Britain’s looming departure from the European Union will have major implications for the future of data regulation, but Minister of State for Digital and Culture Matt Hancock MP suggested yesterday that the content of the General Data Protection Regulation (GDPR) will be reflected in domestic data legislation after Brexit.
The British government will fully implement the GDPR for two key reasons, Hancock explained during a one-off evidence session at the House of Lords EU Home Affairs Sub-Committee.
"Thanks to some significant negotiating successes during its development we think that it is a good piece of legislation in and of itself," he said.
"That’s the first thing. And the second is we are keen to secure the unhindered flow of data between the UK and the EU post-Brexit, and we think that signing up to the GDPR data protection rules is an important part of helping to deliver that."
The GDPR will strengthen the rules for obtaining consent and the need for breach notifications and emphasises self-assessment in the management of data, he added.
It includes a new provision that requires companies to report any data breach to the relevant data protection authorities within 72 hours; the authorities can then judge whether it should be made public or not.
Future data sharing arrangements with the EU
Hancock was reluctant to reveal details of the ongoing negotiations with the EU, but was happy to set out the government’s goals.
"We want an arrangement that provides for the unhindered exchange of data within an appropriate data protection environment," he said.
"We seek not only unhindered data flows but for that to happen in an uninterrupted way. That is to say, the morning that have left the European Union, it’s very important that our data rules work, so there’s an uninterrupted system in place."
He was confident that the UK retained an influential voice on the European Council and that relationships with the other member states remained strong, pointing to its recent role in opposing the principle of data localisation rules as evidence. Crucial to the future of the nation's healthy position would be a full implementation of the GDPR that wouldn’t require the union to change its own regulations.
"The approach that we’ve taken in order to maximise the ease with which we can negotiate an uninterrupted and unhindered flow of data is to put GDPR into UK law in full, so in a sense we are matching them rather than asking them to match anything new from the UK," he said. "We’re starting from a position of harmonisation rather than from a position of difference."
Hancock explained that parts of the Data Protection Act 1998 would need to be repealed to ensure that data processing remains compatible with GDPR requirements and neither duplicates nor contradicts the regulation.
Legislation would be promptly brought forward to put the plans into practice and would be ready to be enforced by May 2018. An impact assessment would be attached to any new legislation introduced.
The minister didn’t foresee a need for major regulatory changes, as the GDPR will be implemented while the UK is still a member of the EU, but he added that there was a possibility of adding flexibility if it didn’t hinder data flow.
If the rest of the EU chose to adjust the rules then the UK would be forced to decide whether to mirror those changes or consider implementing different conditions of its own.
Data protection regulations between the UK and the USA
Another part of the data protection package likely to be mirrored after Brexit is the Law Enforcement Directive. This ensures personal data processed by law enforcement agencies is used lawfully and for specific, explicit and legitimate purposes.
The regulation for EU nations is echoed for data exchanged between transatlantic law enforcement agencies by the EU-US Umbrella Agreement, which Hancock revealed was coming into force that day.
EU-US Privacy Shield is another cross-continental data deal negotiated by the union. The agreement provides stronger obligations and more robust enforcement mechanisms on international companies for data transfer between the EU and the USA, but the future of the deal has been placed in doubt following an alarming new Executive Order from President Donald Trump.
Section 14 of the order, titled "Enhancing Public Safety in the Interior of the United States", suggests that US agencies such as the NSA and FBI could gain access to data about EU citizens.
"Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information," it states.
The European Commission has responded that the Privacy Shield protects the data of EU citizens transferred to the US, but does not apply to data collected there.
Hancock said he was confident of the legal basis for the Privacy Shield, and that it was more legally robust than the Safe Harbour regulations it will replace. He was keen to emphasise the importance of aligning British data needs with American ones.
"The key is not only we’ve got to have a view both on our future position with the EU, but also our future position with other jurisdictions that themselves have high quality data protection regimes — the US being the most obvious example — and make sure that we have free flow of data with them too, which currently we do through the EU, but instead we’ll have to do directly," he said.
"I’m confident that we can come to a successful agreement to make sure that we have the same unhindered flow of data with the United States as we do now."