Written by Nikolaos Theodorakis
A few days ago the UK’s Department for Digital, Culture, Media & Sport introduced the Data Protection Bill 2017 (“the Bill”). Once adopted by the legislature, the Bill will replace the Data Protection Act 1998, which is currently in force. The purpose of the Bill is to transpose the EU General Data Protection Regulation (“the GDPR”) and the EU Directive on the Processing of Personal Data by Government Authorities for Prevention, Detection and Prosecution of Crime (“the Law Enforcement Directive”) into UK law.
At the same time, the Bill aims to prepare the UK for its digital future after it leaves the European Union. The UK has strongly signaled its desire to prove that it will have equivalent data protection standards following Brexit, and to ensure a seamless data flow regime between the EU and the UK.
In summary, the Bill provides for the following:
- It transposes the GDPR into UK law
Part 2 of the Bill incorporates the main GDPR definitions and standards into domestic legislation. It also introduces some derogations, such as setting the age limit of required consent to age 13 and restricting the right to data access and erasure for reasons of public interest, including national security. In Chapter 2, it attempts to fill in gaps such as the definition of public authority and public interest. Certain rules on automatic decision-making are very similar to the Data Protection Act 1998, which signals the UK’s desire to depart as little as possible from its current regime, while implementing the GDPR.
The registration requirement is removed, yet the Bill allows the Secretary of State to make regulations regarding paying a charge to the Information Commissioner’s Office (the “ICO”) and providing information to the ICO to help identify the appropriate charge. Similar language is found in the UK’s Digital Economy Act, indicating that there will be a form of registration within the UK.
- It transposes the Law Enforcement Directive into UK law
Parts 3 and 4 implement the Law Enforcement Directive to the extent it relates to processing of personal data by UK law enforcement agencies, and by intelligence services and agencies. The Bill provides a tailored regime and offers the flexibility that UK agencies require for law enforcement purposes. It applies to processing for law enforcement purposes by bodies on a defined list of “competent authorities”. The general rules that it introduces are derived from previous legislation.
Part 4 provides a code of personal data processing. It draws from the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and includes changes made during its modernization process. It primarily reiterates the main principles of processing and provides the required exceptions for national security processing.
- It further regulates the functions and powers of the ICO
Parts 5 and 6 regulate the role of the UK ICO under the new data protection regime. The Bill formally provides the ICO with the investigatory, authorization and advisory powers found in the GDPR, including the power to impose administrative fines totaling up to £18m or 4% of annual global revenue, whichever is higher.
In light of Brexit, the ICO must develop wide international co-operation mechanisms. Rules on data sharing, direct marketing codes and consensual audits are preserved, as are the rules on disclosure of information to the Commissioner and the duty of confidentiality. The Commissioner may charge for services, but may not charge a data subject or a data protection officer, as already enshrined in the Digital Economy Act 2017.
The Bill also empowers the ICO to initiate criminal proceedings for certain offenses (e.g. where a controller or processor alters records to prevent disclosure pursuant to a subject access request). It also introduces certain criminal offences of:
- re-identification of de-identified personal data;
- alteration of personal data to prevent disclosure (where an individual has an access request); and
- retaining data against the wishes of the controller and then using it for an unlawful secondary purpose.
The Bill’s criminal enforcement dimension shows the UK’s strong determination to safeguard the country’s data economy. Moreover, the UK has had significant experience in the recent past with delegating criminal proceedings to independent agencies (e.g. the Serious Fraud Office).
- It provides data processing derogations
The Bill contains several Schedules. Schedule 1 describes additional grounds upon which data controllers can process sensitive personal data, including for scientific or historical research purposes, or for statistical purposes. Schedules 2 to 4 include exemptions from the obligations to provide a privacy notice to data subjects and to uphold the data subject rights provided for by the GDPR. Such exemptions include:
- Processing of personal data by journalists for freedom of expression;
- Processing by scientific and historical research organizations (e.g. museums and universities);
- Processing by anti-doping bodies;
- Processing related to anti-terrorist financing or money laundering efforts in the financial services sector;
- Processing of sensitive and criminal conviction data without consent to allow employers to fulfil employment law obligations.
These exemptions are almost identical to those included in the current Data Protection Act. This is a disappointing development: the GDPR refers to journalism and research organizations only as examples, and the Bill misses the opportunity to make full use of the permissible scope of the GDPR. This may be an unwelcome outcome for several industries that would wish to be included in such derogations.
The Bill had its first reading in the House of Lords on 13 September and is scheduled to have its second reading on 10 October. It is considered a lengthy and complex piece of legislation and it will likely be subject to several modifications before it takes its final shape.
After three rounds of readings in the House of Lords and another three rounds in the House of Commons, the Bill is expected to receive Royal Assent and officially become law. This process will likely last for a few months, but will in any event be concluded before the GDPR kicks in, on 25 May 2018.