With holiday season upon us, earlier this week Matt Hancock, the UK Government’s Digital Minister, announced proposals for a new UK data protection law. Previously covered on this blog here and here, little new of substance was announced, but in a slow news week, the announcement garnered significant UK media coverage and attention. 

In his press release, Mr Hancock said:

The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”


It appears that the new law will mainly copy into UK law the European General Data Protection Regulation (GDPR) which comes into force in the UK next year and which, absent Brexit, would have been directly effective in the UK. The following principles in this week’s press release reflect similar provisions to those in the GDPR:

  • Making it simpler to withdraw consent for the use of personal data
  • Enabling people to ask for their personal data held by companies to be erased
  • Expanding the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
  • Making it easier for customers to move data between service providers
  • Enabling parents and guardians to give consent for their child’s data to be used

However, the announcement does not address Brexit related issues such as how the UK regime will enable data transfers to and from the EU post-Brexit, discussed here, as this will depend on the nature of Brexit and any transitional arrangements.