June 23rd 2016 has become a remarkable day in the history of the United Kingdom, with a majority of 51.9% of the UK voters expressing their agreement on the country’s departure from the European Union. In March 2017, UK Prime Minister Theresa May invoked Article 50 of the Treaty on the European Union (TEU), officially starting the formal two-year negotiation phase in advance of the UK’s withdrawal from the Union.
For the time being, it is not yet clear what the outcome of the exit negotiations will bring, causing uncertainty about the future of the United Kingdom and its future relations with Europe. This also affects the UK’s data protection framework, setting the conditions of processing personal information within the country and also for cross-border data transfers in and out of the EU.
However, in August 2017, UK Minister of State for Digital, Matt Hancock, announced the newest plans of the British government to reform the UK data protection framework, calling for feedback on the government’s intentions.
At the moment, there is no concrete bill draft proposed for the legislative process. Nonetheless, an outline describing the intentions of the government already revealed some details of interest for companies and industries concerned with personal data processing when doing business in and with the UK.
The key points of the announcement so far are:
- The almost twenty-year-old UK Data Protection Act will be repealed by a future UK Data Protection Bill, which will align very closely to the new EU data protection framework.
- The new UK Data Protection Bill will cover several areas of application, namely the
  - Private sector, aligning closely to the EU General Data Protection Regulation (GDPR),
  - Law enforcement sector, aligning closely to the EU Police Data Protection Directive (Directive (EU) 2016/680)
  - National Security field, aligning closely to the revised Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
- In terms of personal data protection mostly in the private sector, there will be many aspects aligned very closely to the GDPR. Some examples are:
  - Strengthened rules for valid, informed, unambiguous and explicit consent
  - A recognition of the right to be forgotten
  - Right of access for data subjects
  - Right to erasure or modification, and data portability
  - Increased control for data subjects, especially when automated decision-making and profiling is involved
  - Improved legal remedy for data subjects
  - Expansion of sanction powers for the UK Information Commissioner (ICO) in alignment with those which the GDPR grants the European data protection supervisory authorities
  - More emphasis on the concepts of privacy by design and by default
  - Adoption of more obligations for data controllers and processors, such as:
    - the appointment of data protection officers
    - the provision of data breach notifications
    - the requirement to conduct data protection impact assessments
From this announcement, it becomes clear that the UK intends to secure cross-border business and participation in the European market by bringing the country’s data protection rules into alignment with the European framework. This will come as a relief to companies and industries located in, or doing business in, the UK.
Despite this close alignment, there will be some derogations as well, for which the UK government said it will make use of the GDPR's opening clauses. So far, intentions have been expressed to require social media providers to delete, upon request from data subjects, personal information captured before they were 18 years old. Moreover, public-private partnerships in the context of criminal convictions shall be facilitated by providing legal grounds for personal data processing by non-governmental authorities. However, the announcement did not yet provide much more detail on the planned derogations.
The SPECIAL project welcomes Minister Hancock’s announcement as important information and good news, as information, transparency, user control and privacy by design and default are core goals of the project. An adherence to the European data protection framework ensures that the fundamental rights of both European and UK citizens will be protected in the Union as well as in the UK.