It's clear that the Data Protection Bill (DPB), proposed on Monday by Matt Hancock, is barely short of plagiarising the EU’s General Data Protection Regulation (GDPR), which comes into force in May of next year.
In fact, there’s nothing glaring in the proposed DPB that isn’t already in the GDPR. It legislates better consumer control, enforced by a compliance regime, backed by heavy fines. Which begs the question: what’s the point?
Hancock says the rules will “prepare Britain for Brexit,” but offers no clarity as to how. It’s more than likely due to the acquis. Following Brexit, the Great Repeal Bill will transfer thousands of EU rules into UK domestic law, so that parliament can "amend, repeal and improve" the laws as necessary. The DPB is being presented as a post-Brexit equivalent to GDPR.
However, the GDPR is extraterritorial by nature – an international highest common denominator of data protection law. The obligations of UK businesses when handling EU citizens’ data won’t change one bit. The EU law will still have primacy in that sense, regardless of whether we remain in the Single Market, under the jurisdiction of the ECJ.
What’s interesting is the “amend and improve” aspect of the Great Repeal Bill. In its present form, it will grant ministers sweeping powers to make changes to EU laws without the approval of MPs.
This means that it would be remarkably easy to amend the DPB – which, given May’s draconian approach to technology, is concerning.
It is not far-fetched to believe that May’s unpopular proposals – from deeper corporate surveillance to outlawing end-to-end encryption – could be shoehorned into the DPB in the period following Brexit. Suspicions of the DPB being a sort of “Trojan Horse” are valid.
The GDPR is a very European piece of legislation: it was proposed to harmonise disparate data laws across the bloc. Once Brexit is complete, reclaiming sovereignty is meant to lessen the burden of red tape, but in this case could end up adding to it.
Although there is no indication it will happen at present, there are risks associated with amending, distorting, or watering down the GDPR text. Conflicting data standards will be a compliance nightmare for UK businesses, torn between upholding UK standards and those required to operate in the EU. The government must exercise caution, and prioritise ease of doing business over party dogma.