UK to repeal sections of the Data Protection Act as part of GDPR reform process, says minister

Out-Law News | 02 Feb 2017 | 10:12 am | 3 min. read

The UK government plans to introduce legislation later this year which will repeal some sections of the Data Protection Act as part of the process of adopting the EU's General Data Protection Regulation (GDRP), the UK's digital minister has confirmed.

Matt Hancock told a UK parliamentary committee that the move is necessary to ensure the UK's data protection framework is consistent with the GDPR. Hancock has previously confirmed that the GDPR will come into effect in the UK on 25 May 2018, as in other EU countries, despite the UK being in the process of leaving the EU.

"Parts of the Data Protection Act will need to be repealed for data processing to be in scope of the GDPR and it is necessary to ensure that we don't end up with the Data Protection Act duplicating or creating inconsistencies with the GDPR because the GDPR will be directly applicable, so we will be bringing forward legislation in the next [parliamentary] session in order to put that into practice," Hancock said.

Hancock told the EU Home Affairs Sub-Committee in the House of Lords that the UK government thinks the GDPR is "a good piece of legislation".

"My view is that the requirements that it brings in are consistent with best practice for handling data anyway so companies that handle data appropriately, have good cybersecurity arrangements and respect the privacy of their customers or those they hold the data of shouldn't find this much of a burden, but it will require some companies that don't have best practice to come up to speed," Hancock said. "I don’t think that is a bad thing given how increasingly important data is in corporate activity."

The minister said he does not "foresee any great changes" being made to UK data protection laws once the UK is out of the EU. He previously said the UK government would consult stakeholders on whether to "apply flexibilities" in the GDPR which allow EU member states to write their own data protection rules in some areas covered by the Regulation.

Hancock was questioned by the committee on whether the UK government plans to pursue an 'adequacy decision' from the European Commission to ensure personal data can continue to flow freely between the UK and EU countries post-Brexit. In response, Hancock said there are other ways that the UK could "secure the unhindered flow of data between the UK and the EU post-Brexit".

"We are keen to ensure that data flows are unhindered," Hancock said. "I'm not going to go into the details of how we do that whilst negotiations [on the UK's exit from the EU] are yet to begin. Our goals are clear which is that we want an arrangement that provides for the unhindered exchange of data within an appropriate data protection environment."

"We seek not only unhindered data flows but for that to happen in an uninterrupted way. That is to say that the morning that we have left the European Union it is very important that our data rules work so that there is an uninterrupted system in place," he said.

"An adequacy decision could work. There are many different ways that you could make this work. We have got to have a view both on our future position with the EU but also our future position with other jurisdictions that themselves have high quality data protection regimes, like the US being the most obvious example, and make sure we have free flow of data with them too, which currently we do through the EU but instead we will have to do directly [post-Brexit]," he said.

Hancock said the UK government had decided to adopt the GDPR "in full" so that UK data protection laws will match EU laws which he said will "maximise the ease with which we can negotiate an uninterrupted and unhindered flow of data" for when the UK exits the EU.

"We are starting from a position of harmonisation rather than a position of difference," he said.

Hancock also faced questions on whether the UK government intends to seek its own agreement with the US on the trans-Atlantic flow of personal data in similar form to the existing EU-US Privacy Shield to take effect when the UK leaves the EU. Hancock said "making sure that US-UK business can take place post-Brexit is a very important consideration for the government at the moment" and that he is "confident" that the UK and US can "come to a successful agreement to make sure that we have the same unhindered flow of data with the US as we do now".

Hancock also confirmed that the UK government has applied to intervene in a legal challenge brought against the EU-US Privacy Shield. He said he believes the data transfer framework is "robust" and is "confident" the two legal challenges brought against the Privacy Shield, including the one the UK seeks to intervene in, will fail.