We are often asked by clients and prospects what happens to UK data protection laws after Brexit. Our regular answer, ‘not much’, has proven to be correct: the proposed UK Data Protection Bill and GDPR are meant to be aligned with each other.
Indeed, anything else would put UK businesses in a disadvantageous position, as they would not be able to exchange data freely with the EU after Brexit. And keep in mind this is one of the easy areas, where the results of the Brexit negotiations might not matter all that much: once UK laws are as favourable to individuals as the GDPR, the European Commission is likely to allow unrestrained data exports to the UK regardless of any new EU-UK relationship.
Harsher penalties
The new UK Data Protection Bill and GDPR are aligned when it comes to penalties, one of the GDPR’s underlying new policies potentially targeting international web giants: the Bill’s maximum penalties of £17 million or 4% of global turnover resemble the GDPR’s €20 million and the same percentage.
Obtaining consent becoming more difficult
The UK Data Protection Bill and GDPR both put focus on consent for personal data processing, which is no longer a formal, box-ticking exercise. Issues such as easy withdrawal of consent, children’s consent or consent to process sensitive personal data are all the focus of both the UK Government and GDPR. Children and adults may also choose to be ‘forgotten’ by social media platforms.
Broader definition of personal data
In the same way as some other EU countries have already done, the UK Data Protection Bill is expanding the definition of ‘personal data’ to include IP addresses. This is because ISPs and other entities can easily identify and trace individual users when they know their IP addresses. Furthermore, the definition would expressly include internet cookies and DNA.