Data Protection Bill – A new framework for data protection in the UK
Coming in at a massive 194 sections, with 18 schedules, the Data Protection Bill was introduced in the House of Lords last week. It will replace the Data Protection Act 1998 (DPA) and aims to set new standards for protecting personal data, within the requirements of the General Data Protection Regulation (GDPR), and help prepare for a post-Brexit data protection regime.
Key aspects of the Bill include:
A single framework for data protection
The Bill aims to create a single, comprehensive and simple framework for data protection. Prior to Brexit, the GDPR will apply directly in the UK and so the Bill will work in tandem with the GDPR. Post-Brexit, the Bill ensures that GDPR standards will continue to apply to data processing on a single, domestic legal basis. This aim is, however, not helped by the drafting, which includes multiple cross-references to the GDPR, meaning that, to understand it, the reader needs to keep both the Bill and the GDPR open for cross-referencing!
The Bill also contains provisions relating to law enforcement processing – thereby implementing the Law Enforcement Directive into English law – and relating to intelligence services processing. Again, it sets out a single domestic and trans-national regime based on the GDPR standards for processing such categories of data.
Derogations from protection
The GDPR allows Member States to enact derogations from rights and duties in certain situations relating to general data processing. The Bill aims to preserve certain existing exemptions that have worked well under the DPA. For example, the Bill replicates the current provisions in the DPA that allow the processing of sensitive personal data (called special categories of data under the GDPR and the Bill), and criminal conviction and offences data, without explicit consent in certain circumstances. There are also exemptions for processing personal data for literary, journalistic or academic purposes, which again largely reflect the current system.
Under the GDPR, individuals have the right to object to decisions made about them solely on the basis of automated processing, if those decisions have legal or other significant effects – e.g., data about an individual’s personal finances. The Bill again replicates existing additional safeguards in the DPA.
The GDPR also allows Member States to set the threshold for the minimum age for a child to consent to data processing when using information society services, i.e., most websites, including social media and search engines. The Government has decided to set the minimum age for a child to consent to such processing at the lowest possible level of 13 (the GDPR allows for the level to be set at 13-16 years).
Enforcement and offences
The Bill enacts the additional powers contained in the GDPR for the Information Commissioner (ICO), including the power to impose higher administrative fines of up to £18m or 4% of global turnover. Under the current regime, the maximum fine that can be levied by the ICO is £500,000. However, the ICO has been quick to reassure businesses in an excellent series of blog posts that seek to ‘separate the facts from the fiction’, asserting that the power to impose increased fines will be used ‘proportionately and judiciously’.
Whilst the existing criminal offences in the DPA are maintained (with modifications to meet the GDPR framework), new offences will be introduced including:
- A new offence of knowingly or recklessly re-identifying individuals whose personal data is contained in anonymised data – as recommended by Dame Fiona Caldicott in her July 2016 Review of Data Security, Consent and Opt-Outs.
- Alteration of personal data to prevent disclosure following the exercise of a subject access right.
What happens next?
The Bill will no doubt be subject to amendment as it makes its way through the legislative process. Having been introduced in the House of Lords last week, it will have its second reading in the Lords on 10 October. We will report further on developments and key issues in a future blog.
In addition to the Bill itself, the Explanatory Notes contain a useful summary of the Bill’s provisions and the background to the Bill. The Government has also issued Factsheets on the following: