Maintaining momentum for the UK’s data protection law despite Brexit

This 100th edition of PL&B United Kingdom Report comes 18 years after the launch of this title and coincides with the government’s acceptance of the Withdrawal Agreement from the European Union. We analyse the data protection implications for organisations and make recommendations on key business priorities (p.1).

While data protection law issues have not been at the forefront of reporting on the UK’s withdrawal from the European Union, the Prime Minister has referred from time to time to the importance of the free flow of data between the UK and the European Union.

Last month, with the intention to provide supportive evidence on the working of data protection law in the European Economic Area, I wrote to the Prime Minister; Department for Digital, Culture, Media and Sport; Exiting the EU; and other relevant ministers; Opposition parties and the Scottish Government. My recommendation, based on the experience of Norway (PL&B International Report October 2018 p.1) and Iceland (PL&B United Kingdom Report August 2018 p.1), was that, from the data protection law perspective, it would be best for the UK to remain in the European Economic Area. Today, I was pleased to receive a response from the Scottish Government which endorsed this position, stating:

“If the UK Government does not wish to maintain membership of the Single Market and Customs Union, then given the strong preference of the people of Scotland to stay in the European Union, the Scottish Government would pursue the differentiated approach for Scotland that would allow us to stay in the European Economic Area (EEA).”

1st prison sentence

On 12 November, the ICO announced that it had secured its first prison sentence, prosecuted under the Computer Misuse Act 1990 (p.17). With the ICO’s staff at around 700, Elizabeth Denham, Information Commissioner, clearly has a well-resourced team to tackle criminal behaviour and civil actions with more vigour than in the past. Facebook has had the maximum fine of £500,000 imposed under the Data Protection Act 1998 (p.15). We should expect the Information Commissioner to greatly increase sanctions now she is investigating organisations with her stronger powers under the Data Protection Act 2018.

But it is not all about fines and the private sector. The public sector needs to be equally vigilant. Just today, the ICO announced that it had issued an Enforcement Notice to the Metropolitan Police after it found that the Metropolitan Police Service’s Gangs Matrix breached data protection laws.

Freedom of Information Act edging towards the private sector

I established PL&B UK Report in 2000 specifically to bring together in one publication news and analysis of the UK’s new Freedom of Information Act, together with our work on the Data Protection Act. The trend is for the FoI Act to be expanded gradually to private sector companies which are carrying out work on behalf of the public sector. The latest Private Member’s Bill aims to extend it further in this direction (p.23).

GDPR Help Roundtable: Maintaining Momentum

On 28 November in London, we will hold the latest in our series of GDPR Help! Roundtables, Maintaining Momentum. The ICO’s lead on certification and codes of practice will update us on her work and that of the European Data Protection Board in this area. We will also exchange experience on adapting to the UK’s Data Protection Act 2018. Only a few places remain so now is the time to register to secure your place at this Roundtable.


Stewart Dresner, Publisher


UK Report 100

Lead story:

Preparing for Brexit – EU to UK data export solutions needed

Lore Leitner looks at the implications of Brexit and the draft Withdrawal Agreement for data protection.

Contents also include:

  • Comment: EU adequacy in light of Brexit
  • ICO gives evidence in Parliament on analytics and campaigning
  • Cookie consent and the GDPR
  • DP Impact Assessments: The EDPB assesses the ICO
  • Law enforcement processing: The new regime and why it matters
  • Isle of Man law follows GDPR
  • How companies are adapting to the UK’s DP Act 2018
  • Employee Data Subject Access Requests and proportionality
  • Contractors may become subject to FOI provisions
  • ICO advises on encryption and passwords in online services
  • Ofcom reports on Internet harms
  • Government to set up Centre for Data Ethics and Innovation
  • Morrisons held liable for actions of former employee
  • ICO issues notice under GDPR to Canadian company
  • ICO prosecution results in prison sentence
  • Unsolicited callers to face fines up to £500,000
  • Processing criminal records