The EU Data Protection Package: the UK Government’s perspective
Speech by Baroness Neville-Rolfe DBE CMG, Minister for Data Protection, at the Privacy Laws & Business annual conference on data protection
Good afternoon. Can I begin by thanking Stewart Dresner, Chief Executive, Privacy Laws & Business, and his colleagues for organising this very important event. There are some very interesting issues up for discussion over the next two days, such as cyber security, international transfers of data and the Internet of Things.
I will start if I may by tackling the elephant in the room. Of course the world has been changed by Brexit and for a period the future will be more uncertain. And I will have to be less definite today about the detailed UK line on many things than I would have been a short while ago.
But the problems this conference was called to address are still important and we will still need to develop policies to meet the same problems. The answers will need to draw on the same facts and needs. So while the detailed future may be different from what was envisaged 10 days ago, the underlying reality on which policy is based has not changed all that much.
One problem is that we do not know how closely the UK will be involved with the EU system in future. On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way.
But what we must do is tackle the issues calmly and think about the opportunities as well as the challenges. I have this attitude as a result of my business experience and indeed my own background as the daughter of a father who reinvented himself as a Brussels consultant after his farming business failed.
We need to unleash economic dynamism to reverse any Brexit downturn by getting people to pull together under a new Prime Minister and by finding the right regulatory and trade arrangements in Europe and internationally. So I am very much in listening mode right across my portfolio which currently includes IP, professional and business services and the Single Market.
However the politics turn out, the basic problems we face on data will not be very different. These are how do we protect data and indeed, at a more fundamental level, what do we mean by data?
I suggest ‘data’ represent units of information that pass through systems; and ‘protection’ generally refers to the technical or procedural means by which that information is protected. Strictly speaking, this is accurate. This is the lens through which organisations often view data protection issues. They have been seen first and foremost as technology or IT issues.
But data protection can be viewed through a different lens. On this view ‘data’ represent people, individuals with personal lives, reputations, and livelihoods increasingly enmeshed with the technology we rely on through the data they share. If organisations misuse or lose this data they are breaching not only people’s rights, they are invading their privacy. They risk damaging people’s wellbeing not just data sets.
In the correspondence I receive as a Minister, people don’t talk about breaches and technology failures, they talk about their distress, fear, anger and an erosion of trust. Technology shouldn’t therefore be the starting point for a response. ‘Protection’ should be about respect for individuals and the personal information they share in good faith. That should shift the focus in the board room from a technical issue to a reputational and commercial one.
And it is clear that it makes good business sense. £1 of every £5 earned by UK companies now comes from the internet; and a 2014 Nesta study of 500 UK firms found those making greater use of online customer data were up to 13 per cent more productive.
The European angle
Until recently my main focus in matters digital was on the impact of the EU Data Protection Regulation. As matters stood and perhaps still stand, it was expected to take effect in the UK by 25 May 2018. In line with what I said earlier we - all of us, I mean you here as well as government - need to consider carefully what might be done either to replace it if and when it ceases to have effect or, instead, if in the event it never comes into force.
As I have pointed out the future might take several different forms and we need to identify as quickly as possible how best to react to whatever path is eventually chosen.
Sharing data across national boundaries
One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward.
We will maintain close contact with the Information Commissioner’s Office during this transitional period as they have an important role in helping to guide organisations who are already working hard to prepare for implementation of the Regulation. We are fortunate to have a new Information Commissioner, a Canadian, Elizabeth Denham who starts here this month. I know she will bring a zest and a wealth of experience to the role and to this time of change.
In the meantime, the Data Protection Act continues to be the UK’s data protection legal framework and it is important that organisations continue to comply with it. We are also ensuring it works better with the Digital Economy Bill.
EU-US Privacy Shield
I should mention the negotiations to agree a renewed ‘Safe Harbor’ agreement by means of the new EU-US Privacy Shield. Again it is not quite clear how this will affect the UK, but we will need a satisfactory understanding with the US of the rules to be applied.
But what I can say is that I talked to the US Minister about this recently when I was in Cancun for a brilliant OECD conference on the digital economy. DCMS officials are currently in Brussels at an Article 31 Committee meeting, where they are going over the amended text of the Privacy Shield. I understand that the aim is to come to a swift conclusion on the text in the upcoming weeks.
Throughout the negotiations, the UK Government has been urging both the Commission and the US to conclude negotiations on this new legally robust adequacy decision, in order to provide clarity to the businesses that transfer data from the EU to the US, and to reassure citizens that their rights will be upheld in the new agreement. All of our discussions with the Commission and the US have recognised the need to strike the balance between commercial interests and fundamental rights.
I turn now to the relatively easy subject of cyber security - that is a major priority for this Government.
In November 2015, the Chancellor announced a £1.9 billion investment in cyber security over the next five years, including the establishment of a National Cyber Security Centre. The Centre will establish a single point of contact for industry to get advice and support on cyber security.
Businesses in all sectors should take action to protect themselves. Most successful cyber attacks exploit basic vulnerabilities, so this is a risk that can be easily managed by most firms. Good cyber security requires continual focus, leadership and commitment, not only to prevent breaches but also to detect and respond to incidents rapidly.
We have put in place a range of guidance and interventions to help businesses protect themselves online. The Government’s Cyber Essentials scheme has been developed to give industry, especially our 5.6 million small businesses so vital to economic dynamism, a clear baseline to aim for in addressing cyber security risks to their company.
Businesses can do more to ensure their staff have a greater understanding of cyber threats. To improve awareness within the industry, we have launched several free online training packages – including one for small businesses, and one specifically for law professionals – to raise awareness of cyber security and help staff improve their skills. My message today is ‘get on with it’.
Internet of Things
If political events were less exciting I could have waxed lyrical and long about the Internet of Things, how we are going to see exponential growth of ordinary objects and devices connected to the internet. Many of these devices are already on the market and in time nearly all products and services will have a digital element. This is a huge opportunity for Britain at home and overseas with its strength in digital, its creative, innovative people and strong universities to keep up the flow of new ideas and IP.
Where automation takes a large role, for instance in driverless cars, it will be important to have established a clear basis for dealing with protection of users and third parties, and liability. Tech UK’s IoT Council is working on a common industry approach to this kind of issue which I warmly welcome.
We will have more to say in our Digital Strategy in due course, but I think it would be imprudent for me to forecast its exact timing!
To quote the Chinese proverb we ‘live in interesting times’. The essentials are I suggest first, that the explosive growth in digital developments of all kinds will continue apace and second that the need to protect citizens’ interests and data will remain a priority. But how we achieve the latter objective has got a little more difficult. All of us - government, business, civil society and everyone else - must strive their best to do so. I am sure we will succeed; the sooner we think hard about how best to adapt to recent developments the better. That process can start today.
Thank you for listening - I look forward to hearing the results of your discussions in an area so close to my heart.