UK government still not sharing a post-Brexit data protection strategy
UK government still not sharing a post-Brexit data protection strategy

Monday night in the House of Commons saw Daniel Zeichner, MP for Cambridge and chair of the All Party Parliamentary Group on data analytics, open his speech in the adjournment debate speaking of the remarkable advances made in “the way we send, receive, collect, analyse and use data,” and how that will only increase over time.

The MP remarked how, “It is truly amazing that around 90 percent of global data that exists today was created in just the last two years.”

Zeichner added that this growth in big data represents “significant opportunities” for research  as well as more tailored services and experiences, such as TfL recent experiment  in tracking movements of passengers using WiFi MAC address tracking.

However, Zeichner noted, there are “equally big implications” for privacy in our modern age that are no longer covered by the “outdated” Data Protection Act (DPA) 1998.

The incoming EU General Data Protection Regulation (EU GDPR) will supersede the DPA when it comes into force in May 2018, however Zeichner noted that “very little” had been said by the government about what data protection law would look like after Brexit.

“The GDPR will apply directly, without needing to be transposed into national legislation, so when the UK leaves the EU our main data protection law will still be the Data Protection Act 1998, which is now not fit for purpose,” said Zeichner.

“Falling back on the old system will not be good enough; we need to be moving forward into the 21st century in data protection, not backward into the last century.”

Zeichner fears that the UK won't be able to “remain a major player on the digital stage”, as in order companies to trade with countries in the EU, it would need to adopt data protection rules “at least equivalent” to those of the EU.

“Many businesses and services operate across borders, and international data flows are essential to UK business operations across multiple sectors,” Zeichner said. “The danger is that, to paraphrase, when it comes to data, Brexit could mean exit for tech.”

In response, Matt Hancock, The Secretary of State for culture, media and sport, agreed and said: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public,” and added, “the government are considering all options for the most beneficial way of ensuring that the UK's data protection regime continues to build a culture of data confidence and trust that safeguards citizens and supports businesses in a global data economy.”

However, Hancock highlighted that the UK government needs to “press ahead” with preparations for the GDPR. Hancock also agreed that there was work to be done to ensure that “data flows with the EU are not interrupted after we leave”.

Zeichner then called on Hancock to explain why the Digital Economy Bill and the Investigatory Powers Act made “little mention” of how they would adhere to the GDPR.

Speaking on this issue with SC late last month, Emma Wright, commercial, regulatory telecom and technology partner at law firm Kemp Little said: “The issue at hand here goes back to one highlighted by the Schrems case, who took Facebook to court, as his data was being processed and stored in a country with lesser data protection standards than those where he resides.”

Wright said: “I believe we are headed to a world where the IP Bill will cause problems with regards to data flows between countries post-Brexit, as Europeans will be cautious trading with a country that has such extreme surveillance laws, as those in other countries will not be able to guarantee they will be compliant with the GDPR.”

In response to Zeichner, Hancock argued that the Digital Economy and Investigatory Powers bills are written the way they are because they was expected to come into force before the GDPR, and that it was not possible to draft legislation in anticipation of future legislation.

“If and when legislation is proposed to amend an existing system such as the Data Protection Act, one would expect it to include an amendment to the Digital Economy Bill, should this Parliament enact it, in order to make it consistent,” Hancock said. “It is neither possible nor logically sensible to legislate in anticipation of future legislation, even if we fully expect it to come into force.”