Legal briefing | |

DCMS makes important announcement about the UK's data protection regime

DCMS makes important announcement about the UK's data protection regime

Overview

Recently, the DCMS announced three important developments on the UK data protection front:

  • The UK Government's approach to granting adequacy decisions in respect of third countries under UK GDPR, including a list of 'priority countries' that it will focus its assessment efforts on first.
  • Details of a consultation on the UK's future data protection regime, to be launched in September.
  • The identity of the preferred candidate for the role of Information Commissioner once the current incumbent, Elizabeth Denham, steps down in the autumn.


The Government's approach to granting adequacy decisions in respect of third countries

Data ‘adequacy’ is a status granted to countries which provide adequate standards of protection for personal data. An ‘adequacy’ determination means that personal data can be transferred from the UK to that country freely, in accordance with the terms of the relevant adequacy decision, without the need for organisations subject to UK GDPR to consider alternative transfer mechanisms.

As well as setting out details about how it will approach adequacy assessments (including a UK Adequacy Manual), the Government announced its top priority destinations for fast tracking adequacy decisions, including Australia, Colombia, the Dubai International Financial Centre, the Republic of Korea, Singapore, and the United States of America, and in the longer term: Brazil, India, Indonesia and Kenya.

Test for Adequacy

The DCMS has outlined its "Test for Adequacy". The goal is that when personal data is transferred internationally, the level of protection under the UK GDPR is not undermined. To determine this, the DCMS will consider the overall effect of a third country’s data protection laws, implementation, enforcement, and supervision.

When understanding how a third country protects personal data, the Government will - amongst other things - consider the following factors:

  • The rule of law, respect for human rights and fundamental freedoms,
  • The existence and effective functioning of an independent regulator; and
  • Relevant international commitments

The four phases of granting an UK adequacy decision will be initial gatekeeping; more detailed assessment; recommendation to the Secretary of State; and finally the procedural steps necessary to formally put the decision in to effect.

Consultation on the UK's data protection regime

The Government intends to break down barriers to innovative and responsible uses of data so that it can boost growth and unlock what it sees as the considerable value in data. It intends to do this while at the same time maintaining secure and trustworthy privacy standards. There isn't a great deal of detail on what the consultation will involve and what proposed changes might be made to the regime, however, indications in further press interviews suggest different, less burdensome rules for start ups and small businesses, and a move away from the tick box consent culture for using website cookies.


The Government's preferred candidate for Information Commissioner

John Edwards has been named as the Government's preferred candidate.

John Edwards was appointed as New Zealand’s Privacy Commissioner in February 2014. He is currently serving his second five-year term and is responsible for the implementation of New Zealand’s newly passed Privacy Act 2020. If appointed, his mandate will expand to include a balanced approach which promotes further innovation and economic growth. His pragmatic and no-nonsense approach is thought to fit well with the Government's plans for reform.

Commentary

Whilst these are all potentially exciting developments, much will depend on the detail, and also timescales for reform. In addition, whilst any such reform may well be helpful for those organisations which only operate under UK GDPR, the reality is that it may not make that much practical difference for the many UK based organisations which by virtue of their operations also have to ensure compliance with EU GDPR. Meanwhile, the UK will have to tread a careful line between achieving the reform it wants and keeping the EU on side.  

James Longster - Commercial, IP & Technology Partner at Travers Smith, says: "we’ll await further details of the proposals, but the EU will also be watching - maintaining 'adequacy' in the eyes of the EU will, we assume, be an important aim of the UK government too."

Get in touch

Read Dan Reavill's Profile