Out-Law News 4 min. read

Government reiterates plans for EU-UK data flows post-Brexit amidst criticism of Data Protection Bill powers


The UK government has reiterated its plans to establish an agreement with the remainder of the EU member states that will allow personal data to flow across borders unhindered post-Brexit.

Digital minister Matt Hancock said the UK is seeking an "enhanced mechanism that builds on what the existing model of adequacy provides for third countries".

Hancock also said it would be best for both the UK and EU if "the UK and the EU to agree early to mutually recognise each other's’ data protection frameworks as the basis for the continued free flow of data between the EU and the UK from the point of exit until such time as new and more permanent arrangements come into force".

Those comments build on the contents of a 'future partnership' paper the government published in August which called on the EU to recognise the UK's data protection framework as aligned with its own before the UK leaves the EU.

Hancock's latest comments were contained in a letter (5-page / 292KB PDF) to the chair of the European Union Committee in the House of Lords, and set out the government's response to a report the committee published in July.

Hancock's letter was published as two other UK parliamentary committees took issue with aspects of the government's proposed new Data Protection Bill. The Bill is designed to replace the existing Data Protection Act and implement and complement the EU's General Data Protection Regulation (GDPR), which will apply from 25 May 2018.

The Lords' Constitution Committee highlighted powers that the UK government would have to introduce new data protection rules via secondary legislation in future if the Data Protection Bill is enacted as currently drafted.

"This is an increasingly common feature of legislation which, as we have repeatedly stated, causes considerable concern," the Constitution Committee said. "The government’s desire to future-proof legislation, both in light of Brexit and the rapidly changing nature of digital technologies, must be balanced against the need for parliament to scrutinise and, where necessary, constrain executive power."

Similar concerns about were raised by the Lords' Delegated Powers and Regulatory Reform Committee in a separate report published recently.

"We are troubled that the government should think it appropriate, on the basis of such a thin justification, to seek to take wide-ranging powers allowing current or future ministers to implement important policy changes without the need for further primary legislation," it said.

The Delegated Powers and Regulatory Reform Committee highlighted a number of clauses in the Bill where the government would have delegated powers to legislate on data protection matters without having to bring forward an Act of parliament.

Those clauses included provisions concerning the processing of sensitive and criminal convictions data, the processing of personal data for law enforcement purposes, fees that businesses might charge people who make manifestly unfounded or excessive requests for their data, and potential restrictions on overseas data transfers by international organisations.

Claire Edwards, data protection law expert at Pinsent Masons, the law firm behind Out-Law.com, said: "From the perspective of future-proofing legislation, clearly having delegated powers hugely assists in keeping the primary legislation relevant and therefore personal data protected. If delegated power was not included in the Data Protection Bill, we could end up in the same situation we ended up in with the Data Protection Act – a piece of law no longer fit for purpose, with the inability to do anything about it."

"Additionally, in the context of Brexit, in order for us to continue trading with the EU, where personal data and the protection thereof is a crucial consideration, the UK needs to be able to keep up with its European counterparts. As technology evolves, the law needs to move with it and this will continue to happen at a more and more rapid pace. With provision for delegated powers, the UK can move forward to implement any changes made by the EU post-Brexit more quickly," she said.

Edwards said that what the potential government powers to update legislation quickly might be viewed as either a positive step where the powers would be used to enhance data protection or more negatively if they are used to introduce more exemptions that put that the rights of data subjects at risk. The government might risk any future determination of adequacy for the UK's data protection regime by the European Commission if it takes the latter approach, she said.

Edwards said there are also commercial considerations to using any delegated powers to update data protection legislation.

"In addition to any concerns which may come from Europe, from a commercial standpoint, where personal data is not only a commodity, but the crux of a business model, delegated powers, particularly to the extent proposed by the Data Protection Bill, could either be stifling or give them extra freedom," Edwards said. "There is the potential to decrease business stability if the law is changing so frequently, that businesses can’t, or take the commercial decision not to, keep up, particularly when compliance activity is not income generating."

"Whilst the threat of administrative fines encourages businesses to comply, if the parameters keep changing it might just become almost impossible. That being said, the current draft of the Bill gives powers to make further exemptions, so potentially gives organisations an easier route to processing personal data than the GDPR would. In exercising any power, there would need to be a balancing exercise between wanting to be the leading light on data protection, the rights of data subjects and the commercial needs of business’. The difficulty is that this type of exercise, checks and balances, may be better placed in a parliamentary discussion," she said.

There is a raft of new and forthcoming changes to information law that businesses have to adapt to, Edwards said.

"To properly get to the bottom of data protection legislation in the UK, a controller or processor would need at the very least to read the lengthy Data Protection Bill, the lengthy GDPR and rules on e-privacy – currently PECR, although a new EU ePrivacy Regulation is on the way," Edwards said. "That is before taking into account other pieces of national law, which may have some impact, such as the Digital Economy Act for example. Adding a potentially never-ending list of orders statutory instruments etc. made under the Bill’s delegated powers and it has the potential for compliance to be over burdensome for controllers and processors trying to make sense of it all."

"Things only get worse if the UK business offers goods and services in the EU – not only will it have the problem of complying with reams of primary and secondary legislation for its UK customers, it would have a separate set of obligations to comply with for its EU customers, due to the territorial scope of the GDPR, defeating the GDPR’s purpose of harmonising data protection legislation," she said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.