Greater Protection for Individuals and Larger Fines for Organisations Under a New UK Data Protection Bill

In a statement of intent published on 7 August 2017, the UK Government committed to updating and strengthening data protection laws through a new Data Protection Bill (the “Bill”). The Bill will incorporate the new EU General Data Protection Regulation (the “GDPR”) into UK law.

According to the UK’s Minister of State for Digital, Matt Hancock, the Bill will “give [the UK] one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”

Under the Bill and in accordance with the GDPR, the UK’s Information Commissioner’s Office (the “ICO”) would be given the power to issue higher fines, of up to £17 million or 4% of global turnover, in cases of the most serious data breaches. In addition, the Bill would create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, for which the maximum penalty would be an unlimited fine. The Bill would also widen the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully).

The GDPR permits Member States to introduce a number of derogations in specific areas. The statement of intent sets out a number of instances where the UK plans to implement these derogations including, for example:

  • The UK intends to set the minimum age at which a child using information services can consent to data processing at 13 years.
  • In respect of the right under the GDPR for an individual not to be the subject of automated decision making, including “profiling”, the UK intends to implement the exemption that applies where the decision is authorised by Member State law, “with a view to ensuring legitimate grounds for processing personal data by automated means.”
  • With regard to individual rights under the GDPR, the UK will legislate to ensure that research organisations will not have to: (i) respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes; or (ii) comply with an individual’s rights to rectify, to restrict further processing and to object to processing where this would seriously impede their ability to complete their work, provided that appropriate organisational safeguards are in place to keep the data secure.

We understand the Bill is likely to be introduced to Parliament before the end of 2017.