8 November 2017
In September 2017, the UK government published its Data Protection Bill, intended to provide a “complete data protection system”. What does this mean for the GDPR?
What’s the issue?
The General Data Protection Regulation (GDPR) will apply from 25 May 2018 at which point the UK will still be in the EU. The government has committed to applying the GDPR. This only tells part of the story, however, because the GDPR will not necessarily make sense in its entirety once we are no longer in the EU. For example, without explicit agreement to the contrary, the UK will become a third country for the purposes of data exports, and it will not have a seat on the European Data Protection Board.
What’s the development?
The UK government has published its draft Data Protection Bill. While the government has presented the Bill as its own initiative, it is fair to say that its primary aim is to incorporate the GDPR and the Law Enforcement Directive into UK law and deal with permitted derogations. It also hopes to provide continuity during and after Brexit and to ‘Brexit proof’ the legislation so that it continues to work in a post-Brexit environment. The Bill is intended to come into force from 25 May 2018, the date from which the GDPR will apply.
What does this mean for you?
The message is very much to carry on with full GDPR implementation because the rights and obligations are essentially the same. However, the Bill also deals with those areas of the GDPR where it is left up to Member States to add in or vary. As we have said before, there are far more of these than were initially intended, leading to a watering down of the concept of a single EU data protection regime. Schedule 6 also attempts to amend those parts of the GDPR that will no longer work once the UK leaves the EU and personal data processing is no longer covered by Union law in the UK, for example, removing references to “Union and Member State Law”.
This means that in the UK, the GDPR has to be read alongside the Bill, in particular, the derogations and schedules. Unfortunately, this is not an easy task as, on the whole, the Bill makes reference to GDPR clauses, rather than reproducing them. Having said that, the Bill will not change the fact that by 25 May 2018, organisations will have to comply with the GDPR.
The Bill recently had its second reading in the House of Lords and a number of amendments are being tabled so it may yet change.
Parts 1 and 2 - set the context, scope, definitions and general processing provisions. Key points to note include:
- Online age of consent - in relation to children’s consent, the Bill sets the threshold at 13, below which parental consent is required in relation to offering internet society services to children. It also makes clear that the term “internet society services” in this context excludes preventative or counselling services.
- Special data - in relation to the processing of special categories of (i.e. sensitive) personal data and data on criminal convictions, the Bill allows for lawful processing under Articles 9(2) and 10 of the GDPR where the processing meets a condition in Part 1 or, where relevant, Part 2 of Schedule 1 of the Bill (see below).
- Automated processing/profiling - in relation to a person’s GDPR right not to be subject to profiling and automated decision-taking, the Bill includes provisions arising under Article 22(b) of the GDPR that exclude from this right decisions authorised by Member State law to which the controller is subject. The wording of the Bill here may also potentially limit the GDPR right by describing a decision as a “significant decision” if it: a) produces legal effects concerning the subject; or b) “significantly” (rather than “similarly”, the word used in the GDPR) affects the data subject. We will wait to see if this is in fact a ‘significant’ issue or merely a legislative typo.
Part 5 - provides for the continuing role and duties of the Information Commissioner (the ‘ICO’), including the ability of the ICO to charge a fee for providing certain services (to be determined) and the ability to continue to require data controllers to pay charges, regardless of whether the ICO has provided them with a service, in order to fund the ICO in discharging its functions.
Part 6 - sets out the enforcement powers of the ICO, including the issuing of information, assessment and enforcement notices, powers of entry and inspection and the ability to impose fines in line with the limits within the GDPR. Unlike the GDPR, the Bill does give the ICO a level of discretion on the amount of a fine, including by taking account of any aggravating or mitigating factors. Any fines are payable in sterling and will be determined by applying the Bank of England spot rate of exchange on the day a penalty notice is given to the Euro amount set in the GDPR.
In addition to the existing offence under the Data Protection Act 1998 (the ‘DPA’) of unlawfully obtaining personal data (which is amended slightly to also cover retaining personal data after unlawfully obtaining it, without the consent of the controller), there are two further proposed offences. The first applies to knowingly or recklessly re-identifying information that has been de-identified, without the consent of the controller responsible for de-identifying the data. The second arises in the context of receiving a subject access request, where it would be an offence to deliberately alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure.
Part 7 - includes a number of supplementary provisions and offences, including the existing prohibition against use of enforced subject access, as well as other provisions on how the law applies to different parties and bodies. This Part also includes further definitions and defined expressions.
The schedules, of which there are 18, include the bulk of the detail of the provisions relevant to exceptions or derogations applicable to certain types of processing. In particular:
- Schedule 1 - sets out conditions relevant to meeting requirements for the lawful processing of sensitive personal data and of criminal convictions data.
- Schedules 2-4 - set out exemptions that seek to restrict the rights and obligations under specific provisions of the GDPR for particular types of processing and by certain types of bodies. These exemptions (including the journalistic exemption) are broadly similar to those found within the current law, albeit with a few adjustments. These adjustments include, at Schedule 2, the inclusion of processing for ‘academic purposes’ within the ‘special purposes’ exemption alongside processing for literary and artistic purposes. Schedule 2 also adds a separate test to the exemption carried over from the Data Protection Act 1998 for disclosures required by law or in connection with legal proceedings: under the Bill, that exemption applies only to the extent that applying the relevant GDPR provisions would prevent the controller from making the disclosure for that purpose.
- Schedule 3 - includes exemptions specific to health, social work, education and child abuse.
- Schedule 4 - restricts the application of GDPR provisions in cases where disclosures are prohibited or restricted by way of other law, particularly in the context of human fertilisation, adoption, statements of special educational needs and parental orders and reports.
- Schedule 6 - seeks to future-proof the law so that it continues to work post-Brexit, including by modifying the scope provisions and references in the GDPR so that they have the same effect as references to the UK and domestic law.
- Schedules 12-16 - set out further detail on the appointment, tasks, role and powers of the Information Commissioner and the penalties that can be imposed.