Out-Law News 2 min. read
15 Dec 2016, 3:54 pm
Speaking in parliament earlier this week, UK digital minister Matt Hancock again confirmed that the GDPR "will become directly applicable in UK law on 25 May 2018". Hancock made similar comments last month, when he also suggested "changes" could be made to the UK's "data protection regulatory landscape after the UK exits the European Union".
In his latest statements, Hancock did not offer further clarity on how data protection laws might change in the UK post-Brexit. He did, though, confirm that, under the framework of the GDPR, the UK will look to draw up its own rules in some areas where the Regulation permits.
"We are now working on the overall approach and the details of that implementation [of the GDPR]," Hancock said in response to comments by Labour MP Daniel Zeichner. "Details of any new legislation in this area will be made in due course and announced in the normal way, but I can tell him that we are considering these matters in great detail as we speak."
"We plan to consult with stakeholders on key measures where we have the opportunity to apply flexibilities … in the regulation to maximise and to protect our domestic interests and to get the balance right between delivering the protection that people need and ensuring that the regulation operates in a way that ensures that the UK’s data economy can be highly successful," he said. "For example, one measure will be on what the age of consent should be for children who wish to access information services. We want a data protection framework that works best for the UK and meets our needs. Those consultations will be forthcoming."
Hancock said UK organisations must "prepare now" for "the new standards of data processing" that will apply under the GDPR.
UK businesses that operate cross-border in the EU will have to comply with the GDPR if processing personal data of citizens based in EU countries regardless of what legislation applies in the UK post-Brexit.
Hancock also stressed that the government is working to ensure that the flow of personal data between organisations based in other EU countries and those based in the UK is not disrupted when the UK leaves the EU.
The ability to transfer personal data outside the European Economic Area (EEA) is restricted under existing EU data protection laws set out in the Data Protection Directive. Only where "adequate protections" are in place, or where the destination country has been pre-approved by the European Commission as having adequate data protection, can data transfers go ahead. Similar restrictions on data transfers will apply under the GDPR.
It is not yet clear whether the UK will be a member of the EEA post-Brexit, or, if not, whether the UK's data protection regime post-Brexit would be deemed to meet the 'adequacy' test.
Hancock said: "We have made progress in our argument within the EU that data localisation rules are not appropriate. That is a live issue in the EU at the moment. There is also work to be done between now and 2018 to make sure that we achieve a coherent data protection regime and that data flows with the EU are not interrupted after we leave. The government are considering all options for the most beneficial way of ensuring that the UK’s data protection regime continues to build a culture of data confidence and trust that safeguards citizens and supports businesses in a global data economy."
"I hope that I can reassure … the tech industry in the UK that we are doing all we can to ensure that our future data standards are of the very highest quality, including their international links, and that we get the balance right between ensuring the high levels of protection that individuals and companies need and ought to expect with the appropriate levels of flexibility to make sure that our data economy can be one of the strongest in the world," he said.