul privacy rules in post-Brexit departure from GDPR (opens in new tab)

(theguardian.com)

96 pointstompagenet24y ago64 comments

64 comments

59 comments · 12 top-level

agilob4y ago· 9 in thread

>Culture secretary says move could lead to an end to irritating cookie popups and consent requests online

No it won't. Unless you ban EU citizens visiting your website and your website doesn't make business with other businesses in EU.

>Britain will attempt to move away from European data protection regulations as it overhauls its privacy rules after Brexit, the government has announced.

Other countries like Canada implemented GDPR directive. EU required this from Canada, Japan and other countries to make some custom/tariff -free deals. Looks like UK wants to break away from dealing with EU at all?

miohtama4y ago

> Unless you ban EU citizens visiting your website and your website doesn't make business with other businesses in EU.

You can simply break the law and ignore the EU. The cookie popup sanctions are not criminal and unless you are very high profile business, nobody cares about you. Nobody is going to come after you.

The only regulator that international developers need to worry is the SEC from United States, because they pursue for US victims cross border. But the get on the bad side of the SEC you need to do something really stupid.

tankenmate4y ago

The maximum fines for breaking the GDPR is up to 4% of your global turn over. If it gets to that they can seize any assets in the EU, including any revenue earned in the EU up to the amount of the fine. Potentially directors can attract criminal risk by refusing to pay the fine(s), leading to an international arrest warrant. Obviously this is the most extreme case, but it is generally is easier to just comply with the law like a reasonable person.

2 more replies

martin_a4y ago

> Nobody is going to come after you.

You should doubt this.

I filed several complaints with unauthorized newsletters and failing to comply to my GDPR requests. German officials went after the companies and asked them to provide the necessary information. For sure it took its time but it worked and for the companies it's been a warning shot.

2 more replies

rentnorove4y ago

Irritating cookie popups are not mandated by GDPR; the opposite is true and most cookie popups are non-compliant with the legistration. If the ICO (UK regulator) actually did its job then this would be solvable under the existing powers, but it's done very little:

https://www.enforcementtracker.com/

prof-dr-ir4y ago

Also, the cookie popups are not an immediate consequence of GDPR, but rather of its interplay with another directive from 2002 [0]. The EU has of course taken notice of the irritation of the public and is trying to improve on the state of affairs with the proposed ePrivacy Regulation [1].

[0] https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

[1] https://en.wikipedia.org/wiki/EPrivacy_Regulation

redjet4y ago

Practically the UK must maintain an adequacy agreement with the European Commission so any changes would necessarily be constrained by that. Given that much of what became the GDPR was developed by British civil servants and in line with what the UK wanted to achieve at the time I suspect there is more than a little showboating going on here from HMG.

jka4y ago

This will partly depend on whether the EU also decide to change regulations around cookie consent.

You might be interested to follow the EU's ePrivacy Regulation proposals, described here: https://digital-strategy.ec.europa.eu/en/policies/eprivacy-r... (and in particular, the top-level item related to cookies).

naturalauction4y ago

> No it won't. Unless you ban EU citizens visiting your website and your website doesn't make business with other businesses in EU.

I strongly dislike the move too but this is true. The popups are often based on geolocation by ip. Jurisdictions with GDPR get the pop up and those without don’t. If you want to test this go to the Washington Post on an EU/UK ip and an American ip, clearing cookies in between visits and see the difference for yourself.

tonyedgecombe4y ago

>Looks like UK wants to break away from dealing with EU at all?

Anything to do with the EU has become toxic to the governing party.

CodeGlitch4y ago· 8 in thread

I agree with removing the cookie requests. 99% of people just click the big green "AGREE ALL" button because they're too busy to go on a box-ticking exercise. I hope other aspects of GDPR remain in place though, and have to agree that we should be cherry picking the rules that make sense to UK businesses and users.

jka4y ago

The EU's upcoming ePrivacy Regulation[1] proposes, among other suggestions, to move cookie consent into the browser:

"Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies that improve internet experience, such as cookies to remember shopping-cart history or to count the number of website visitors."

[1] - https://ec.europa.eu/digital-single-market/en/proposal-epriv...

FridayoLeary4y ago

Google uses a dark pattern already so that law is screwed before it has even passed.

1 more reply

Macha4y ago

A lot of these cookie requests that are the most cumbersome are themselves GDPR violations.

You should have the options to agree or disagree to non-essential cookies presented equally, and then can offer the granular box ticking for people who really care that Google Analytics can use their data but Google Ads cannot.

People complain that the EU's own website have cookie banners, but if you compare the banner on europa.eu, to say, IB times which is another link on the front page currently. The europa.eu one has two equal options, no BSing about legitimate interest claims for tracking that wouldn't hold up. The IB times one on the other hand has a totally unneeded splash screen, you then need to click manage settings, and for each purpose you need to enter it and disable extra toggles for "objecting" that are basically another layer of opt out consent since they know consent is opt in (but to my understanding if you don't go to manage settings at all and just click the go away option, they will treat that as affirmative consent).

The ePrivacy Regulation is working to clarify the interaction with the ePrivacy Directive which leads to people asking consent for "essential"/non tracking cookies like shopping carts or the "Remember I didn't consent to tracking" cookie.

tpush4y ago

A big green "AGREE ALL" button is explicitly non-compliant, though.

In theory one could preemptively block all consent popups and requests and continue to surf the website without being tracked, if the GDPR had any teeth.

CodeGlitch4y ago

For what it's worth here's what I do:

I run my own /etc/hosts file based on : https://github.com/StevenBlack/hosts

This should block the popular ad-ware companies.

I also browse with Brave, and use their inbuilt "shields" feature to block 3rd party/cross-site cookies. I don't install any additional browser plugins.

Would be nice to kill all the consent-popups, as you say.

frereubu4y ago

Do you have a source to back up the claim of 99%? It seems feasible, but I'd be interested in hard numbers on that because I haven't seen any.

CodeGlitch4y ago

No I do not - in this case 99% = most people. I think only a small percentage of the population understand what a cookie is, and an even smaller percentage of those who care about their privacy enough to go ticking those boxes.

tankenmate4y ago

Personally I would prefer something streamlined, but only if it allows individuals the same or better choices. And I would not want a situation that lead to irreconcilable differences with the GDPR, the hassle of non data portability would be too great.

Nextgrid4y ago· 7 in thread

The reason the GDPR failed and was more an annoyance than a solution is because of its lack of enforcement and the total incompetence of the ICO.

All the annoyances that seem caused by the GDPR such as the annoying and misleading consent popups are explicitly forbidden by the GDPR and do not count as compliance.

If the ICO was doing their job and was using the powers the regulation is granting it (such as the fines everyone was fear-mongering about) it would've quickly forced those websites to comply and stop the annoyances.

remus4y ago

> The reason the GDPR failed and was more an annoyance than a solution is because of its lack of enforcement and the total incompetence of the ICO.

I don't think it is clear that GDPR has failed. Companies actually think about data privacy now, to a much greater extent than they previously have. For example shady practices by the likes of google and facebook have come under the spotlight and companies do face significant GDPR fines when they mess up e.g. this 890 million euro whopper for amazon [1].

[1] https://www.bloomberg.com/news/articles/2021-07-30/amazon-gi...

jacquesm4y ago

The GDPR most certainly has not failed, in fact it is gathering steam. Compliance is increasing, more and more consumers are becoming aware that this law is working to their benefit, and fines are getting more substantial against those companies that have unilaterally decided the GDPR does not apply to them.

Of all the legislation that has come out of Brussels I would count it up next to the successes, similar to the roaming charge law and the one about phone chargers.

frereubu4y ago

Gathering steam is right - people often underestimate the power of nation states (and blocs of nation states) because they can take a while to react. But it's like steering a supertanker - slow to turn, but once they're finally going in the intended direction they're impossible to ignore.

moritonal4y ago

I can count multiple times where GDPR has improved my life as a customer and even as an employee. GDPR was a landmark success in my opinion, especially after the failure that was the cookie law.

IdiocyInAction4y ago

I don't think GDPR has failed. In fact, there have bern multiple times where I have been happy that it exists, since I knew that companies were limited in their ability to save data about me.

frereubu4y ago

If the ICO had appropriate funding I think you'd find they were be able to do a much better job.

dspillett4y ago

The consent pop-ups aren't solely due to GDPR, and GDPR is about much more than tracking in that sense.

KaiserPro4y ago· 6 in thread

I didn't think the cookie law is actually an intrinsic part of GDPR. But I could be wrong. I know you are supposed to make it clear that you are collecting data, and allow opt out.

So, I can see the political point in "setting fire to the cookie law" whilst basically being GDPR in all but name.

however, given the power of the present government to cock things up, I suspect they are going to make some stupid changes that threaten our equivalence with the EU. The EU will happily remove it, thus making it harder to trade in the EU.

I notice some murmuring about science. I suspect that means they'll try and make it simpler to wholesale sell off the fetid datamine that is NHS medical history. However if we are lucky, they'll also undermine the concept of informed consent for anything to do with research/data, which will be fun.

acatton4y ago

> I didn't think the cookie law is actually an intrinsic part of GDPR

Because it is not. [1] It was part of the ePrivacy directive, it has been amended since. The TL;DR is: today, if you don't use cookies for tracking and/or ads, you're fine. Just put a cookie consent checkbox on the user login form, and your website will have a much nicer user experience.

If you show a cookies consent modal before your visitors can access anything, either:

* you have personalised ads with global tracking. (~= criteo, amazon ads, or google adsense)

* you're using a globalised analytic tool. (~= Google Analytics)

* you're following an outdated version of the ePrivacy/GDPR directives.

But it's easier to blame it on the EU.

[1] https://gdpr.eu/cookies/

GoblinSlayer4y ago

They say you don't need cookie consent for login form. Login form is an obvious authentication, opt-in even. You need cookie consent when you authenticate user stealthily - how Google Analytics does it.

Mindwipe4y ago

> I didn't think the cookie law is actually an intrinsic part of GDPR

It isn't, the DCMS is being deliberately misleading to justify gutting UK privacy law.

12ian344y ago

Could you elaborate on why it is not?

1 more reply

account424y ago

> I know you are supposed to make it clear that you are collecting data, and allow opt out.

Just to be clear, the GDPR requires opt-*in* for any data for which you do not have a legitimate interest - that you means you need consent before you start collecting.

jollybean4y ago

As is well documented here, it's not intrinsic but it's the pragmatic outcome i.e. 'it's what is happening because GDPR and the state of the web'.

So it's one thing to point fingers and say 'the law doesn't require it' it's another to recognize that's where the equilibrium landed and that at least some kind of problem still exists.

I personally think there's actually a win-win and that we can have our cake and eat it as well, but these popups are a good indication that the laws as designed are not that.

that_guy_iain4y ago· 4 in thread

And now lots of companies who are hosted in the UK are going to have to move out of the UK to stay in compliance with GDPR.

I actually choose my newsletter service based on the fact they were in the UK and therefore compliant with GDPR due to the fact I seen Mailchimp wasn't.

scaryclam4y ago

I don't think they're going to have to move, just remain compliant with the GDPR rules. UK businesses still have a lot of customers in the EU, and will have to comply with the GDPR to continue their businesses, so I very much doubt much is going to change.

motives4y ago

If there is sufficient deviation from GDPR (who knows what will happen from this speculative article alone), the UK will probably lose its adequacy to transfer personal data, which will materially impact how international organisations can transfer data. In fact the recent UK-EU adequacy decision explicitly states this [0]:

'For the first time, the adequacy decisions include a so-called ‘sunset clause', which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection. During these four years, the Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.'.

The impact of a loss of adequacy will be significant on UK service providers, as it will become significantly easier from a regulatory perspective to just host within the EU for both UK and EU customers than to deal with the hassle of using UK datacenters.

[0] - https://ec.europa.eu/commission/presscorner/detail/en/ip_21_...

lloydatkinson4y ago

Who do you use now?

that_guy_iain4y ago

https://emailoctopus.com/ is my current provider and they say they use EU data centers should I should be good.

1 more reply

DrBazza4y ago· 3 in thread

There's a name for this - when a large bloc of countries require something legally, and the rest of the world end up following.

You can probably "thank" the EU for not having to carry around individual LG, Samsung, Anker, Sony, Apple, whoever charging bricks:

https://en.wikipedia.org/wiki/Common_external_power_supply

AstralStorm4y ago

The name you want is Brussels Effect.

It is more costly to maintain separate product lines than to comply.

https://en.wikipedia.org/wiki/Brussels_effect

DaiPlusPlus4y ago

aka The California Effect for the 'mericans

jollybean4y ago

It's not 'a large block' it's just a large enough market, relative to a smaller market.

Most things in Canada are dictated (or influenced) by US standards.

Also, the EU is not quite big enough to force those manufacturers into 'same standard' on a global basis. The US actually might no be either alone. It's entirely feasible they could make $ by using different chargers in 'the remaining 80% of the world'. They don't do it partly for the reg, but mostly for other reasons.

Apple breaks other industry norms all the time for other product features, they do it for hardware revenues, and they can do it because they have market power which nobody else quite has, though maybe Samsung could try.

mrunkel4y ago· 3 in thread

This translates to: "We are not going to require consent for data collection."

tankenmate4y ago

Which would lead to data portability issues with the EU. A number of companies I deal with have decided to host their data in the EU (even for UK source data) as a result of Brexit.

nixpulvis4y ago

Um, it doesn't have too...

Why not start with re-reading existing consumer data protection law? I bet there's stuff in there that can be applied and reworked.

We need it to be appropriately scary for companies to abuse data.

x0x04y ago

Well, you'll be able to hear the shrieking from here if Britain is ruled not to have an adequate data protection regime.

The EU basically doesn't enforce the regulation against the US because we're too big a software partner for the rules to apply. I wouldn't bet the UK is going to get the same realpolitik exception.

s1k3s4y ago· 3 in thread

Good for them, I wish EU did it too. GDPR is such a failure.

Edit: Why is this downvoted? What exactly did GDPR accomplish except for making our web experience a mess, both for businesses and users.

HatchedLake7214y ago

It is downvoted because you say something is a failure without backing it up, when GDPR is actually a success for privacy and consumers everywhere.

1. Marketing consent has now to be explicitly asked for when signing up for any service. Companies cannot enrol you to one if you didn't ask for it.

2. Right to be forgotten. You can request a company to erase all your private data they hold on you.

3. Companies have to legally report data breaches within 72 hours after becoming aware of it.

4. Penalties for companies who do not take privacy seriously.

5. Companies can no longer just hoard sensitive/private data unless they have a reason for it.

6. Selling private data from company to company now requires original consent from the user (this stopped a lot of businesses selling lists for lead gen, call centres, etc)

7. Companies treat private data as a liability now, making them ask themselves additional questions whether it needs to be stored or processed at all, and if so, put additional security fences around it.

This list can go on for ages. I don't see these benefits and additional rights for hundreds of millions people out there as a failure. It's a win win for consumers.

guitarbill4y ago

The web "experience" was already a mess.

One example is data retention. Previously, data could and and was just keep around forever. With the GDPR, when you delete stuff, you can now expect it to actually be deleted from backend storage, usually within 30 days or less (yes, there are exceptions). This is nice, since it does limit your exposure in case of a breach. Speaking of breaches, they also have to be reported in a timely manner. Without the GDPR or equivalent, companies are free to suppress that as long as they want, and have done so.

s1k3s4y ago

I advise you to go back and read the law again. What you describe doesn’t happen and it’s not even enforced by it.

1 more reply

selfhoster114y ago· 2 in thread

Uh oh. I was worried they might start messing with GDPR. While GDPR can get complicated to comply with, it is a measure that I wholeheartedly support as a user who values their personal data.

Ekaros4y ago

Having something is better than having nothing. At least now there is some hammer for security/etc. people to use to get something sane how data is stored and handled.

selfhoster114y ago

Exactly what I was trying to say.

FridayoLeary4y ago· 2 in thread

The GDPR should specify a standard cookie banner that must be used, some of them are beyond a joke. Google (for shame) has the most horrible, obnoxious dark-pattern banner, that they have obviously worked on to make as unfriendly as possible, while looking as benign as possible. I've never once in my life bothered reading the walls of script and check-boxes before clicking the most convenient button i can find.

PaulKeeble4y ago

The grand majority of them aren't really complying with the law as they default to cookies on and use a series of dark patterns to avoid you turning them off. But so far the regulators haven't been dealing with the problem. But its well within their power to do so and fix it so there is a simple dismiss button and the default is no cookies if they start enforcing the law they have.

FridayoLeary4y ago

Ironically The Guardian itself is violating the GDPR, doing precisely what you described. And this harms the reputation of the law as it gets associated with annoying and ineffective pop-ups.

prof-dr-ir4y ago

If UK privacy law starts to deviate significantly from GDPR then the EU commission will not hesitate to withdraw its 'equivalence' decision on UK privacy rights [0]. This will hamper the flow of data from the EU to the UK, the costs of which to UK businesses will more than offset any "Brexit dividend for individuals and businesses across the UK" that the culture secretary is seemingly so keen on obtaining.

Of course, these kind of nuances tend to get forgotten by those who think they can secure better trade deals by spending £200M on a boat [1].

[0] https://www.theguardian.com/technology/2021/jun/28/eu-rules-...

[1] https://www.ft.com/content/c77b7aa1-cebc-47c6-a04a-d21eef2d1...

f32jhnjk33jj4y ago

Cookie popups is another reason to hate the EU. The block is called a bureaucratic monster for a reason.

j / k navigate · click thread line to collapse