It is likely that the General Data Protection Regulation (GDPR) based on EU law will no longer apply in its current form – meaning the legal framework for processing health data and personal data is set to change in the UK, an employment lawyer has warned.
Melanie Stancliffe, partner at law firm Cripps, told Health & Protection the Retained EU Law Bill will change laws that are EU-law based, with the current version set to revoke all retained EU law on 31 December 2023 or at a later date prior to 23 June 2026, unless MPs codify the existing rules into UK law.
Stancliffe added the bill will remove the special status of the retained EU law at the end of 2023, at which point it will be known as “assimilated law” but it is unclear exactly how rules will change.
The difficulty is that the bill was not accompanied by any policy statement from the government explaining how it intends to use the mechanisms in the bill, leaving the extent to which the law will change uncertain, Stancliffe explained.
But she added that she expects that GDPR and regulations originally based on EU law will no longer apply as they are.
Though Stancliffe also pointed out that the UK’s Data Protection Act 2018 would seem to be outside the scope of the bill and is set to stay in its current form.
“We know that a new draft law, entitled the Data Protection and Digital Information Bill, was proposed by Boris Johnson’s government to overhaul UK data protection law but that has been put on pause,” Stancliffe said.
“That overhaul flowed from a public consultation the aims of which were to give individuals greater clarity over their rights and a clearer sense of how to determine access to and benefit from their own data and clarify the lawful grounds for processing data to provide research organisations with a platform to innovate and make medical breakthroughs enabling better care for individuals.”
Speaking at the Conservative Party Conference in October this year, Michelle Donelan, secretary of state for digital, culture, media and sport, said GDPR will be replaced with tailored business and consumer-friendly UK rules. As a result, Stancliffe’s message for the industry is to “watch this space” on the future direction of regulation.
“We need to watch this space to see what the new British data protection system will entail,” Stancliffe said.
“The commercial approach would be to amend, rather than replace, existing UK data protection legislation, so that the UK continues to use a similar framework to the EU countries to whom data may be transferred.
“The difficulty for organisations now is the lack of any clarity on what that new British data protection law will look like.”