
UK Introduces Data Protection Bill to Replace GDPR After Brexit

The UK government has announced its plans for a new Data Protection Bill. This was foreshadowed in the Queen’s Speech of 21 June when she announced, “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data.”

This law is, in effect, the European General Data Protection Regulation designed to withstand Brexit. The UK will still be part of the European Union when GDPR comes into effect in May 2018. However, the government is already under great pressure to transpose 40 years of European laws onto the British statute books in time for the actual severance. It makes sense, therefore, to prepare a GDPR-compliant UK law immediately.

The wording of the new Bill is not expected to become public until September. However, the Department for Digital, Culture, Media & Sport yesterday published a 30-page Statement of Intent (PDF) in which the Rt Hon Matt Hancock MP, Minister of State for Digital, explains, “Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.”

It follows, then, that US companies that operate in compliance with the UK Data Protection Bill will (or should) automatically be in compliance with GDPR. The reverse is not necessarily true. For example, while the GDPR requires the use of anonymised or pseudonymised (its own term) personal data, the new DP Bill will: “Create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.”

Since this is new, and we do not yet know the detail of the proposed Bill, it is impossible to tell whether there will be any attempt to make this a worldwide offense. It is difficult, however, to see how it could be enforced in foreign jurisdictions where the company or persons concerned have no direct presence within the UK.

Other new elements include a new offence of altering records with intent to prevent disclosure following a subject access request (punishable by an unlimited fine in England and Wales). Criminal justice agencies (read: law enforcement) will be subject to “A more prescriptive logging requirement applied to specific operations of automated processing systems including collection, alteration, consultation, disclosure, combination and erasure of data, so a full audit trail will be available.”

Another feature that will undoubtedly change will be the ultimate court of appeal in case of dispute. For the GDPR it will be the European Court of Justice (as it will be in the UK until Brexit takes effect). “At Brexit (depending on its nature),” Dr Brian Bandey, a Doctor of Law specializing in international cyber laws, told SecurityWeek, “the GDPR’s effectiveness as a law will terminate. I believe it likely that simultaneously with that event, the new Data Protection Bill will come into force. I expect the whole of the Data Protection Act 1998 will be repealed. It is at that time that the Supreme Court will be the ultimate Court of Appeal with respect to this matter.”

Whether the UK’s Supreme Court will be as aggressive in upholding the constitution (the UK does not have a written constitution in the usual sense of the term) as the European Court has been remains to be seen. David Flint, a senior partner at MacRoberts LLP, does not see a problem. He believes that the overriding motivation behind the new Bill is to ensure smooth ongoing business trading between the UK and the EU. GDPR ‘adequacy’ thus becomes an essential element.

“The fact that UK citizens cannot appeal to the ECJ is arguably a loss,” he told SecurityWeek, “but in practice it is difficult to see how a UK court could or would not take cognizance of the decisions of the ECJ in interpreting the UK Act; were they to diverge in interpretation, again the adequacy finding would be in jeopardy.”

What does seem likely is that not all the ‘optional’ elements of GDPR will be enacted within the new DPB. The Open Rights Group has already issued a statement saying, “We are disappointed that UK Ministers are not taking up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws.”

However, says Flint, “The 2017 UK Data Protection Bill is designed to cover the limited number of instances within the GDPR in which Member States are able to make choices or derogations; issues such as the age of consent for children, for automatic profiling, law enforcement and research. We are told that the UK is adopting a UK solution to these questions.”

It seems, then, that any divergences between the UK Data Protection Bill and the GDPR will largely be limited to UK relevance only. Where US companies are concerned, future post-Brexit trading with the UK will be subject to the same conditions and the same potential fines for non-compliance, as they will be for trading with the European Union under GDPR.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
