Data Protection post-Brexit: what to do with the EU General Data Protection Regulation?

28 October 2016

Our submission to Joint Committee on Human Rights

Ten years ago there was no such thing as Android or an iPhone, yet now more than three quarters of UK adults own a smartphone. As of 2014, the world was generating more data in ten minutes than all of humanity had from its inception through the year 2003. As the UK prepares to withdraw from the European Union, Privacy International warns that individuals should not lose out on European data protection regulations, which protect against rampant abuse of their personal data.
These concerns are echoed by the new UK Information Commissioner (“ICO”) Elizabeth Denham, who warned that the UK ‘must avoid data protection Brexit’. The new European data protection standard, the General Data Protection Regulation (“GDPR”), provides stronger standards of protection of personal data than those contained in the current UK Data Protection Act. The GDPR seeks to address some of the challenges of effectively protecting individuals’ privacy in the face of new technologies. As the European Data Protection Supervisor (“EDPS”) emphasised, there is a need for privacy and innovation, not privacy or innovation, with greater protection of our digital data. He warned that “an apparent growing imbalance between web-based service providers and consumers may diminish choice, innovation and the quality of safeguards for privacy.”
It is clear that the UK legislation needs to adapt to the modern digital age. Yet whether the UK will adopt the standards in the GDPR following Brexit is unclear. Failure to implement the regulation would have significant legal and human rights implications. 
Whatever the relationship between the UK and Europe after Brexit, to continue to transfer personal data to and from the EU, the UK will need to prove that its data protection legislation provides ‘essentially equivalent’ protection to the GDPR. 
The current UK Data Protection Act falls below the GDPR standard and is based on the older EU data protection standard contained in the 1995 EU Data Protection Directive. 
The GDPR provides stronger standards of protection of personal data than those contained in the EU Directive 1995. Notably, it provides individuals with stronger rights such as the right to data portability; higher standards of consent to processing of personal data; and the right to object to profiling for direct marketing purposes. It also contains provisions that expand the scope of protection to cover types of personal data such as IP addresses and location data. It requires mandatory reporting of breaches of personal data and provides stronger powers of enforcement, including the capacity of the national data protection authorities to impose high fines.
The need for accessible options for individuals to take control of their personal information and the need to address the growing challenges of protecting the privacy of online communications, expressed by the UK ICO and EDPS, are echoed in public opinion. The Chartered Institute of Marketing survey showed that of 2,500 people surveyed, 57% did not trust companies to handle their data responsibly.
Elizabeth Denham stated in her first speech as ICO that the major shift under the GDPR “is about giving consumers control over their data.”
At a time when it is now “virtually impossible to choose not to be tracked while consuming digital services” the UK risks missing out on protections that will benefit European citizens.
There are still uncertainties about Brexit and how it will proceed. As the ICO pointed out, we do not need to wait until May 2018 to apply the GDPR in the UK. With so much uncertainty, the UK government should aim to implement the GDPR in ways that give the highest level of protection to individuals’ privacy and personal data. So let’s get on with it.