The UK Government published a new Data Protection Bill in September 2017, paving the way for a new Data Protection Act which will replace the existing DPA 1998. This is especially topical given the introduction of the EU General Data Protection Regulation (GDPR), which came into force in the UK on 25th May 2018.
The Bill is a lengthy document of more than 200 pages. In essence, it proposes to:
- implement the EU General Data Protection Regulation in full and transfer the Regulation into UK law
- build on provisions in the EU Regulation
- expand on areas of the GDPR where member states are permitted national discretion
- apply a “GDPR-like” regime to areas of processing personal data that are not covered by the GDPR (i.e. processing by Law Enforcement Agencies and Intelligence Services)
- future-proof UK data protection post-Brexit
The Bill is expected to be highly scrutinised, and is likely to undergo changes as it progresses through Parliament. It received its second reading in the House of Lords on 10th October 2017, with Lord Stevenson of Balmacara saying we can expect to see many amendments. Concerns were raised that the Bill is unnecessarily complex, and the GDPR text has not been embedded within it. Issues have been raised surrounding trying to secure adequacy post-Brexit and securing data flows if the UK leaves the Common Market. There are also calls for stricter controls for big tech companies.
The Government has published a number of factsheets alongside the Bill which include:
Structure of the Bill
• Parts 1 and 2 cover definitions and general processing and include the bulk of the GDPR.
• Parts 3 and 4 cover law enforcement and intelligence services processing
• Part 5 covers the Information Commissioner’s Office
• Part 6 covers enforcement and adapts the terms with the aim that when the UK leaves the EU (and is therefore no longer directly bound by the GDPR), national legislation will replicate EU legislation
• Part 7 – supplementary and final provision
1. Public Authorities (clause 6)
The Bill defines public authorities. This is important due to the limitations on public authorities’ abilities to rely on Legitimate interests as a lawful ground for processing under the GDPR Article 6(1)(f).
2. Special Categories of Personal Data and Criminal Convictions (clause 9 & schedule 1)
The Bill will allow, where justified, for the processing of special categories of personal data (formerly referred to as “sensitive data”) and criminal conviction data without consent. This includes allowing employers to fulfil employment law obligations.
3. GDPR Exemptions, Adaptations, Restrictions
The Bill exercises a range exemptions from, restrictions to, and adaptions of, the application of the rules of the GDPR. These are largely set out in Schedules 2-4. These include exemptions aimed at protecting professionals in a range of fields including journalism, scientific/historical research, anti-doping bodies and financial services. They also include processing for the detection of crime, protection of rights of third parties and legal professional privilege.
4. Children’s Age (clause 8)
Under Article 8 of the GDPR children are able to give their lawful consent to the processing of their personal data, in connection with the provision of information services, when they are at least 16 years old. However, the GDPR allows for Member States to lower the age, but no younger than 13. The Bill confirms that in the UK children from the age of 13 can give consent for the processing of their personal data in relation to information services. Those under the age of 13 will require the consent of a parent/guardian. The Bill also clarifies that the reference to “information services” does not include preventive or counselling services.
Under the GDPR individuals have the right not to be subject to automated decision making. Clause 13 of the Bill implements Article 22, but as the Bill progresses through Parliament the wording of this should be watched carefully, specially surround significant and legal effects. The Government confirmed in its Statement of Intent (published in August 2017) that it plans to implement the derogation under Article 22(2)(b) to allow for individuals to request that when a decision has been made about them, based solely on automated processing, that the processing is reviewed by a person rather than a machine. The statement said, “We will legislate to implement this exemption with a view to ensuring legitimate grounds for processing personal data by automated means. Individuals will have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to them which is based solely on automated processing and which produces legal effects or similarly significantly affects them, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.”
6. Transfers of personal data to third countries (clause 17)
The Bill provides for the UK to restrict the transfer of a category of personal data to a third country or international organisation where the transfer is not authorised by an adequacy decision under Article 45(3) of the GDPR and if the Secretary of State considers the restriction to be necessary for important reasons of public interest.
7. ICO Powers – New type of Assessment Notices (clause 140)
The Bill contains a new type of “assessment notice” – a notice requiring a controller or processor to permit the Commissioner to carry out an assessment as to whether they have complied or are complying with data protection legislation.
8. Charges payable to the commissioner by controllers (clause 132)
The requirement for registration has been removed, but the Bill does all for the Secretary of State to make regulations requiring controllers to pay charges to the Commissioner and to provide information to the Commissioner in order to help identify the correct charge to be levied. The exact position on this is not clear, but it’s possible these powers could see a form of registration being introduce.
9. Amount of Monetary Penalties (clause 152)
The Bill allows for national discretion surrounding the financial penalties organisations may face for non-compliance. It includes a provision for the UK Government to determine what constitutes an “undertaking’s turnover”.
10. New Offences (clauses 161-163)
The Bill proposes new offences of:
• Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data
• Altering records with the intent to prevent disclosure
Updated October 2017
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.