The Data Protection Bill (the Bill) will replace the Data Protection Act 1998 and implement key choices under the EU’s General Data Protection Regulation (GDPR), which comes into force in May 2018.
The Bill will ensure that GDPR provisions continue to apply in the UK even after GPDR itself ceases to have direct effect after Brexit. This reflects an unprecedented alignment with non-UK law after Brexit.
The Bill gives data subjects more control and more rights over their personal data. Organisations will be required to comply with tightened rules on consent, transparency and erasure.
Significant fines for non-compliance can be imposed on organisations with the maximum fine set at either 4% of global turnover or £17 million, whichever is higher. Interestingly, the Bill also provides the UK government with the power to determine how an organisation's turnover would be calculated.
An overview of the new Data Protection Bill
The government anticipates that creation and use of data will add £241 billion to the UK economy between 2015 and 2020.
The Bill sets out three objectives of the UK government:
- Maintaining trust and confidence of data subjects that their data will be handled securely, legally, responsibly and ethically.
- Ensuring that organisations in the UK are able to transfer data to and from countries in the EU and beyond.
- Safeguarding the UK's security and law enforcement authorities’ ability to collect, share and process personal data for national security purposes.
The main aim of the Bill is to ensure that data can continue to flow freely between the UK and EU countries after Brexit when the UK will be classed as a ‘third country’ by the EU. Under the EU’s data protection framework, personal data can only be transferred to a third country where an adequate level of protection is guaranteed by the government of that country.
The UK’s Information Commissioner will have its powers strengthened and extended to help it police and enforce the new data protection regime.
What are the key changes?
The legislation will:
- make it easier for people to withdraw their consent for their personal data to be used
- enshrine the “right to be forgotten” into UK national law, allowing people to ask for their data to be deleted e.g. by social media companies and online traders
- require companies to obtain explicit consent when they process sensitive personal data
- expand the definition of personal data to include IP addresses, biometric data and cookies
- allow people to obtain the information organisations hold on them much more freely, via subject access requests
- provide data subjects with broader rights to claim compensation for breaches where “other adverse effects” are suffered. Currently, compensation can only be claimed for breaches that cause financial loss or distress.
- create new criminal offences of:
- intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data
- altering records with an intent to prevent disclosure to a data subject following a subject access request
- unlawfully obtaining or disclosing personal data without the data controller’s consent.
Exemptions and derogations
The Bill includes “vital” exemptions and derogations from data protection law which allow organisations to process personal data where it is necessary for legal or public interest reasons. Groups that will benefit from for example the “freedom of expression” exemption include:
- journalists who access personal data on the grounds of freedom of expression and to expose wrongdoing
- scientific/historical research organisations from certain obligations that would impair their work
- anti-doping bodies that are trying to catch drugs cheats
- financial services bodies that suspect terrorist financing or money laundering.
Employers can also benefit from an exemption when processing special categories of personal data (religious beliefs, health data, political opinion, etc.) and criminal convictions if they comply with applicable conditions, such as obtaining explicit consent or including details in a policy.
Children’s rights
GDPR allows implementing states to select an age (between 13 and 16) at which a child can consent to the processing of their personal data for the purposes of the “information society” envisioned by the EU and indeed the UK. Interestingly this departs from the European Commission’s original proposal which established 13 as the standard age of consent. Member states have so far differed in their choices: Germany, Netherlands and Hungary have not derogated from the age of 16, while the UK, Ireland and Spain have opted for the age of 13.
Since the Data Protection Directive 1995, which did not mention the word "children" at all, the focus on the rights of children is something which has considerably increased in GDPR and consequently the Bill. While new rights have now been granted to children, "child" is not defined in GDPR or the Bill. Given the restrictions on profiling and automated decision making in respect of children this could provide some further scope for interpretation; particularly as member states are given a choice as to the age that a child can consent.
Comment
The Bill’s drafting has been described as “ugly and complex”, a result of the multiple purposes being addressed simultaneously in a single piece of primary legislation: the Bill seeks both to select key choices available to EU members states under GDPR and incorporate and position a mirror GDPR regime to take effect seamlessly on Brexit an event that would otherwise automatically repeal all GDPR provisions under UK law.
We also note that the UK Withdrawal Bill currently allows substantive modification of this Bill by government ministers without the usual parliamentary scrutiny applicable to proposed changes to primary UK legislation, an observation that has already attracted political dissent and may therefore change as the Bill itself proceeds through the UK Parliament.
If you would like to discuss any aspect of this article or would like further information, please contact your usual contact from our data protection team.