Although somewhat overshadowed by the eight Brexit-related Bills, today’s Queen’s Speech announced the government’s plans for a new Data Protection Bill for the UK. The purpose of this Bill, as noted in the government’s background notes (available here), is to “ensure that the United Kingdom retains its world-class regime protecting personal data”. The Bill will effectively implement the EU General Data Protection Regulation (the ‘GDPR’) into domestic law in the UK.
You may be wondering why the government is committed to implementing a European-style data protection regime in the UK in light of Brexit – particularly a regime that is in many respects more restrictive and compliance-focused than the current UK data protection regime. The reason is two-fold. Firstly, the UK will still be a member of the EU when the GDPR comes into force in May 2018 and so the GDPR will be directly binding on UK businesses for a period of time. Secondly, and more importantly for the long term, having a European-style data protection regime in the UK will be necessary to ensure that personal data can continue to be transferred freely between the UK and the EU post-Brexit.
Under EU data protection laws, personal data can only be transferred to a country outside of the EEA if the personal data will be adequately protected in that country. By introducing a domestic law that effectively implements the GDPR, the UK government is clearly hoping to obtain an ‘adequacy decision’ – a declaration that the data protection laws of a country offer sufficient protection to individuals – from the EU, which will allow the free flow of personal data to continue between the UK and the EU post-Brexit. This is seen as vital to facilitating trade with the EU – the briefing paper notes that “Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.”
If the UK is not granted an adequacy decision, then, post-Brexit, organisations in the UK will need to put in place additional protections – such as Model Clauses or Binding Corporate Rules – in order to receive personal data from the EU. This will place increased compliance burdens on UK businesses.
The proposed Bill goes beyond just implementing the GDPR. It also emphasises the importance of individuals’ rights in relation to their own personal data – for example, the Bill will include a specific right for people to insist that major social media platforms delete any information held about them when they turn 18 – and will facilitate the international exchange of information to combat terrorism and serious crime.
Although the Data Protection Bill will introduce a stricter data protection regime in the UK, this is generally good news for most businesses as it shows the government’s commitment to maintaining the free flow of personal data between the UK and the EU. Whether the Bill actually makes its way into law in time for the UK to receive an adequacy decision from the EU before Brexit, however, remains to be seen.