kamasigns - Fotolia
The UK will replace the 1988 Data Protection Act with legislation that mirrors the European Union’s (EU’s) General Data Protection Regulation (GDPR), digital minister Matt Hancock has confirmed.
“We will be bringing legislation forward in the next [parliamentary] session to put that into practice,” he told the House of Lords EU Home Affairs Sub-Committee.
Answering questions on UK data protection after Brexit, Hancock said the way to ensure the UK can negotiate an uninterrupted and unhindered flow of data with the EU is to put GDPR into UK law.
“In a sense, we are matching them rather than asking them to match anything new from the UK,” he said.
Hancock repeatedly emphasised that unhindered data flows between the UK and EU – including law enforcement and medical research data – is a key goal that the UK government will pursue in the Brexit negotiation process.
He said GDPR would be implemented in full because it is a “decent piece of legislation” due to “significant” UK negotiating successes during its development and because it will help ensure the UK is starting from a position of “harmonisation” rather than a position of difference in Brexit negotiations.
“The reason there are so many questions around data protection is that the EU is moving its own domestic law at the same time as we will be going through the Article 50 process. We have got to make sure that we look at the whole [of the data protection and privacy changes taking place],” he said.
Hancock noted that the GDPR introduces obligations for data controllers and processors in several areas, that it strengthens the rules for obtaining consent and for breach notification, and that it emphasises self-assessment in the management of data.
He said he was confident that strategy of implementing the GDPR fully would ensure the UK achieves its goal of free data flows with the EU post-Brexit in an appropriate data protection environment, but declined to give any other details of what other arrangements the UK might seek to put in place.
“We have got to go through a negotiating process and, as the prime minister put it, we are not going to give a running commentary on that,” he said.
However, Hancock noted that the UK not only has to consider its future position regarding data exchanges with the EU, but also with other jurisdictions that have “high-quality data protection regimes”, such as the US.
Post-Brexit, he said the UK will need a set of global relationships, and the UK government will be able to decide what changes to make domestically given everybody else’s position.
“If we need to respond to changes, we will be able to, as opposed to be being dictated to by the European system [of data protection],” he said.
He later added that the UK government is considering all the options regarding the most beneficial way of ensuring that UK data protection regime supports UK business in the global economy.
Read more about GDPR
- Businesses dealing with EU citizens’ data urged to ensure they are on track to comply with the GDPR in less than 16 months, as the world marks Data Protection Day 2017.
- The Information Commissioner’s Office (ICO) has set out its plans for publishing guidance on the EU General Data Protection Regulation (GDPR).
- The Information Commissioner’s Office is to publish a revised timeline for the UK implementing the EU’s General Data Protection Regulation after Brexit.
- Business demand for consumer identity management capability is growing to enable new business models and improve customer engagement.
Hancock said his department was “fully resourced” to deliver GDPR compliance inside government, while outside government GDPR compliance will bring some requirements on companies, which is a good thing considering the increasing importance of data in business activities.
“The requirements are consistent with best practice for handling data, so companies that handle data appropriately, have good cyber security arrangements and respect the privacy of those whose data they hold should not find this much of a burden, but it will require some companies that do not have best practice to come up to speed,” he said.
Commenting on the role of the UK Information Commissioner’s Office (ICO), Hancock said it had changed a lot in the past 20 years and would undoubtedly continue to evolve in the future.
“The ICO has been a world leader in ensuring the rules and the framework around data are kept up to speed and I am sure it will continue to do so,” he said.
Hancock confident in Privacy Shield framework
Hancock said the UK has been a strong supporter of the Privacy Shield framework for exchanges of personal data between the EU and the US.
“Making sure the business between the UK and the US can take place post-Brexit is an important consideration for the government,” said Hancock, adding that he was “confident” that the UK will come to an agreement that will ensure the current unhindered exchange of data with the US continues.
Responding to questions about the future of Privacy Shield in the light of current legal challenges to the framework by Irish privacy advocates Digital Rights Ireland and French digital rights group La Quadrature du Net, Hancock said he was confident the challenges would not succeed.
“We are also confident of the legal basis of the Privacy Shield framework,” he said, adding that the new system is more legally robust than Safe Harbour because it was set up in response to the challenge that led to Safe Harbour being declared invalid.
Read more about EU-US Privacy Shield
- The transatlantic data transfer framework has been approved, but will need more fine-tuning in the first joint review in a year’s time, says the Article 29 Working Party.
- Ireland faces legal challenge over the independence of its data commissioner in the wake of the scrapping of the Safe Harbour data protection agreement.
- Dublin court case on the legality of Facebook’s data transfers to the US raises issues that affect US national security, claims US Department of Justice.
- User demand for locally hosted cloud services prompts cloud firms and infrastructure providers to rapidly take up datacentre space in Europe, CBRE research shows.
Commenting on the EU-US Umbrella Agreement signed in June 2016 to strengthen safeguards for the protection of personal data exchanged between EU and US law enforcement authorities, Hancock said 1 February 2017 marked the implementation of the agreement.
“Data sharing in the response to increasingly mobile threats is a critical part of our defences and security arrangements and the importance of security agencies working together across borders to share information to protect the public will not be changed by Brexit,” he said.
“Data sharing with international partners, both inside the EU and outside of it, will remain a top UK priority and we expect to continue to play a leading role after Brexit. There is a strong desire to get this right and get a deal that works with the EU and other countries around the world.”
Finally, responding to a question about the UK’s new Investigatory Powers Act, Hancock said the UK government is confident the legislation is consistent with the GDPR, but declined to comment any further because legal proceedings in this regard were still underway.