The UK government has announced its plans for a new Data Protection Bill. This was foreshadowed in the Queen’s Speech of 21 June when she announced, “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data.”
This law is, in effect, the European General Data Protection Regulation designed to withstand Brexit. The UK will still be part of the European Union when GDPR comes into effect in May 2018. However, the government is already under great pressure to transpose 40 years of European laws onto the British statute books in time for the actual severance. It makes sense, therefore, to prepare a GDPR-compliant UK law immediately.
The wording of the new Bill is not expected to become public until September. However, the Department for Digital, Culture Media & Sport yesterday published a 30 page Statement of Intent (PDF) in which The Rt Hon Matt Hancock MP, Minister of State for Digital, explains, “Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.”
It follows, then, that US companies that operate in compliance with the UK Data Protection Bill will (or should) be automatically in compliance with GDPR. The reverse is not necessarily true. For example, while the GDPR requires the use of anonymized or pseudonymised (its own term) personal data, the new DP Bill will: “Create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.”
Since this is new, and we do not yet know the detail of the proposed Bill, it is impossible to tell whether there will be any attempt to make this a worldwide offense. It is difficult, however, to see how it could be enforced in foreign jurisdictions where the company or persons concerned have no direct presence within the UK.
Other new elements include a new offence of altering records with intent to prevent disclosure following a subject access request (with an unlimited fine in England and Wales); while criminal justice agencies (read law enforcement) will have “A more prescriptive logging requirement applied to specific operations of automated processing systems including collection, alteration, consultation, disclosure, combination and erasure of data, so a full audit trail will be available.”
Another feature that will undoubtedly change will be the ultimate court of appeal in case of dispute. For the GDPR it will be the European Court of Justice (as it will be in the UK until Brexit takes effect). “At Brexit (depending on its nature),” Dr Brian Bandey, a Doctor of Law specializing in international cyber laws, told SecurityWeek, “the GDPR’s effectiveness as a law will terminate. I believe it likely that simultaneously with that event, the new Data Protection Bill will come into force. I expect the whole of the Data Protection Act 1998 will be repealed. It is at that time that the Supreme Court will be the ultimate Court of Appeal with respect to this matter.”
Whether the UK’s Supreme Court will be as aggressive in upholding the constitution (the UK does not have a written constitution in the usual sense of the term) as has the European Court, remains to be seen. David Flint, a senior partner at MacRoberts LLP, does not see a problem. He believes that the overriding motivation behind the new Bill is to ensure smooth ongoing business trading between the UK and the EU. GDPR ‘adequacy’ thus becomes an essential element.
“The fact that UK citizens cannot appeal to the ECJ is arguably a loss,” he told SecurityWeek, “but in practice it is difficult to see how a UK court could or would not take cognizance of the decisions of the ECJ in interpreting the UK Act; were they to diverge in interpretation, again the adequacy finding would be in jeopardy.”
What does seem likely is that not all the ‘optional’ elements of GDPR will be enacted within the new DPB. The Open Rights Group has already issued a statement saying, “We are disappointed that UK Ministers are not taking up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws.”
However, says Flint, “The 2017 UK Data Protection Bill is designed to cover the limited number of instances within the GDPR in which Member States are able to make choices or derogations; issues such as the age of consent for children, for automatic profiling, law enforcement and research. We are told that the UK is adopting a UK solution to these questions.”
It seems, then, that any divergences between the UK Data Protection Bill and the GDPR will largely be limited to UK relevance only. Where US companies are concerned, future post-Brexit trading with the UK will be subject to the same conditions and the same potential fines for non-compliance, as they will be for trading with the European Union under GDPR.