kamasigns - Fotolia

GDPR good for UK business and economy, experts tell Lords’ committee

Adopting GDPR is good business practice and will put the UK on a good footing post Brexit, but getting an EC data protection adequacy ruling could be challenging due to bulk data collection provisions in the Investigatory Powers Act, experts warn

Implementation of the European Union’s (EU’s) General Data Protection Regulation (GDPR) makes good commercial sense, according to a panel of data protection experts.

Asked what changes they would like to see after Brexit, they told the House of Lords EU Home Affairs Sub-Committee that as a start point they would like to see the GDPR in operation to an adequate level.

“That is critically the most important thing for business commercially,” said Rosemary Jay, senior consultant attorney at legal firm Hunton & Williams.

“We should look for the positives in the framework to look at what we can do in the right rather than trying to avoid the regulation because it offers protection for individuals and a framework for business in a digital world,” she said.

Stewart Room, head of legal data protection and cyber security at PricewaterhouseCoopers (PwC), said the GDPR essentially provides a code for good business practices in handling personal data.

“Stripping out the legal components and enforcement mechanisms, we find in the GDPR a framework that most businesses would agree as being necessary for data handling.

“As far as consumers are concerned, the GDPR gives more rights over personal data, such as greater right to transparency and a greater right to intervene in the operation of business if they have concerns [about their personal data],” he said.

The GDPR also includes mandatory breach disclosure that will help consumers to understand serious incident concerning confidentiality and security, and it acts as a transparency mechanism as well as a mechanism to help those affected mitigate any harm.

Goal is free data flow, says Hancock

Room said in the light of the fact that certainty is important for business, having a “GDPR Act” post-Brexit where the legislation is transposed verbatim is going to be a “significant advantage”.

This view is consistent with the UK government view expressed by digital minister Matt Hancock, who faced questions from the same sub-committee in February 2017 on how best to ensure there are unhindered flows of data between the UK and the EU after Brexit.

He told the sub-committee that the UK will replace the 1988 Data Protection Act with legislation that mirrors the GDPR, saying he was confident that this strategy would ensure the UK achieves its goal of free data flows with the EU post-Brexit.

In addition to GDPR-like legislation, Room said it is also important for the Information Commissioner’s Office (ICO) as the UK privacy regulator to remain relevant and penetrative as well as being able to lead.

“We need to ensure that our regulator is sufficiently resourced in terms of skill and capability so that no-one can levy the charge that the [UK] data protection regulation is not working in operations,” he said.

Lack of EC approval could lead to UK criticism

Room said one problem with not having a data protection adequacy decision by the European Commission (EC) is that it can provide a platform for other countries to criticise the UK and present challenges to the UK’s adequacy.

Asked whether avoiding legal challenges is the only reason that an adequacy decision is important, he said multinational companies want to build to a common standard and they want certainty.

“An adequacy decision provides that certainty to business and the economy that UK law is accepted as being of the right nature and right properties, which is the critical dynamic from a commercial point of view,” said Room.

However, the panel pointed out that it could take two to three years for the EC to complete the formal legislative process whereby the UK, as a third-party country post-Brexit, is deemed to have an adequate data protection regime in terms of legislation, custom and practice.

“Once out of the EU, like the other countries that do not have an EC adequacy decision, the UK will have to rely on a range of mechanisms to maintain the flow of data such as the European Union’s standard contractual clauses [SCCs],” said Room.

“Individual companies would have to look at using the SCCs to create contractual relationships with their business partners in Europe, but for multinational groups of companies there is a mechanism called BCRs or binding corporate rules – that allows multinationals to share data across the group globally.”

By pursuing GDPR-like legislation to replace the 1988 UK Data Protection Act, the panel agreed the UK would be in a good position in terms of commercial data exchanges.

Legal rulings around data protection

However, Valsamis Mitsilegas, professor of European criminal law at Queen Mary University of London, said the UK could encounter problems in the area of law enforcement.

“In the field of law enforcement things become more complicated because even if the UK wanted to move into bilateral agreements, when EU member states act externally [they] are bound by EU law.

“This means they cannot co-operate with third countries if these countries are not perceived to provide an equivalent level of protection,” he said.

Mitsilegas later referred to the December 2016 ruling by the EU Court of Justice (CJEU) in a case brought by UK Labour member of Parliament (MP) Tom Watson against the Data Retention and Investigatory Powers Act (Dripa), saying this may affect the UK’s ability to get an adequacy ruling.

The CJEU ruled that the UK government was breaking the law by indiscriminately collecting the nation’s internet activity and phone records and letting hundreds of public bodies grant themselves access to these personal details with no suspicion of serious crime and no independent sign-off, effectively rendering significant parts of the Investigatory Powers Act unlawful.

“Adequacy will also be seen in terms of domestic UK law. In the case of private companies and data protection regulation, it is very likely that we will see a level playing field. But in the field of security there may be challenges for the UK because of perceptions that UK data protection law is of a lower standard as determined by the CJEU,” said Mitsilegas.

“In the field of security, there are concerns about the UK, which was found in breach of EU law in the Watson case on the topic of mass surveillance relating the bulk collection of personal data and the transfer of this data to law enforcement authorities. This is a red line for the EU – and, as long as you have domestic law that allows mass surveillance, you will have problems with EU law,” he said.  

His comments come as the civil rights group Liberty confirms that it has begun its legal challenge to the bulk surveillance powers in the Investigatory Powers Act, setting in motion a judicial review

Read more about GDPR

Read more on Privacy and data protection