Less Brexit rhetoric and more emphasis on UK-EU cooperation
The UK’s Data Protection and Digital Information Bill no longer lives at the Department for Digital, Culture, Media and Sport (DCMS). In February, it moved to a new home at the Department for Science, Innovation & Technology (DSIT). The Cabinet Minister, Michelle Donelan, who remains responsible for this Bill, said on 10 February that innovation has been placed at the heart of the government’s agenda which provides a more explicit context for the government’s approach to data protection law. However, at the time of writing, no date for the Bill’s return to Parliament had been announced.
This political context for data protection law is illustrated by the DSIT’s priorities. The 5th priority is to “deliver key legislative and regulatory reforms to drive competition and promote innovation, including the Data Protection and Digital Information Bill, the Digital Markets, Competition and Consumer Bill and our pro-innovation approach to regulating AI.”
The government has grouped together in this Department several organisations relevant to data protection law, including the Centre for Data Ethics and Innovation, the Office for Artificial Intelligence and the UK Council for Internet Safety. So I consider there is a rational basis for siting data protection law within the DSIT’s framework of digital markets and innovation.
Data protection as a fundamental right?
While the European Data Protection Supervisor and the European Data Protection Board continue to refer to data protection as a fundamental right,(1) this is not the case in the UK. However, the UK and other countries which are members of the Council of Europe (CoE) usually acknowledge in their data protection laws their basis in the CoE Data Protection Convention 108, open for signature on 28 January 1981, and in the EU, the EU Charter of Fundamental Rights, in force since December 2009.
On reflection, there is nothing in the term “data protection” which suggests that these laws are about the protection of privacy. The world’s first national law on these lines in 1973 in Sweden was simply called the “Data Law.” It was the Privacy Act 1974 in the US – although limited in scope to records held by the federal government - which was the first which had “privacy” in its title.(2) This was 10 years before the adoption of the UK’s first Data Protection Act.
Is amending the UK’s Data Protection Act 2018 worth the effort?
While the EU GDPR (like any law) does not satisfy everyone, it does represent a consistent approach across the European Economic Area which is influential internationally, even in the US, and companies have learned to live with it. The UK government has now taken several months to review its options for amending the current Data Protection Act 2018. At the same time, Data Protection Officers and many business leaders, while in favour of innovation, generally ask whether a new UK data protection law diverging from the EU is worth the effort?
Flexibility is achievable working within the UK’s Data Protection Act
Rishi Sunak as UK Prime Minister is seeking to engage with the EU in a more constructive tone, shown most clearly in late February with the agreement on revising the Northern Ireland protocol.
In practice, a degree of flexibility is achievable for the government working within the UK’s Data Protection Act 2018. This is shown by its efforts to engage with the Cross-Border Privacy Rules. Also, the ICO is now operating its own Binding Corporate Rules system (PL&B UK Report January 2023) which is different in format from the EU version.
A further shift is the recent change of terminology in the UK’s review of jurisdictions outside the European Economic Area which are seeking an “adequacy” declaration. The UK term is now a “bridge” between the UK and these jurisdictions when assessing them for the international transfers of personal data, implying acceptance of a lower level of data protection legislation in each jurisdiction.
From April combining the DSIT section dealing with International Data Transfers (IDT) and the International Data Unit (IDU) to form one International Data Flows Unit is likely to be a factor in speeding up the process and increasing the number of jurisdictions receiving a declaration of approval from the UK.
With a focus on common interests between the UK and the EU in several policy areas and interest among some national DPAs in the UK’s approach (for example, regarding children’s issues, online safety, and testing new tech in national sandboxes) there is room to explore a more flexible approach to several areas of data protection law policy and enforcement. The EU and the UK are already closely aligned on cybersecurity.
With the passage of time from the painful EU-UK Brexit divorce and a warmer tone in EU-UK relations, it is possible that the divergent elements in UK data protection law are less likely to risk the UK’s “adequacy” status.
Who’s Watching Me? is the title of this year’s PL&B 36th International Conference, 3-5 July at St. John’s College, Cambridge. We have published the titles of 24 sessions and 50+ speakers from 13 countries. Registration is open now and the lowest fees are available until 30 March.
Now in our 37th year since I established Privacy Laws & Business in February 1987, I thank you for your continuing subscription. Laura Linkomies, Editor, and I are always interested in your ideas and suggestions.
Publisher, Privacy Laws & Business
News & Blogs
March 2023 Report Contents