dade72 - Fotolia

Hancock sure UK will obtain and maintain EU data protection adequacy

Minister for digital tells Lords committee he is confident the UK will obtain and maintain “adequacy” for smooth data transfers with the EU after Brexit

Matt Hancock, minister of state for digital at the Department for Culture, Media and Sport, revealed a taste for musical theatre when he appeared before a committee hearing on Brexit and data protection in the House of Lords on 20 December.

Hancock told the committee he was having to give up his ticket for the gala opening of stage musical Hamilton in order to vote in the House of Commons on the EU Withdrawal Bill that evening.

He also made an opening statement, saying that “cross-party support for the Data Protection Bill is important because there is a very strong degree of consensus around the aim – which is a high-quality data protection regime with unhindered free flow of data between the UK and adequate other countries, notably the EU upon exit”.

The Lords EU home affairs subcommittee held a one-off evidence session, revising its inquiry, Brexit: the EU data protection package, looking at the next phase of negotiations between the UK and the EU.

The inquiry itself has examined the implications for data transfers between the UK and the EU after Brexit and the options available for securing uninterrupted data flows across four elements of EU data protection – the General Data Protection Regulation (GDPR), the Police and Criminal Justice Directive (PCJ), the EU-US Privacy Shield, and the EU-US Umbrella Agreement.

The report was published in July 2017. At that time, the committee highlighted the lack of detail in government plans to deliver uninterrupted flows of data and warned that any arrangement that resulted in greater friction could present a non-tariff trade barrier that would put the UK at a competitive disadvantage and hinder police and security cooperation.

Hancock told the committee that the GDPR was a “good law”, significantly based on UK input, and that the UK should easily attain EU data protection adequacy status. But he said he was limited in what he could say about the data flow side of the second phase of the negotiations because “we have not seen the EU’s negotiating mandate yet”.

A focus for the committee is how police and security data transfers will be treated alongside commercial data transfers. Will they be treated in one comprehensive agreement, as recommended by information commissioner Elizabeth Denham when testifying before the Commons home affairs committee recently.

Hancock said in response: “We take the ICO’s [Information Commissioner’s Office] advice seriously, and I can see the attractions to that. But having said that, the EU has yet to publish its negotiating mandate, and so we are not in a position to answer that concretely.”

Read more about data sharing and Brexit

Later, in response to a question from Lord Condon about the timescale for the UK attaining the status of “adequate” from the EU in relation to its data protection regime, Hancock said: “It is critical that we have uninterrupted, unhindered free flow of data for the UK and the EU. This is where the time-limited implementation period [after the Brexit date in March 2019] is important.

“Adequacy is not the only way of ensuring the unhindered, free flow of data. We are also proposing, at a technical level, that the ICO continues to be involved to make sure that UK expertise in this area, which is very great, continues to inform EU decisions.”

In response to a question from Lord Kirkhope about how adequacy will be maintained after leaving the EU as the UK will no longer accept the competence of the European Court of Justice, Hancock said: “We won’t be accepting the direct application of the ECJ, but I am confident the UK will be in a good place because data protection standards in the UK will be significantly higher and more aligned with the EU than other countries that have adequacy already. The GDPR is a good law, heavily influenced by the UK Data Protection Act.”

Annual check

Hancock said later that part of any adequacy decision would be an annual check by the European Commission, but it “would not be directly applied”, as it is now.

“What we would not want is for the UK to become a passport for inadequate third countries,” he said. “Hence the [importance of the] expanding global areas that have adequacy [in the eyes of the EU].”

In response to a question from Lord Watts about what framework would underpin data protection rights once the UK leaves the EU, and so will be outside the Charter of Fundamental Rights, Hancock said: “The legal framework will be the Data Protection Bill plus the GDPR, which will be brought into domestic law by the passage of the Withdrawal Bill. The Data Protection Bill is the full spectrum of data protection for intelligence, law enforcement, personal data that is currently under the jurisdiction of the EU, and that which is not.”

The minister confirmed that the Department for Culture, Media and Sport had hired a body of people to ensure the mechanics of that “full spectrum” British data protection regime will be enforced.

As the session concluded, Lord Kirkham, “speaking as a thespian”, offered to “represent the minister at this very important production of Hamilton”, amid much festive jollity.

There is a touch of the David Camerons about Matt Hancock. There is the manifest good manners and  a similar educational background at one of the more down-to-earth Oxford University colleges – Brasenose in Cameron’s case, Exeter in Hancock’s. And, it almost goes without saying, the same undergraduate course, PPE [philosophy, politics, and economics]. Might this “digital minister”, this son of the software industry be destined for higher things?

Read more on Privacy and data protection