UK startup blasts gov’t plan to downgrade data protection

The U.K. government’s post-Brexit appetite to “reform” domestic privacy rules by reducing the level of protections wrapping people’s data is already having wider ramifications for the country’s tech ecosystem.

Last month the Department of Digital, Culture, Media and Sport (DCMS) announced a consultation on reducing privacy standards — claiming “simplified” rules would be a boon for business innovation.

Now a homegrown scale-up has blasted the consultation in an excoriating blog post — warning that any reduction in data protection standards will “certainly” damage its EU business and could even weaken its U.S. business, given that a number of states (such as California) have already passed similar laws to Europe’s General Data Protection Regulation (GDPR).

U.S. lawmakers on both sides of the aisle are now also pressing the case to pass comprehensive federal privacy legislation. So — outside the U.K. at least — the direction of travel on personal data is toward greater protections, not fewer.

But inside the U.K., ministers are eyeing current high standards wrapping data and looking for ways to downgrade those protections — making a superficial claim that reducing privacy rights will be good for business.

What deregulation will certainly mean is increased legal uncertainty and risk for businesses — and potentially a lot of lost business too.

In the blog post, Cronofy, a 2014-founded U.K. startup which sells a calendar API and scheduling platform for enterprises, writes that it’s making preparations to prevent a domestic deregulatory bomb cratering its business — saying it will be opening a new company in the Netherlands and offering customers the ability to contract with Cronofy BV under Dutch law.

“That will become the new HQ for all of our data processing so we can be under the oversight of the Dutch data regulator and thus the EU,” writes CEO and co-founder Adam Bird. “Our new General Counsel overseeing all of this is Dutch.”

“How does Britain fare out of this? Not very well I’m afraid,” he adds, suggesting the restructuring will also mean Cronofy ends up reducing the level of investment it makes into U.K. skills and U.K. jobs.

Bird is not alone in blasting the U.K. proposal to rip up data protection rules, either.

The U.K.’s newly appointed information commissioner, John Edwards, defended the current data protection rulebook in a pre-appointment hearing with MPs, describing the U.K.’s GDPR as a “how to not a don’t do” just last month.

While, earlier this month, Ed Vaizey, the former minister of state in charge of DCMS (now Lord Vaizey), warned the U.K. must stay aligned with the GDPR — or face “disastrous” consequences for the economy and digital businesses.

“The U.K. was very influential in how data protection legislation was drawn up when we were members of the EU so I think it’s slightly odd that we should shy away from that legislation,” Vaizey told TechCrunch last week.

“You do not want a position where you make yourself vulnerable to attacks by the EU to say that your data protection regime is not adequate and we can’t therefore have cross-border exchanges of data — that would be disastrous. So whether we like it or not we will have to keep to a certain extent in lock-step with the European Union.”

However even the policy noises coming out of DCMS appear to be doing damage to U.K. Plc.

In his blog post, Bird describes Cronofy as “a truly global company” — one that’s (currently) headquartered in the U.K. but with revenue split 55% U.S., 25% EU, 9% U.K. Meaning 91% of the scale-up’s revenue is from exports.

“EU GDPR legislation has not harmed our U.S. business and in many cases has been an advantage,” he goes on. “Having to confront data privacy requirements from the founding of the business puts us at a distinct advantage as U.S. companies wake up to having to protect people’s information.”

Before Brexit “got done”, Bird says a “significant” number of EU customers were already raising concerns about what the U.K.’s departure might meant for their (sensitive calendar) data and relationship with his business.

“We will always do our utmost to protect people’s private data. However, we were making these assertions against the backdrop of the UK government grandstanding in the name of ‘strong negotiation’, even to the extent that they voted to break international law,” he continues, saying that even before the end of the transition period customers weren’t confident Cronofy would be able to stand by its word or that the UK government would bother to enforce compliance even if it kept the same data standards on paper. “Even more importantly, they couldn’t give that reassurance to their end users,” Bird adds.

The government’s noises now about “simplifying” U.K. data protection standards are the “final straw” for Cronofy.

In the consultation document, DCMS talks about carrying out “reforms to create an ambitious, pro-growth and innovation-friendly data protection regime” while “maintain[ing] high data protection standards without creating unnecessary barriers to responsible data use” — but there’s no doubt the proposal’s aim to remove layers of protection.

Ministers are, for example, considering expansive legal permissions for businesses to use data for “innovation” purposes, whatever that might mean (hint: anything) — and consulting on removing the need for individual consent to process certain types of data, among other potential amendments to the U.K.’s version of GDPR.

Entirely removing a provision that gives people a right of review of purely automated decisions that have a legal/equivalent impact is also being eyed by government.

(And on that front, the professional body BCS, aka The Chartered Institute for IT, has warned today against such a drastic step — suggesting in a blog post that increased clarity of the existing provision would be the more judicious policy than keeping it exactly as-is or dumping it altogether.)

“With the recent announcement by the government of the changes they want to make to the UK’s data privacy legislation, it seems that those fears were well founded,” writes Bird, sounding the alarm over the direction of UK data policy.

“It wants to move to a ‘do and ask for permission’ model driven not by benefit to mankind but instead by commercial interests. Whatever we say to our customers about how Cronofy approaches data privacy and controls, corresponding enforcement will not follow.

“We can make our protestations about ISO certifications, data management controls, segmented data hosting. However, prospective customers won’t necessarily get that far because we’ll be discounted based on our location. I don’t blame them. Data protection is fraught and complicated. Why even entertain the risk of going with a provider from outside the EU.”

If the U.K.’s level of protection gets downgraded, the immediate risk is the U.K. will lose a key data flow agreement with the EU — which has only just been put in place now that it’s a so-called “third country”, in EU terms.

U.K. companies with customers in Europe rely on this EU “data adequacy” agreement for smooth running as it allows for personal data to flow freely from the bloc to the U.K. But if U.K. law is assessed as no longer equivalent the European Commission has said it will revoke the arrangement signed off this summer.

The data flows deal already includes a sunset clause — meaning there will be an automatic review of U.K. standards in 2025.

But EU lawmakers warned they could revoke it at any moment if there’s divergence. So blistering attacks on U.K. privacy policy by homegrown entrepreneurs like Bird are unlikely to go unnoticed in Brussels…

“This national act of self-harm will have ramifications for decades to come,” Bird warns. “It turns out that Project Fear [as Brexit supporters dismissively dubbed objections to leaving the EU by those that wanted to remain], was actually Project Fact.

“Instead of taking it as a warning of something to avoid, the UK government seem to have taken it as an outcome to exceed. Whilst in isolation, Cronofy being collateral damage is unimportant. What we are facing is a worrying portent for the UK and its relationship with the rest of the world.”

“I expected and wanted to be building Cronofy into a world-beating, UK company. Membership of the EU gave us an enviable platform to do that and, in turn, invest that success back into the UK,” he adds, underscoring his point that UK government policy has left Cronofy with little choice but to restructure its business in a way that puts the EU at the core.

DCMS was contacted for a response to Bird’s blog post.

A government spokesperson sent us this statement:

“We are not weakening the UK’s data protection rules. We are consulting on reforming our data regime to encourage innovation and improve public services.

“Any proposals will build on the UK GDPR, with people continuing to enjoy the strongest data protection standards and with a reinforced responsibility on businesses to keep personal information safe.”

On the economic case for reforming UK data protection rules, the spokesperson claimed this is described in the Analysis of Expected Impact report on — but also said that the analysis remains open to consultation, with the official adding that the government is seeking further information to robustly quantify impacts, including on trade, as it builds a more detailed case.

DCMS also told us the consultation process is intended to spark discussion, emphasizing that it has yet to introduce legislation — and saying it will not do so until it has gathered a full range of views and engaged with interested parties.

For a glimpse of the future that awaits U.K. startups should the government’s “reforms” end up torching the U.K.’s data adequacy status, see the EDPB’s intricate guidance on transfers to third countries. And prepare to level up your legal expense budget.

This report was updated with a response from DCMS

Are you a U.K. startup with views on the government’s Data: a new direction proposal? Get in touch by contacting