The Queen’s Speech: A data protection law ‘fit for the 21st century’
Daradjeet Jagpal looks at data protection provisions on the horizon.
In the Queen’s Speech this week, the Queen confirmed the intention of the UK government to issue a Data Protection Bill to give effect to the new EU General Data Protection Regulation in UK law and to give the UK a “data protection regime that is fit for the 21st century”.
The new Data Protection Bill, which will result in a new Data Protection Act (2018), will ensure that the UK’s “data protection framework is suitable for our new digital age and cement the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data”.
The Queen’s Speech also confirmed that the new bill will “strengthen rights and empower individuals to have more control over their personal data including a right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it”.
The emphasis in the Queen’s Speech is very much on the rights of individuals, which are to be significantly enhanced under the new bill (as per the Regulation). Individuals will not only enjoy improved rights of access to their personal data held by organisations, but they will also have new rights, including the “right to be forgotten” or the right to erasure when an organisation does not have a legal basis for holding on to their personal data.
The new bill will also give the Information Commissioner, the regulatory body for Data Protection in the UK, increased enforcement powers to take action against organisations that fail to comply. This includes the power to issue fines of up to €20 million in the case of the most serious Data Protection breaches.
The UK’s intention and willingness to give effect to the Regulation approaching and post “Brexit” is nothing new. Indeed, in Autumn last year, the UK government confirmed its intention to do so, not only for the reason that the UK will still be an EU member state until well into 2019 and is legally bound to give effect to all EU laws in UK law until its membership ceases, but also because of the potential disruption to commercially valuable international data flows that could result from non-implementation of the Regulation.
In the case of the latter, post-Brexit, transfers of personal data from the EU member states to the UK could be prohibited on the basis that the UK does not offer an adequate level of Data Protection (a key requirement of the Regulation) – a likely outcome in the light of the fact that the existing Data Protection Act 1998 is severely outdated and arguably not fit for purpose in the digital age. As the Queen’s Speech notes, over 70 per cent of trade in services is facilitated by data flows, and the digital sector contributed £118 billion to the economy and employed almost 1.5 million people across the UK in 2015.
While some EU member states have already published their proposed laws implementing the Regulation into their domestic laws (Ireland being one of the most recent), the Queen’s Speech does not necessarily make the UK late to the party, and there is still plenty of time in this legislative session to draft and pass a Data Protection Bill. If not, the Regulation will be directly applicable in the UK from 25 May 2018 in any event.
Daradjeet Jagpal is legal consultant and director of Information Law Solutions.