Dowden's Data Protection Plans

Now that we've left the EU we can seize the opportunity to develop a world-leading data regime that will deliver for people across the UK.

Fare all part of our plan.

👉 https://t.co/R5OhCkQzi3 pic.twitter.com/2b3xtUxYXv

— Oliver Dowden (@OliverDowden) August 26, 2021

Jane Lambert

In the last few months, this government has made one ambitious promise after another. In his foreword to Global Britain in a competitive age, the Prime Minister wrote that his government's aim is for the UK to become a science and tech superpower by 2030 (see NIPC Brexit 19 March 2021). In his foreword to the UK Innovation Strategy Leading the future by creating it Kwasi Kwarteng, Secretary of State for Business, said that the UK would in science and technology what it is in finance (see UK Innovation Strategy, NIPC Inventors Club 12 Aug 2021). With similar hyperbole, Oliver Dowden, Secretary of State for Culture, Media and Sport has announced "a world-leading data regime" by "forging new global partnerships and designing our own common sense data laws" (see UK unveils post-Brexit global data plans to boost growth, increase trade and improve healthcare DCMS press release 26 Aug 2021).

The Press Release

Mr Dowden's press release makes three announcements:

• an intention to negotiate "data adequacy partnerships" with Australia, Colombia, the Dubai International Financial Centre, Singapore, South Korea and the USA;
• the appointment of John Edwards, the New Zealand Privacy Commissioner, as the next Information Commissioner; and 
• a consultation on changes to the UK's data protection laws "to break down barriers to innovative and responsible uses of data so it can boost growth, especially for startups and small firms, speed up scientific discoveries and improve public services."
  

Data Protection Legislation 

On 25 May 2018, the General Data Protection Regulation ("GDPR") came into force across the European Union including the UK.  Art 94 of the GDPR repealed Directive 95/46/EC which had been implemented in the UK by the Data Protection Act 1998.  As it was a regulation of the European Council and Parliament, the GDPR took effect automatically.  The UK Parliament enacted the Data Protection Act 2018 which repealed the Data Protection Act 1998, supplemented the GDPR and applied a broadly equivalent regime to certain types of processing to which the GDPR did not apply.  

When the UK left the EU on 31 Jan 2020, the GDPR remained in force in the UK during the transition or implementation period that ended on 31 Dec 2020 pursuant to art 127 of the withdrawal agreement.  At the end of the transition period, the GDPR was incorporated into English, Welsh, Scots and Northern Irish law by s.3 (1) of the European Union  (Withdrawal) Act 2018.  Reg 3 and Sched. 1 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 418) amended the provisions of the GDPR that have been incorporated into domestic law.   Reg 4 and Sched 2 of those regulations amended the Data Protection Act 2018.  

Transfer of Data Abroad

A fundamental principle of all data protection laws is that personal data should not be transferred abroad without adequate safeguards for its protection.  Art 44 of the GDPR provides:

"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation."

One of the conditions on which personal data may be transferred overseas is set out in art 45 (1):

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."

The decision of whether a third country provides adequate protection depends on a number of elements set out in art 45 (2).   The Commission has already made an adequacy decision in favour of the UK by its Decision of  26 June 2021 which I discussed in Commission Adequacy Decisions on 29 June 2021.  

Amendments to Art 45

Para 38 (2) of  Sched 1 of  The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 changed art 45 (1) of the GDPR to:

"A transfer of personal data to a third country or an international organisation may take place where it is based on adequacy regulations (see section 17A of the 2018 Act) ”. Such a transfer shall not require any specific authorisation."

Para 38 (3) of that Sched deleted most o the rest of the article.  Para 23 of Sched 2 inserted new sections 17A, 17B and 17C into the Data Protection Act 2018.  Those new sections contain new provisions for determining the adequacy of other countries' protection of personal data.  These include the power to make regulations.    

Para 42  of Sched 2 inserted new sections 74A and 74B into the Data Protection Act 2018,   These provide for the transfer abroad of data not covered by the GDPR in accordance with the above-mentioned regulations.   S.74A (4) of the Act is in substantially the same terms as art 45 (2) of the GDPR.

"Adequacy Partnerships"

The pairing of the noun "partnership" with the adjective "adequacy" suggests that adequacy decisions could depend on reciprocity and commercial advantage rather than the criteria in art 45 (1).   The press release reinforces that impression:

"The government believes it can unlock more trade and innovation by reducing unnecessary barriers and burdens on international data transfers, thereby opening up global markets to UK businesses. In turn this will help give UK customers faster, cheaper and more reliable products and services from around the world."

 Those concerns are at least partially allayed by the "Test for Adequacy" section of the guidance note International data transfers: building trust, delivering growth and firing up innovation published on 26 Aug 2021.  On paper, at least, the test for adequacy is objective and not dissimilar to the test in art 45 (2) of the GDPR. 

Risk of Losing the European Commission Adequacy Finding

A problem of seeking adequacy partnerships with countries operating very different regimes for protecting personal data is that the Commission could revoke its decision on the adequacy of protection in the UK under art 3 (4). That paragraph provides:

"Where the Commission has indications that an adequate level of protection is no longer ensured, the Commission shall inform the competent United Kingdom authorities and may suspend, repeal or amend this Decision."

Such a situation could arise if data were to flow without restriction from the EU to the UK and then from the UK to the USA but not directly from the EU to the  USA.   It would be unfortunate if the UK jeopardized its status in the European Economic Area in a quest for more distant and generally smaller markets overseas. 

Consultation

There is as yet no green paper or consultation on changing the law.   The only indication of what the government has in mind at this stage is that it believes improved data sharing could help deliver more agile, effective and efficient public services and help make the UK a science and technology superpower.   

Further Information

Anyone wishing to discuss this article or data protection generally my call me on 020 7404 5252 during office hours or send me a message through my contact form.