A revised data protection law forms part of the new government’s legislative agenda for the UK. Key points in the Queen’s Speech on 21 June 2017 were that a new UK Data Protection Bill (the Bill) will replace the current Data Protection Act 1998; the new Bill will implement the EU General Data Protection Regulation (GDPR) in the UK (a fact that the party manifestos were silent on before the election); and the government intends to put the UK in the best position to maintain data sharing across the EU and internationally. These points remained unchallenged in the subsequent parliamentary debates, and the government’s express intention to implement the GDPR through national law in the UK was welcomed by many businesses.
What will be included in the Bill?
The notes to the Queen’s speech explained that the Bill would:
- Implement the GDPR, meeting the UK’s obligations whilst still in the EU and then internationally after Brexit.
- Require major social media platforms to delete information held about individuals at the age of 18.
- Ensure that the UK data protection framework is suitable for the new digital age.
- Strengthen the position of the UK in relation to technological innovation, international data sharing and the protection of personal data.
- Enable police and judicial authorities to continue to exchange information quickly and easily with international partners in the fight against terrorism and other serious crimes.
- Update the powers and sanctions available to the UK data protection regulator (the Information Commissioner’s Office / ICO).
Impact on international Personal Data transfers?
The briefing paper published last week by the House of Commons set out the UK government’s and regulator’s views on the issue of transfers of personal data between the UK and EU after the UK leaves the EU.
For the purposes of international personal data transfers, leaving the EU means that the UK becomes a “third country”. Therefore personal data (i.e. data relating to a living individual) cannot be transferred from EU member states to the UK without the UK having a determination of “adequacy” from the European Commission, or safeguards being put in place (such as standard contractual clauses approved by the European Commission). Both the relevant Minister and the the ICO have indicated that they would prefer the UK to be granted a determination of adequacy by the European Commission, although they note this will be part of the Brexit negotiations. There have also been concerns that UK surveillance powers under the Investigatory Powers Act 2016 might compromise the UK’s chances of securing an adequacy decision.