Digital Minister Matt Hancock has confirmed the UK government will introduce a new data protection law. “It will provide everyone with the confidence that their data will be managed securely and safely blah blah.” The statement of intent (PDF) then lists the changes under GDPR.
What many don’t understand – or care about – is that GDPR is directly applicable in the UK on 25 May 2018. This means it doesn’t need a new UK Data Protection Act to become law. The 1972 European Communities Act does that already.
On Brexit Day 9 months later in March 2019, the Great Repeal Bill (aka the European Union (Withdrawal) Bill) will replace the EC Act. It will preserve or convert most EU laws into UK national law. The ones which will not make it will be the ones giving supremacy to EU law or the ECJ. Others will depend upon our Brexit deal, such as the curtailment of free movement of people. But GDPR will likely survive in UK law. (Note #1: If you’re hoping Brexit will kill GDPR, you’re in for a rude awakening. Note #2: it will be interesting if the UK Supreme Court interprets GDPR differently to the ECJ.)
The key issue of the new Data Protection Act is not what GDPR says, but those areas where GDPR allows national governments to take a different approach. The ICO lists some of these so-called “derogations”. They include national security, defence or the prevention, investigation, detection or prosecution of criminal offences. These are the ones in Article 23. But there are more:
- joint controller responsibilities (Article 26)
- legal acts allowing processors to process including transfers to third countries (Article 28)
- processing under controller’s authority (Article 29)
- the need to appoint a Data Protection Officer (Article 37, which Germany is seeking to enhance)
- limiting transfers in the absence of an adequacy decision (Article 49)
- secrecy obligations of supervisory authority staff (Article 54)
Now, that’s the bit of the new DPA that will be really interesting…