ICO ‘bangs drum’ for new data laws

In May 2018, new data protection legislation, both in the UK and across the EU, will be in place.

And Information Commissioner Elizabeth Denham has reiterated that despite any uncertainty over the impact of Brexit, “EU law will remain UK law, until the Government sees fit to repeal it”.

The General Data Protection Regulation (GDPR) will replace the EU directive that the 1998 UK Data Protection Act is based on. It will run parallel with a new directive for police and justice issues that should enable police forces across Europe to work together faster and more efficiently to counter serious crime and terrorism.

Secretary of State Karen Bradley confirmed at an appearance before the Culture, Media and Sports Select Committee last October that “we will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt

into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public”.

And in her ‘Brexit speech’ last week, Prime Minister Theresa May said a global Britain will “continue to cooperate with its European partners in important areas such as crime, terrorism and foreign affairs”.

“All of us in Europe face the challenge of cross-border crime, a deadly terrorist threat and the dangers presented by hostile states,” Mrs May said.

“With the threats to our common security becoming more serious, our response cannot be to cooperate with one another less, but to work together more.

“I therefore want our future relationship with the European Union to include practical arrangements on matters of law enforcement and the sharing of intelligence material with our EU allies.”

Ms Denham said “of course, it is possible that in the years after the UK leaves the EU, Parliament will debate amending the requirements of the GDPR”.

But in a speech in London last week at the Institute of Chartered Accountants in England and Wales, she said: “If that happens, we [the Information Commissioner’s Office (ICO)] will be at the centre of any conversations around this, and will be banging our drum for continued protection and rights for consumers and clear laws for organisations.

“The Government will also need to answer the question about whether the UK will seek to keep the UK’s data protection law at an equivalent standard to the EU, to allow unrestricted data flows with EU countries. We need strong data protection laws to achieve all that.”

Ms Denham acknowledged “that there may still be questions about how the GDPR would work on the UK leaving the EU, but this should not distract from the important task of compliance with GDPR by 2018”.

She said it is also an uncertain time because the courts have called into question the transfer of data abroad.

“For 15 years, the European Commission allowed data to be transferred to any US company, which was part of an agreement known as Safe Harbor,” explained Ms Denham.

“That changed in October 2015, when the Court of Justice of the European Union ruled that the European Commission’s Safe Harbor decision was invalid, citing concerns about how the US protects EU citizens’ data from access by US public authorities.”

Safe Harbor has been replaced by the EU/US Privacy Shield, which is subject to a review this summer.

“While some people believe that the substance of the agreement may be challenged by data protection authorities or through the courts, the advice is that Privacy Shield is a legitimate basis for transferring personal data to the US,” added Ms Denham. “The ICO welcomed the additional safeguards it provided compared to the previous Safe Harbor arrangement.

The General Data Protection Regulation builds on the previous legislation, but “provides more protections for consumers, and more privacy considerations for organisations”.

Ms Denham said it brings a more 21st century approach to the processing of personal data – and it puts an onus on organisations to change their entire ethos to data protectio