UK Government Publishes Draft Data Protection Bill
On 13 September 2017, the UK Government introduced the new Data Protection Bill (the “Bill”) in the House of Lords. If enacted, the Bill will repeal and replace the existing Data Protection Act 1998 and supplement the EU’s new General Data Protection Regulation (“GDPR”).
The GDPR takes effect in EU Member States on 25 May 2018 and will have direct effect in the UK until after the UK has left the EU. In addition to applying GDPR standards, the Bill is intended to implement a number of derogations by the UK that are permitted under the GDPR, and to carry over from the Data Protection Act 1998 a number of exemptions previously negotiated by the UK. Once the UK leaves the EU, the government anticipates that the Bill will function as a stand-alone data protection law for the UK.
The Bill considers five key areas:
- Part 2: General processing;
- Part 3: Law Enforcement processing;
- Part 4: Intelligence services processing;
- Part 5: The Information Commissioner; and
- Part 6: Enforcement.
General Processing
This element of the Bill implements the GDPR’s standards across all general data processing and also provides clarity on some of the definitions used in the GDPR in the UK context.
Part 2 exercises a number of possible Member State derogations under the GDPR, such as:
- setting at 13 the age from which parental consent is not needed to process an individual’s data online; and
- restricting data subjects’ right to access and delete data, where there is a strong public policy justification, including for national security purposes.
Law Enforcement Processing
The general data processing provisions found in the Bill do not apply to processing by law enforcement or national security agencies. Part 3 of the Bill therefore provides a bespoke regime for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes.
National Security Processing
As with law enforcement processing, the Bill also creates a bespoke regime for national security data processing. This will be based on the regime for processing personal data by intelligence services which has been proposed (but not yet agreed) by the Council of Europe’s Convention 108.
The Information Commissioner
The current Data Protection Act 1998 established the post of the Information Commissioner and provided for the Information Commissioner’s Office (ICO). As the 1998 Act will be repealed, the Bill makes provisions for the continuing existence and functions of the ICO.
The Bill allows the ICO to levy administrative fines on data controllers and processors for the most serious breaches of data protection law of up to £18m or 4% of annual worldwide turnover, whichever is greater. These levels reflect the maximum level of administrative fines set by the GDPR and merely convert the euro figures in the GDPR into a fixed amount in pounds sterling.
However, unlike the GDPR, the Bill also empowers the ICO to bring criminal proceedings for offences including, for example, where a controller or processor alters records with the intention of preventing disclosure following a subject access request.
The Bill also creates a new offence criminalising the deliberate re-identification of individuals whose personal data is contained in anonymised data.
Exemptions from the GDPR
Schedules 2 to 4 of the Bill set out negotiated exemptions from the GDPR. These exemptions include:
- the safeguarding of the processing of personal data by journalists for freedom of expression and to expose wrongdoing;
- the exemption of scientific and historical research organisations from certain obligations that would impair their core function;
- an exemption for the processing of personal data by national anti-doping agencies;
- an exemption for processing carried out on the grounds of suspicion of terrorist financing or money laundering; and
- where justified, the processing of sensitive data without consent to allow employers to fulfil obligations of employment law.
The Bill’s second reading, a general debate on all aspects of the Bill in the House of Lords, is scheduled for 10 October 2017. This will be the first opportunity for members of the House of Lords to debate the Bill’s principles and to flag specific areas they believe require amendments. After a committee stage, a report stage and third reading, all in the House of Lords, the Bill will then pass to the House of Commons.