If you think that the UK’s referendum result will mean the end of the UK’s familiar Data Protection Act, then you are likely to be mistaken. The original Data Protection Act 1984 was passed because Prime Minister, Margaret Thatcher, was anxious that the UK should not lose out on winning data processing contracts involving personal data. The iconic year, 1984, after the title of George Orwell’s book, was convenient as a symbolic gesture to the privacy/civil rights advocates. But in reality, it was a rather weak law far from the stronger individuals’ rights and organisations’ duties that the UK adopted after implementing the European Community’s Data Protection Directive in 1995.
Chief Executive, Privacy Laws & Business
This is a follow up to Stuart’s previous article When will the EU Data Protection Regulation enter into force?
The UK’s withdrawal from the European Union will not happen for at least two years. Meanwhile, as the EU Data Protection Regulation has been adopted, the UK will need to keep up with its main requirements as a condition of trading with the EU Member States.
The options for the UK are theoretically:
- the EU DP Regulation is adopted in full
- after Brexit, something very similar will be enacted, to ensure that the UK continues to be an “adequate” regime for receipt of data transfers from EU countries
- the UK continues with the Data Protection Act 1998 with no change.
Options 1 and 3 are less likely than option 2. Everyone agrees that the UK will keep trading with the EU so some degree of compatibility is essential. Option 2 delivers the method to do so with the following next steps:
- The European Commission has a programme to assess the “adequacy” of non-EU countries from the data protection law perspective. The UK could apply for an “adequacy” declaration, the next country on the list after South Korea
- The UK could apply for an arrangement similar to that enjoyed by the USA. The former failed scheme called “Safe Harbor” was declared illegal by the Court of Justice of the European Union. Now the European Commission and the US authorities have negotiated a stronger “EU-US Privacy Shield” adopted by the European Commission on Monday 11th July. But that is also likely to be subject to a similar legal challenge.
In short, permission based marketing is here to stay whatever the legal regime.
Minister for Data Protection outlines the government’s position
The Minister responsible for UK data protection law policy, Baroness Neville-Rolfe BDE CMG, addressed Great Expectations, the Privacy Laws & Business 29th Annual International Conference in Cambridge on Monday 4 July. Her session title was ‘The EU Data Protection Regulation Package – the UK government’s perspective.’
She has now published her speech online, mentioning Privacy Laws & Business, at https://www.gov.uk/government/speeches/the-eu-data-protection-package-the-uk-governments-perspective. Her statements include the following:
“ ‘Protection’ should be about respect for individuals and the personal information they share in good faith. That should shift the focus in the board room from a technical issue to a reputational and commercial one.”
“One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward.”
“We are fortunate to have a new Information Commissioner, a Canadian, Elizabeth Denham who starts here this month. I know she will bring a zest and a wealth of experience to the role and to this time of change.”
“Throughout the negotiations, the UK Government has been urging both the [European] Commission and the US to conclude negotiations on this new legally robust [EU-US Privacy Shield] adequacy decision, in order to provide clarity to the businesses that transfer data from the EU to the US, and to reassure citizens that their rights will be upheld in the new agreement. All of our discussions with the Commission and the US have recognised the need to strike the balance between commercial interests and fundamental rights.”
The UK’s new Information Commissioner, Elizabeth Denham, was until 6th July Information and Privacy Commissioner for British Columbia, Canada. She started work at her office in Wilmslow, near Manchester, on Monday 18th July. Although she is more experienced in this role than her four predecessors, Commissioner Denham will need all her skills to navigate the UK’s way through the rough waters ahead. The high standard of the EU Data Protection Regulation is on one side, to which the UK is legally committed while still a member of the European Union. On the other side is a wish by companies that she exercises her discretion with some pragmatism on the 30 or so points which can be decided by national Data Protection Authorities.
Readers can e-mail him at [email protected] for Privacy Laws & Business’s report on the hearing on 28th April by the House of Commons Select Committee for Culture, Media and Sport which led directly to confirmation of Elizabeth Denham’s appointment the next day.
Stewart Dresner has written on data protection/privacy and freedom of information since 1975 when he initiated a research project on this subject at the UK Consumers Association. He established Privacy Laws & Business in 1987. Its first service was the Privacy Laws & Business International Newsletter which has now developed to become the hub of a comprehensive global information service, currently on 120+ countries. Privacy Laws & Business services include consulting, conferences, training, recruitment, the Privacy Laws & Business UK Report (which also covers the Freedom of Information Act), and the Privacy Officers Network. Privacy Laws & Business has clients in over 50 countries. Stewart has spoken on data protection/privacy law at conferences in around 20 countries. The Privacy Laws & Business website, www.privacylaws.com provides details of the firm’s services and links to privacy information worldwide.
Copyright Stewart Dresner, Chief Executive, Privacy Laws & Business