In line with the EU General Data Protection Regulation (GDPR), the UK has now published a Data Protection Bill, which is intended to “make our data protection laws fit for the digital age…” The Overview Factsheet for this Bill may be found here. This legislative initiative parallels that of several other EU Member States that have introduced similar bills to implement the GDPR.
What does this mean for data protection laws in the UK and the impending GDPR, which is due to come into force throughout the EU on 25 May 2018?
Aim of the Bill
The draft Bill (which will come into force on the same date as the GDPR) is designed to replace the Data Protection Act 1998 (DPA) in the UK, implement the GDPR and transpose the EU Law Enforcement Directive into UK law. As of May next year, the GDPR will become directly enforceable in the UK as in all other EU Member States, and this will remain the case until the UK’s withdrawal from the EU. The guidance published by the UK’s Department for Digital, Culture, Media & Sport explains the relationship between the GPDR and the Bill, following its enactment, as follows:
The Bill adopts the GDPR standards for all general data in the UK. Until exit negotiations are concluded, the UK remains a full member of the EU and all the rights and obligations of EU membership remain in force. Until the UK leaves the EU, therefore, the GDPR will operate in tandem with the Bill. When the UK leaves we will restore a wholly domestic basis to our data protection laws but the Bill allows for the continued application of GDPR standards. These standards were shaped with significant involvement of the UK, and combine support for innovative use of data with robust protections. The standards will also help open up trade and investment.
The Bill reinforces the message that businesses in the UK should continue to prepare for GDPR compliance, as the rights and obligations are largely the same.
However, one key purpose of the Bill is to provide additional detail where the GDPR leaves it up to Member States to add to or to vary certain provisions. The UK has made the most of these derogations to align the Bill with the current data UK protection rules, where possible. The Bill aims to:
Preserve existing tailored exemptions that have worked well in the Data Protection Act, carrying them over to the new law to ensure that UK businesses and organisations can continue to support world leading research, financial services, journalism and legal services.
The Bill is complex and runs over 200 pages. Key points to note include:
- Penalties – The maximum fine mirrors the GDPR at £17m (Euro 20 million) or 4% of global turnover. The ICO is also given powers to bring criminal proceedings where a controller or processor alters records with intent to prevent disclosure following a subject access request;
- Special Categories – The Bill allows for special categories of personal data and criminal offence data to be processed without consent in certain situations including the following:
- To allow employers to fulfil obligations under the employment law;
- To allow historic or scientific research;
- To prevent unlawful acts and fraud; and
- To support processing for insurance or occupational pensions purposes.
- DPO – The obligation to appoint a Data Protection Office (DPO), where relevant, applies only to controllers, unlike in the GDPR which imposes this obligation on both controllers and processors.
- Children – The Bill sets the threshold for requiring parental consent to provide an information society service to a child at 13.
The Bill creates a privacy regime for the processing of personal data for law enforcement purposes by the police, prosecutors and other criminal justice agencies. This part of the Bill transposes the EU’s Law Enforcement Directive into national law. The Bill also covers additional privacy rules for the processing of personal data by intelligence services.
The Bill is still in draft form and has yet to be debated in Parliament. The Bill was introduced to the House of Lords on 13 September 2017. The next stage, scheduled for 10 October 2017, will be a second reading in the House of Lords with a general debate on all aspects of the Bill.
Our global Data Privacy & Cybersecurity team will be closely following the progress of the Bill and will provide further updates as the legislative process progresses.