UK legislation will mirror EU’s GDPR, says Matt Hancock

The UK plans a full implementation of GDPR and is confident of agreements with the US to ensure uninhibited data exchanges with the EU and US post-Brexit, says digital minister

The UK will replace the 1988 Data Protection Act with legislation that mirrors the European Union’s (EU’s) General Data Protection Regulation (GDPR), digital minister Matt Hancock has confirmed.

“We will be bringing legislation forward in the next [parliamentary] session to put that into practice,” he told the House of Lords EU Home Affairs Sub-Committee.

Answering questions on UK data protection after Brexit, Hancock said the way to ensure the UK can negotiate an uninterrupted and unhindered flow of data with the EU is to put GDPR into UK law.

“In a sense, we are matching them rather than asking them to match anything new from the UK,” he said.

Hancock repeatedly emphasised that unhindered data flows between the UK and EU – including law enforcement and medical research data – are a key goal that the UK government will pursue in the Brexit negotiation process.

He said GDPR would be implemented in full because it is a “decent piece of legislation” due to “significant” UK negotiating successes during its development and because it will help ensure the UK is starting from a position of “harmonisation” rather than a position of difference in Brexit negotiations.

“The reason there are so many questions around data protection is that the EU is moving its own domestic law at the same time as we will be going through the Article 50 process. We have got to make sure that we look at the whole [of the data protection and privacy changes taking place],” he said.

Hancock noted that the GDPR introduces obligations for data controllers and processors in several areas, that it strengthens the rules for obtaining consent and for breach notification, and that it emphasises self-assessment in the management of data.

He said he was confident that the strategy of implementing the GDPR fully would ensure the UK achieves its goal of free data flows with the EU post-Brexit in an appropriate data protection environment, but declined to give any details of what other arrangements the UK might seek to put in place.

“We have got to go through a negotiating process and, as the prime minister put it, we are not going to give a running commentary on that,” he said.

However, Hancock noted that the UK not only has to consider its future position regarding data exchanges with the EU, but also with other jurisdictions that have “high-quality data protection regimes”, such as the US.

Post-Brexit, he said the UK will need a set of global relationships, and the UK government will be able to decide what changes to make domestically given everybody else’s position.

“If we need to respond to changes, we will be able to, as opposed to being dictated to by the European system [of data protection],” he said.

He later added that the UK government is considering all the options regarding the most beneficial way of ensuring that the UK data protection regime supports UK business in the global economy.

Hancock said his department was “fully resourced” to deliver GDPR compliance inside government, while outside government GDPR compliance will bring some requirements on companies, which is a good thing considering the increasing importance of data in business activities.

“The requirements are consistent with best practice for handling data, so companies that handle data appropriately, have good cyber security arrangements and respect the privacy of those whose data they hold should not find this much of a burden, but it will require some companies that do not have best practice to come up to speed,” he said.

Commenting on the role of the UK Information Commissioner’s Office (ICO), Hancock said it had changed a lot in the past 20 years and would undoubtedly continue to evolve in the future.

“The ICO has been a world leader in ensuring the rules and the framework around data are kept up to speed and I am sure it will continue to do so,” he said.

Hancock confident in Privacy Shield framework

Hancock said the UK has been a strong supporter of the Privacy Shield framework for exchanges of personal data between the EU and the US.

Privacy Shield was developed in consultation with the US to replace the Safe Harbour agreement, which was declared invalid by the Court of Justice of the European Union (CJEU).

“Making sure the business between the UK and the US can take place post-Brexit is an important consideration for the government,” said Hancock, adding that he was “confident” that the UK will come to an agreement that will ensure the current unhindered exchange of data with the US continues.

Responding to questions about the future of Privacy Shield in the light of current legal challenges to the framework by Irish privacy advocates Digital Rights Ireland and French digital rights group La Quadrature du Net, Hancock said he was confident the challenges would not succeed.

“We are also confident of the legal basis of the Privacy Shield framework,” he said, adding that the new system is more legally robust than Safe Harbour because it was set up in response to the challenge that led to Safe Harbour being declared invalid.

Commenting on the EU-US Umbrella Agreement signed in June 2016 to strengthen safeguards for the protection of personal data exchanged between EU and US law enforcement authorities, Hancock said 1 February 2017 marked the implementation of the agreement.

“Data sharing in the response to increasingly mobile threats is a critical part of our defences and security arrangements and the importance of security agencies working together across borders to share information to protect the public will not be changed by Brexit,” he said.

“Data sharing with international partners, both inside the EU and outside of it, will remain a top UK priority and we expect to continue to play a leading role after Brexit. There is a strong desire to get this right and get a deal that works with the EU and other countries around the world.”

Finally, responding to a question about the UK’s new Investigatory Powers Act, Hancock said the UK government is confident the legislation is consistent with the GDPR, but declined to comment any further because legal proceedings in this regard were still underway.
