Annabel Gillham and Mercedes Samavi
Privacy + Data Security
On 7 August 2017, the UK government released its Statement of Intent (the Statement) regarding the new Data Protection Bill (the Bill)—the legal instrument that will apply new data protection standards set by the EU General Data Protection Regulation (GDPR) within UK law. The Statement confirms that the Bill will be aligned with the GDPR (thereby restating the principles set out in the Queen’s Speech earlier this year), and sets out key areas where it intends for the UK to derogate from the GDPR.
The UK has (of the G20 countries) the largest internet economy as a percentage of GDP and evidently, the UK government is keen to capitalize on its lead by preparing in good time for the GDPR, as well as Brexit, to give “consumers confidence that Britain’s data rules are fit for the digital age in which we live.”
A brief refresher on GDPR
The GDPR is an extensive data protection regime that will replace the existing EU data protection legislation on 25 May 2018. As part of the overhaul, the GDPR will harmonize data protection requirements across all EU Member States and, in particular, promote key principles such as accountability and transparency. In doing so, the GDPR will empower EU citizens with new individual rights and impose new obligations on data controllers and processors. For more information, visit MoFo’s GDPR Resource Center.
What are the key derogations proposed by the UK government?
The Statement seeks to reassure global businesses that the UK is committed to retaining robust data protection and data security laws after Brexit. It states that the Bill will put the UK government “on the front foot in allowing the UK to maximize future data relationships with the EU and elsewhere”, and that the UK government will seek to ensure that data flows between the UK and the EU (and the UK and third countries) remain uninterrupted after Brexit. Keen to show good faith, the Statement then indicates that the UK will be cooperative with law enforcement agencies in Europe and beyond.
Of course, it remains to be seen during the Brexit negotiations what the outcome will be for the UK on securing EU adequacy.
What happens next?
In terms of timing, the Bill won’t be debated in the UK parliament until the new session starts in September. Before the Bill can receive Royal Assent and pass into law, it must first pass through three readings in the House of Commons.
In large part, the Statement recites the requirements of the GDPR, which are becoming familiar territory for global businesses operating in EU markets. However, many businesses are considering how to prepare for the impact of Brexit on data flows between the UK and the rest of the EU. The Statement provides some reassurance that this issue remains firmly on the UK government’s agenda, although there are no clear answers yet on how the adequacy process will work and whether any transitional arrangements could be agreed to ensure that data transfers between the UK and the EU are uninterrupted the day after Brexit.
Businesses would be well advised to formulate a “Plan B” to maintain cross border data flows from the UK, such as the use of model clauses in any contracts with overseas service providers, or implementing Binding Corporate Rules (BCRs) across its global operations to facilitate intragroup data transfers and the viability of seeking client and employee consent to cross border transfers of their personal data.
©1996-2019 Morrison & Foerster LLP. All rights reserved.