New UK Data Protection Act not welcomed by all

Legislation makes the UK one of the first countries to implement the GDPR in local law, but some have criticised it as a “lost opportunity”

Information commissioner Elizabeth Denham has welcomed the UK’s Data Protection Act 2018, which has been given Royal Assent after nearly a year of debate and consultation to provide a new privacy regime for the UK alongside the EU’s General Data Protection Regulation (GDPR).

The legislation is essentially the UK’s version of the GDPR and is a key part of the government’s strategy to ensure the free flow of data between the EU and the UK after Brexit.

The simplest way to achieve this is through an adequacy agreement in which the European Commission recognises a third country as having equivalent data protection standards to those applied in the EU.

However, the UK’s Brexit withdrawal agreement negotiation team has revealed that it is pressing for a new model that goes beyond the standard adequacy agreement and recognises the unique economic and security relationship between the UK and EU, ensuring ongoing data protection collaboration.

Specifically, the proposal calls for granting the Information Commissioner’s Office (ICO) an “appropriate role” on the European Data Protection Board and giving UK businesses and consumers assurances that they are effectively represented under the EU’s one-stop-shop mechanism for resolving data protection disputes.

As the data protection authority for the UK, Denham said her office is “eager to embrace the changes it brings” and begin regulating the new UK and EU legislation that, from 25 May, will make the UK one of the “world’s most progressive data protection regimes”.

The new legislation replaces the Data Protection Act 1998, which “failed to account for today’s internet and digital technologies, social media and big data”, Denham wrote in a blog post.

She said the new Act updates data protection laws in the UK and sits alongside the GDPR. “The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR,” she added.

The UK’s growing digital economy relies on consumer trust to make it work, said Denham, adding that the Act, along with the GDPR, provides a modernised, comprehensive package to protect people’s personal data in order to build that trust.

“The new laws provide tools and strengthened rights to allow people to take back control of their personal data,” she said.

The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data, with serious sanctions and fines for those that deliberately or negligently misuse data.

“And although the ICO will be able to impose much larger fines, this law is not about fines,” said Denham. “It’s about putting the consumer and citizen first.

“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018.

“Effective data protection requires clear evidence of commitment and ongoing effort. It’s an evolutionary process for organisations. No business, industry sector or technology stands still. Organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018.”

But organisations are not alone, said Denham, because the ICO is there to help with guidance, tools, advice and education.

She also highlighted the commercial advantage of complying with the new data protection rules. “Governed by these laws, organisations will have the incentive and the opportunity to put people at the heart of their data services,” she said. “Being fair, clear and accountable to their customers and employees, organisations large and small will be able to innovate with the confidence that they are building deeper digital trust.”

Privacy International said the new Data Protection Act is an “important reform” that strengthens the rights of individuals and increases obligations for industry.

“The Act opens the way for the application of the GDPR in the UK, and regulates the processing of personal data by companies, public authorities, law enforcement and intelligence agencies,” said Tomaso Falchetta, head of advocacy and policy at Privacy International. “We particularly welcome increased powers for the information commissioner.”

But Falchetta said the rights organisation “deeply regrets that despite concerns raised by Privacy International and other civil society groups, the UK government has decided to introduce wide exemptions that undermine the rights of individuals, particularly with a wide exemption for immigration purposes and on the ever-vague and all-encompassing national security grounds”.

He added: “This represents a lost opportunity to adopt a modern and future-proof data protection law in the UK. It will not only open this new law to challenges in courts, but it puts at serious risk the free flow of data with the EU, once Brexit takes effect.”

These aspects of the Data Protection Act and the UK’s controversial Investigatory Powers Act could be an impediment to achieving an adequacy agreement for free data exchanges with the EU post-Brexit, according to Eduardo Ustaran, partner and European head of data protection at law firm Hogan Lovells.

“There is a whole new section on surveillance and investigatory powers of law enforcement and national security officers in documentation from the Article 29 Working Party that advises the European Commission on adequacy matters,” he told the IAPP Data Protection Intensive conference in London.

Ustaran said the “rather strong” powers set out in UK legislation in that respect introduce some tension with the limits on interference with the rights of individuals that the EU would demand. “And that could be a sticking point,” he added.

Privacy International said it will publish a final assessment of the Act in the coming weeks.
