With the UK set to adopt the GDPR ahead of plans to exit the EU and the single market, questions remain over whether it would seek to amend or maintain compatible standards moving forward.
Information Commissioner Elizabeth Denham has said the UK will need to take a longer-term approach to data protection regulations and decide whether to continue to keep its law in line with EU standards once the country has formally terminated its membership of the bloc.
The European Parliament last year approved the General Data Protection Regulation (GDPR) that will apply across all EU member states from mid-2018 as a means to try and grant citizens improved control over how their information is being shared.
The UK government has confirmed that it will adopt the revised regulations for enforcement and control of data, which are intended to impact public sector bodies and business, before then considering how it may move forward with potential amendments outside of the bloc.
Speaking in London to the Institute of Chartered Accountants in England and Wales yesterday (January 17), Denham noted that while the UK would have to comply with GDPR by the time it exits the EU, uncertainty remains over how it would tackle key issues like privacy and protection outside the bloc.
"The big question is what happens when the UK leaves the EU. The legal relationship answers are for government to give - I'm a regulator, independent of government - but they've made it clear that EU law will remain UK law, until the government sees fit to repeal it," she said.
"Of course it's possible that in the years after the UK leaves the EU, parliament will debate amending the requirements of the GDPR."
Denham said that the ICO would continue to be part of any discussions over changes to UK data regulation, with a particular focus on playing up the need for protection and rights for consumers and clear laws for organisations.
Even with the GDPR just over a year away from being implemented, Denham said that legal challenges were also expected around international data transfer agreements like the EU-US Privacy Shield.
The Privacy Shield has been devised to set out clear safeguards and transparency obligations for US-based organisations processing data from EU citizens that will impact technology functions across the public and private sector. It replaces the 'Safe Harbour' transfer arrangement that was invalidated by the European Court of Justice (ECJ) last year, although critics argue the new agreement could face a similar fate without clearer safeguards and revisions.
"While some people believe that the substance of the agreement may be challenged by data protection authorities or through the courts, the advice for businesses is that Privacy Shield is a legitimate basis for transferring personal data to the US," said Denham. "The ICO welcomed the additional safeguards it provided compared to the previous safe harbour arrangement."
Denham's speech was delivered the same week as the Information Commissioner's Office (ICO) announced it was updating its guidance for organisations on handling data under the GDPR and on how to plan for the incoming regulation.
Jo Pedder, interim head of policy delivery for the ICO, said it would be providing details of its expected contributions over the next year to the Article 29 Working Party that brings together European data protection authorities.
"The central pillar to our guidance is the overview of the GDPR. We are developing the overview as a living document, adding content on different points as more guidance is produced by us and the Article 29 Working Party," added Pedder.