General Data Protection Regulation (GDPR)
,
Geo Focus: The United Kingdom
,
Geo-Specific
Tory Government Presses Ahead with Data Protection and Digital Information Bill
Members of the U.K. Parliament considering modifications to national privacy law heard assurances Wednesday that the European Union will go along with them.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
No longer member of the European Union, the United Kingdom nonetheless continues to enforce the General Data Protection Regulation, Europe’s sprawling privacy regulation, which Parliament incorporated as domestic law before the country’s 2020 exit from the continental trade alliance. The Conservative government is pressing for changes, re-introducing in March the Data Protection and Digital Information Bill as a home grown GDPR alternative. Proponents say the bill will free British businesses from bureaucracy, although industry associations and civil rights groups have criticized it (see: UK Reintroduces Bill Proposing Modifying Country’s GDPR).
The European Commission’s opinion of British privacy protections is still important even after Brexit since data transfers outside of Europe, absent specific authorization such as through a contract, require the commission to determine that a foreign country has an adequate level of protection comparable to the GDPR. The commission in 2021 made an adequacy finding for the U.K. but limited its duration to just four years. European officials said they introduced the sunset clause out of concern that Parliament could diverge the U.K. privacy framework from the GDPR.
The U.K. Office for National Statistics calculates that potentially digitally delivered services accounted for 73% of U.K. services exported to EU countries in 2020.
“The test the European Commission applies to determine adequacy decision is to check if the law is essentially equivalent,” John Edwards, U.K. information commissioner, said during a Wednesday public bill committee hearing.
“U.K. GDPR retains all the rights of the European citizens. So I don’t think that the Commission would negatively review the U.K version on the law,” he said.
Some outside observers aren’t as sure, pointing to decisions by the European Court of Human Rights that British bulk intelligence gathering violated the right to private communications.
Government access to data for national security and intelligence purposes is something that the EU is going to be strict about, said Bojana Bellamy, president of the Centre for Information Policy Leadership, in testimony before the committee.
“This is something the EU is going to be very interested to make sure that that’s not where the bar goes down. But there’s no reason to believe so and there’s nothing in the bill to tell us so,” she said.