The issue of data protection and data flows, post-Brexit, is the fundamental question for the digital and tech sectors. As Europe prepares to move into GDPR, the first continent-wide data protection overhaul in 23 years, it is critical for UK businesses to have legal certainty about the UK’s adoption of GDPR. Without GDPR, the UK would need to achieve equivalence and adequacy with any domestic data protection legislation it might choose to adopt. Given the chaos and congestion Brexit is causing in general, it would be all but impossible for the UK to come up with this legislation in time.
GDPR is one piece of a healthy data flow framework, and the UK is not a healthy country by any measure. Other issues, ranging from the ePrivacy directive to passenger name records, have barely been touched upon.
- General Data Protection Regulation, enforceable from 25/05/2018
- See also: presentation, slides, and UK-specific reference documents
Progress and developments:
- In October 2016 the UK government confirmed that the UK will implement GDPR.
- The UK Information Commissioner has subsequently set out how the ICO will support implementation over the next two years.
- On 12 December the Commons held a surprisingly rich debate on GDPR post-Brexit.
- In March 2017 the EU Committee of the House of Lords drew attention to post-Brexit GDPR and data flow issues.
- Also in March, the European Scrutiny Committee of the House of Commons reviewed the issue, and provided yet more background analysis.
- In spring 2017 UK Gov ran a consultation on the UK’s GDPR implementation, including derogations.
- On 21 June the Queen’s Speech announced the Data Protection Bill, the legislation intended to act as the bridge between GDPR and any post-European data protection regime.
- On 7 August UK Gov launched a publicity campaign about the Data Protection Bill, most of which blatantly claimed the changes the UK was receiving anyway under GDPR as the UK’s ideas, and indeed, the work itself as Matt Hancock’s.
- On 18 August the House of Lords warned of the dangers of hindering data flows after Brexit.
- On 27 July the House of Commons research service published a useful basic briefing on data protection after Brexit.
- On 24 August the Department for Exiting the EU released a remarkably flawed white paper on data flow adequacy after Brexit.
- The Data Protection Bill will be introduced during September’s brief Parliamentary session.