On 14 September 2017, the UK government announced the publication of the Data Protection Bill. The Bill is principally designed to:
- implement and supplement key standards of the General Data Protection Regulation (GDPR);
- outline where UK law will deviate from certain GDPR provisions; and
- update and strengthen UK law to make the shift to the GDPR (and the UK’s transition out of the EEA) as simple and as smooth as possible for businesses.
In this short update, we summarise the background to the Bill, key messages for businesses and what is likely to happen next.
Background to the Bill
The GDPR will automatically come into force on a harmonised basis across the EU from 25 May 2018, although EU Member States are able to derogate from certain GDPR requirements.
In its Statement of Intent of 7 August 2017 (summarised in our recent update), the UK government outlined how it would legislate to exercise its right to derogate from the GDPR (and deal with broader policy issues flowing from the 2017 Conservative party election manifesto).
The Bill is designed to address those earlier commitments within the parameters of the UK’s current rights and obligations as an EU Member State, while putting the UK in the best position possible to secure unhindered EEA-UK data flows post-Brexit (for the reasons outlined in our earlier article).
What are the key messages for businesses?
Structure and format
- The Bill is a particularly complex piece of primary legislation (running to just over 200 pages) and, rather than transposing the text of the GDPR in full, is designed to be read in conjunction with the GDPR. (This makes it slightly difficult to navigate in practice.)
- Large sections of the Bill are given over to law enforcement and national security processing and so only limited elements of the Bill are likely to be of direct relevance in a business context. The key ones include:
  - Part 2 – General Processing: This includes broad provisions applying key GDPR concepts and standards across all general data processing (presumably anticipating a post-Brexit model in which the UK falls outside an area of exercised EU legal competence), and specific modifications to certain GDPR concepts and individuals’ rights under the GDPR; and
  - Parts 5 and 6 – The Information Commissioner’s Office (ICO) and Enforcement: These include provisions designed to empower the ICO (the UK’s data protection regulator) to continue to regulate and enforce data protection laws, impose charges on data controllers and serve new “assessment notices” on businesses for the purpose of conducting mandatory data protection audits.
Modifications and extensions to the GDPR
- The Bill adopts many of the core concepts of the GDPR, but, as expected and trailed by the UK government in its Statement of Intent, extends or deviates from the GDPR in certain key permitted areas. For example:
  - Protecting children online: Section 8 of the Bill amends the GDPR to allow a child aged 13 years or older to consent to their personal data being processed by a provider of information society services (in its Explanatory Notes, the UK government expects most online websites to meet this definition) without parental consent also being required.
  - New criminal offence for intentionally or recklessly re-identifying data: Section 162 outlines a brand new criminal offence that applies if an organisation knowingly or recklessly re-identifies information that is “de-identified” personal data, without the consent of the data controller responsible for de-identifying the data. This offence was outlined in the UK government’s Statement of Intent. According to the Bill’s Explanatory Notes, a key policy reason for this provision is to protect anonymised online patient/medical data. However, the provision is particularly widely drafted and so could also potentially sweep up processing activities in other industries, such as ad targeting or data analytics activity where individuals are identified based on a third-party anonymous identifier (e.g. Apple’s IDFA identifier) or pseudonymous data (for example, by piecing together different data fields held separately to identify an individual’s online browsing habits).
- Once the UK has left the EU, the stated intention of the UK government is that the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill, currently before Parliament.
Repeal of the DPA, but preservation of its key concepts
- The Data Protection Act 1998 (DPA), which currently underpins the UK’s data protection regime, is expressly repealed in Paragraph 2 of Schedule 18 of the Bill. However, the UK government remains committed to integrating the GDPR into UK law in a way that as far as possible preserves the existing concepts of the DPA.
- For example, the Bill has preserved well-established DPA principles in the following areas:
  - Automated decision making: Section 13 of the Bill introduces new safeguards to protect an individual’s rights where they are the subject of automated decisions authorised by law. This safeguard generally replicates Section 12(2) of the DPA by obliging the decision-maker to notify the individual as soon as possible, and granting the individual a period of 21 days to request either human intervention, or that the decision is reconsidered.
  - Processing special categories of personal data and criminal convictions data: Employers will welcome the fact that the Bill continues to approach criminal offence data in a similar way to special categories of personal data (known as sensitive personal data under the DPA). Less welcome will be the additional obligation under Part 1 of Schedule 1 for an employer to have an appropriate “policy document” in place where it processes special categories of personal data and criminal convictions data for the purposes of performing its obligations under employment law. This policy document will need to set out how the employer intends to comply with the GDPR principles and its approach to data retention.
What can we expect next?
The introduction of the Bill into the House of Lords on 13 September 2017 represents just the first key stage of the Bill’s voyage through the UK legislative process (its progress can be followed on the Parliament website). Given the substantial wave of lobbying and debate likely to follow, there is scope for further changes before it finally receives Royal Assent.
It may, therefore, still be some time before we get any certainty on the final text of the Bill. Until then, the key message for businesses will be to continue with GDPR projects as planned, while weaving core themes and likely changes under the Bill into those activities. For example, employers currently mapping data or assessing the legal bases on which they process special categories of personal data and criminal convictions data will need to also consider preparing, as part of their remedial measures, an appropriate policy document to ensure their obligations are fully satisfied.