Aug 102017

Greater Protection for Individuals and Larger Fines for Organisations Under a New UK Data Protection Bill

William RM Long and Francesca Blythe
, , , , , ,

In a statement of intent published on 7 August 2017, the UK Government has committed to updating and strengthening data protection laws through a new Data Protection Bill (the “Bill”). The Bill will incorporate the new EU General Data Protection Regulation (the “GDPR”) into UK law.

According to the UK’s Minister of State for Digital, Matt Hancock, the Bill will “give [the UK] one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”

Under the Bill and in accordance with the GDPR, the UK’s Information Commissioner’s Office (the “ICO”) would be given the power to issue higher fines, of up to £17 million or 4% of global turnover in cases of the most serious data breaches. In addition, the Bill would create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data where the maximum penalty would be an unlimited fine. The Bill would also widen the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if the they initially obtained it lawfully).

The GDPR permits Member States to introduce a number of derogations in specific areas. The statement of intent sets out a number of instances where the UK plans to implement these derogations including, for example:

  • The UK intends to set the minimum age at which a child using information services can consent to data processing to 13 years.
  • In respect of the right under the GDPR for an individual not to be the subject of automated decision making including “profiling”, the UK intends to implement the exemption of where the decision is authorised by Member State law, “with a view to ensuring legitimate grounds for processing personal data by automated means.”
  • With regard to individual rights under the GDPR, the UK will legislate to ensure that research organisations will not have to: (i) respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes; or (ii). comply with an individual’s rights to rectify, restrict further processing and, object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure.

We understand the Bill is likely to be introduced to Parliament before the end of 2017.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.