A common sense approach to UK data protection

If it is true that uncertain times lie ahead for the UK, the past year has been a good warm up. Following the shock result of the Brexit referendum a year ago, we have witnessed a change of government, an endless and sometimes fierce debate about the shape that Brexit should take, an alarming increase in hate crime, a full blown legal challenge about which UK institution has the final say, a slightly subdued parliamentary debate and a general election. In the meantime, the government has been – perhaps understandably – coy to reveal its Brexit cards and as a result, both business and citizens have been left guessing how things will turn out. The same is true of the future of UK data protection. Or at least it was until the recent Queen Speech.

According to the bold statement made by Her Majesty to parliament and the country on 21 June, a new law will ensure that the United Kingdom retains its world-class regime protecting personal data. This means that the government is keen to show it understands the importance of having a robust data protection framework for the prosperity of the country. So during this legislature, the UK will pass a new Data Protection Act replacing the existing one. If anything, this is an acknowledgment by the UK government that privacy and data protection are regarded as a political and legislative priority.

The stated aim of the new law is to make the UK's data protection regime suitable for the digital age, allowing citizens to better control their data. This development is in line with the Conservative Party's manifesto commitments to give people new rights to “require major social media platforms to delete information held about them at the age of 18” and to “bring forward a new data protection law”. In addition, the law is meant to allow police and judicial authorities to continue to exchange information internationally in the fight against terrorism and other serious crimes.

Perhaps more importantly, the UK government has confirmed that the new law will implement the EU General Data Protection Regulation ('GDPR') and the Directive which applies to law enforcement data processing. This will of course allow the UK to meet its obligations while it remains an EU Member State. But crucially, the government believes that this approach will help put the UK in the best position to maintain its ability to share data with other EU Member States and internationally after Brexit. If the UK is to remain hopeful of being deemed as a safe jurisdiction for personal data imported from the EU, it is beyond doubt that as a starting point the UK must align itself with the GDPR, so this is certainly the right way to go.

As part of this exercise, the Information Commissioner will be granted new powers, including in relation to sanctions. In practice, the ability of the UK Information Commissioner to function at the same level as her EU counterparts will be one of the critical aspects of the operation of the new law. The benefits of ensuring this go beyond the mere freedom of movement of data between the EU and the UK, and if the government is truly ambitious in this respect, it should be aiming for UK companies and organisations to be able to benefit from the 'one stop shop' provisions under the GDPR.

All in all, the formal announcement by the UK government of its decision to push ahead with the GDPR's implementation provides a much welcome dose of certainty. Any UK company that has been making plans to comply with the GDPR will feel vindicated and on track. Those which have been more cautious about investing their efforts in that direction should now devote their compliance energies to doing so. Considering also that UK data protection law has been in existence for well over 30 years, it is comforting to know that despite the considerable political turbulence that Brexit is causing, the government is applying common sense to this important area of law. It is obvious that the UK government is conscious of the huge value of international data sharing, which is clearly one of the drivers for this approach, but by making the right to data protection a legislative priority, it is also fulfilling a key democratic duty.

This article was first published in Data Protection Leader in June 2017.