Data Regulation After GDPR
While Brexit negotiations are still underway, Britain will be at least temporarily subject to the EU's General Data Protection Regulation (GDPR) when it goes into effect in May 2018. It is widely acknowledged, however, that the UK will ultimately have to craft its own privacy laws, which it hopes will continue to permit the smooth transfer of data with the EU. To that end, the UK is currently debating the Data Protection Bill (DPB) in Parliament, and the focus of both corporate lobbyists and privacy advocates is on having their concerns addressed in the final form of that bill, which will shape the UK's privacy regulations for years or even decades to come.
Below you will find a deep dive into our findings.
BRITAIN'S CURRENT COMMITMENT TO DATA PROTECTION
At present, the primary source for the regulation of personal data in Britain is the Data Protection Act (DPA), which was passed in 1998 to bring the UK in line with the EU Data Protection Directive of 1995. As one assessment puts it: "Whilst the DPA has provided a sufficient regulatory framework, there is no doubt that it is somewhat dated and long overdue a refresh... The refresh has already been penned by the European Commission and is due to come into effect in early 2018 under the ‘General Data Protection Regulation (GDPR).’ The GDPR is aimed at unifying individual protection across the EU, as well as the movement of personal data outside of the EU."
The UK "played a full and active part in negotiations for the new GDPR," and likewise for the separate Data Protection Directive (which covers personal data in connection with law enforcement). This resulted, for example, in the GDPR imposing obligations on data controllers that are proportionate to the risk posed by the processing activity in question rather than a one-size-fits-all approach. The GDPR will go into effect in May 2018, long before Britain completes its negotiations to leave the EU, and therefore will become "the law of the land" for the UK. Nevertheless, because of Brexit the UK will need to develop its own "refresh" of its data protection laws.
An official position paper released by the UK government in mid-2017 states the UK's commitment to the protection of personal data: "Data flows are important for the UK and the EU economies and for wider cooperation, including on law enforcement matters. To ensure that individuals have control over and transparency as to how their personal data is being used, and that their personal data is protected from misappropriation and misuse, robust safeguards are needed."
The UK government paper goes on to state, "At the point of our exit from the EU, the UK’s domestic data protection rules will be aligned with the EU data protection framework." The UK is already taking the necessary steps with the announcement of the Data Protection Bill (DPB) in the 2017 Queen's Speech. (We will discuss the specifics of the DPB below.) Thus, the "UK starts from an unprecedented point of alignment with the EU," and the paper announces the government's intention to have the UK's Information Commissioner's Office (ICO) continue to partner with EU regulators "to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal." This is critical because 75% of the UK's "cross-border data flows" are with EU member countries.
THE DATA PROTECTION BILL
The DPB was published on September 14, 2017, and is currently in Parliament, having passed through the House of Lords and having had its first reading in the House of Commons on January 18, 2018. The official introduction to the DPB by the ICO contains more detail on the specifics of the bill than is within the scope of a single Wonder request, but it may be useful for additional context. The key takeaway is that this bill, together with the UK's commitment to upholding EU standards even as a partner instead of a member, means that "the UK will be compliant with EU data protection law and wider global data protection standards on exit, and given the important role of continued regulatory cooperation as part of a future economic relationship, the UK believes that a UK-EU model for exchanging and protecting personal data could provide for regulatory cooperation and ongoing certainty for businesses and public authorities. This could build on the existing adequacy model."
Despite a thorough search, we were unable to locate an article or white paper by a government official or industry expert discussing any other probable future regulations that might be passed. Unsurprisingly, nearly all current articles on data privacy protection in the UK focus on the details and ramifications of the DPB. While the GDPR is not completely absent from the discussion, it is no longer the focal point in discussions about the future of the UK's privacy regulation.
This is not to say that the GDPR receives no comment at all. For example, Scott Millis, CTO at Cyber adAPT, believes that the GDPR will "increase the pressure on companies to secure information," resulting in those companies using artificial intelligence and machine learning "to stay one step ahead of the criminals." Since the concern of the UK is making sure that it can continue to exchange data freely with EU members, the final form of the DPB will most likely be very similar to the GDPR, "tweaked" to reflect British terminology, concerns, and existing laws.
DATA RIGHTS ADVOCATES VS. INDUSTRY LOBBYISTS
Since the DPB is currently being debated in the House of Commons, advocates on all sides have focused their concerns on shaping the new law. The primary concern of lobbyists for corporations has been that the "free flow of data" between the UK and the EU not be disrupted by new regulations in the DPB, which as shown above is also of primary concern to the British government. This includes lobbying for a new e-privacy provision to replace the current Privacy and Electronic Communications Regulations (PECR), which require an individual's consent for direct electronic marketing by phone, text and email. ICO commissioner Elizabeth Denham has argued that too much "energy and effort is being spent on trying to find a way to avoid consent. That energy and effort would be much better spent establishing informed, active, unambiguous consent."
Incidentally, the official position of the British government is that, "the UK would be open to exploring a model which allows the ICO to be fully involved in future EU regulatory dialogue." This means that the ICO's position on marketing consent could have ramifications on the Continent as well, especially since the British government estimates that 43% of all large EU digital companies started in the UK.
On the privacy advocate side, there are concerns that Schedule 2 of the DPB "would potentially remove entire industries dedicated to vetting, profiling and blacklisting private individuals from the reach of the law." This is particularly concerning because the task of vetting individuals who are, for example, attempting to open a bank account is increasingly outsourced to third-party companies. The credibility of the databases these companies rely on has come under question, yet the vetting companies would be under no obligation to allow an individual to access their records or to object to how the data was processed. Indeed, the individual would have no right to "seek any form of redress in the event that the data they hold is false, inaccurate or misleading."
Consequently, there have been calls to redraft Schedule 2 from advocacy groups such as Open Democracy, which states: "We have represented dozens of individuals and organizations who suffered devastating consequences as a result of being falsely identified as posing a terrorism risk." They further claim that these dozens of cases are just "the tip of the proverbial iceberg."
Another point of concern is whether the EU's "Right to be Forgotten" and similar rulings will continue to carry precedential weight in the UK. These concerns have already been largely laid to rest. The UK's "Great Repeal Bill will also provide for UK courts to refer to EU court rulings when interpreting the UK's EU-derived laws. In effect, the Bill proposes that existing case law from the Court of Justice of the European Union (CJEU) will have the same binding status as UK Supreme Court rulings, and expects that the Supreme Court will only ever depart from CJEU precedent in very rare cases."
With the Data Protection Bill (DPB) being under consideration by the UK's Parliament, all current discussion on the topic of the future of privacy regulation in the UK is focused on that bill. On the corporate side, lobbyists are most concerned about maintaining the free flow of data with the EU member states that the UK enjoys under the General Data Protection Regulation (GDPR) while possibly loosening some regulations pertaining to marketing consent. On the privacy advocate side, the greatest concern is the phrasing of Schedule 2, which as written might exempt the entire vetting industry from regulation and deprive citizens of their rights to even know what data is being held by those companies. Revisiting this topic in a few months when the final form of the DPB is known may yield a much clearer picture about the future of data protection regulation in the UK.