The UK Government has committed to enact a new Data Protection Act which “will ensure that the United Kingdom retains its world-class regime protecting personal data”.
What does the Bill cover?
According to the explanatory policy paper that accompanied the Queen’s Speech, the new Bill will “ensure the UK has a data protection regime that is fit for the 21st century” by:
- ensuring that the UK’s data protection framework cements the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data;
- strengthening rights and empowering individuals to have more control over their personal data;
- establishing a new data protection regime for non-law enforcement data processing (implementing the Law Enforcement Directive); and
- modernising and updating the regime for data processing by law enforcement agencies.M
We already know that the biggest shake-up of data protection law in a generation is coming down the track in the form of the EU’s General Data Protection Regulation (GDPR) and the last Conservative Government made it clear that, despite Brexit, it expected GDPR to take effect in the UK on 25 May 2018 in the same way that it would take effect in all other EU member states. Indeed, given GDPR, the UK would have had to enact complementary UK legislation to supplement GDPR in areas that were left to member states, so some form of UK data protection legislation was going to be necessary in the next parliamentary session anyway.
The UK Government has said that one of the main benefits of the Bill will be to implement GDPR and, indeed, the stated aims of this new Data Protection Bill are very much in line with GDPR, but given that GDPR will take effect in the UK automatically anyway, it is not entirely clear what this new Data Protection Bill will actually do that is new.
For example, the explanatory policy paper says that the new Bill will include “a right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it”. This right is already included within GDPR so it the intention to strengthen or modify that right? It’s not clear.
Data transfers between the UK and EU post Brexit
One of the stated benefits of GDPR is that it establishes a harmonised single legislative regime for data protection across all EU member states.
Whilst the UK will leave the EU, maintenance of that harmonised regime (albeit with some changes) would be helpful in terms of facilitating cross-border trade and allowing the sort of ‘frictionless’ transfers of personal data between the UK and EU that the Government again aspires to. If the UK is to enact specific data protection legislation that puts a UK overlay on GDPR then, depending on what it says, that may have a bearing in UK/EU negotiations as to whether personal data can be transferred freely between the UK and EU (and vice versa).
A decision by the EU to accord the UK status that allows free movement of personal data is not a formality and the European Court of Justice has struck down in the past decisions where it considers that the arrangements concerned do not afford equivalent protection to EU law.
It is encouraging at least, therefore, that the UK Government clearly sees that it will be hugely important that data protection continues to be taken seriously because impediments to the free movement of personal data between the UK and EU are likely to prove a major headache for international businesses operating within a post-Brexit UK.
With that in mind, to encourage international business to operate in the UK, it will be important to create an environment that should make that less – rather than more – likely. The continuation of the stated aim to implement GDPR should undoubtedly help.