Thursday, 10 August 2017

What will happen to the GDPR in the United Kingdom after Brexit?

Jane Lambert

Art 50 (3) of the Treaty of European Union provides:
"The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the European Council, in agreement with the Member State concerned, unanimously decides to extend this period."
When the treaties cease to apply to the United Kingdom, all the directives and regulations that will have been made under them will fall away too. That need not matter so far as the directives are concerned since they will have been implemented by United Kingdom enactments that remain in force indefinitely, but regulations are different in that they take effect independently. That is why clause 3 (1) of the European Union (Withdrawal) Bill is intended to incorporate all regulations into English and Welsh or, as the case may be, Scottish or Northern Irish law.

The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)) will automatically come into force on 25 May 2018 and will remain part of our law until Brexit day. Then it will cease to apply unless it is preserved by national legislation.

When I wrote what is now Chapter 10 of Helen Tse's Doing Business after Brexit towards the end of last year, I expected the GDPR to be preserved by what we then called the "Great Repeal Bill." The Department for Culture Media and Sport's Statement of Intent of 7 Aug 2017 reveals a different approach. The GDPR will be superseded by the provisions of a new Data Protection Bill at least part of which will come into force on Brexit day.

No draft of the bill has yet been published but a press release dated 7 Aug 2017 announces that the new statute will:
  • "Make it simpler to withdraw consent for the use of personal data
  • Allow people to ask for their personal data held by companies to be erased
  • Enable parents and guardians to give consent for their child’s data to be used
  • Require ‘explicit’ consent to be necessary for processing sensitive personal data
  • Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
  • Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
  • Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
  • Make it easier for customers to move data between service providers."
The press release also announces new criminal offences to deter organizations from either intentionally or recklessly creating situations where someone could be identified from anonymized data.

As Chapter 3 of the Statement of Intent indicates, many of those provisions will have been introduced by the GDPR but not all of them. The new bill will contain extra provisions such as one conferring on data subjects a power "to require social media platforms to, on request, delete information held about them at the age of 18" (see page 14 of the Statement).

This Bill will affect everyone whose records are held on computer and indeed everyone who holds and processes such records though there will be some industries that are particularly affected such as fintech and healthcare. I will keep an eye on the legislation for them.

It was my job to follow this topic long before we had such legislation in this country, my first instructions being to advise on the consequences of the Austrian data protection statute for businesses here, which I would have received in 1982 or 1983. I attended the first conferences on trans-border data flows which were organized by the International Bar Association in Toronto and the International Telecommunications Union in Geneva in 1983. I contributed the first chapters on data protection to Butterworths' Atkin's Court Forms and Encyclopedia of Forms and Precedents in 1984, for which I interviewed the first data protection registrar, Eric Howe, at Water Lane in Wilmslow. I have continued to receive instructions on data protection and related areas of the law ever since.

I am compiling links to everything that I have written on the topic for a new blog to be known as NIPC Data Protection which, like this one, will be integrated with NIPC Law and NIPC News. I will tweet about important developments from my @nipclaw account and post them to LinkedIn and Facebook. Should anyone wish to discuss this article or data protection, privacy or trans-border data flow in general, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.
