On Thursday 14 September 2017, the UK published its new Data Protection Bill. It comes with much fanfare that it will underpin a world class privacy regime for the UK, give individuals more control over their data, support business and prepare the UK for Brexit.
It is also a monster of a document with 194 sections and 18 Schedules. There are also 109 pages of explanatory notes.
Outline of the Bill
As everyone knows, GDPR will apply directly to the UK as a member state of the EU on 25 May 2018. The Bill will add the following key components:
- Clarifications and derogations from GDPR (as permitted by GDPR) – see sections 5 to 18 and Schedules 2 to 4.
- A regime broadly equivalent to GDPR for types of processing to which GDPR does not apply (areas outside the scope of EU law and foreign/security policy) – see section 19.
- An equivalent privacy regime for Law Enforcement (to implement the Law Enforcement Directive – see sections 27 to 79).
- Additional privacy rules for Intelligence Services – see sections 80 to 111.
- Rules applicable to the ICO and enforcement – see sections 112 to 168 (Parts 5 and 6).
So this is a comprehensive approach and aims to ensure that the UK can seek an "adequacy decision" (or equivalent) post-Brexit.
Other key observations
Here are our initial observations on the Bill:
- The threshold for children's consent in relation to online services is confirmed to be "13 years" (the UK has derogated from the GDPR threshold of "16 years"). So has Ireland.
- There is a range of limited exemptions (primarily in Schedules 2 to 4) from various "listed GDPR provisions", including obligations to provide privacy notices and offer individual rights. The exemptions include processing for the prevention and detection of crime, protection of rights of third parties, legal professional privilege, self-incrimination, management forecasts, negotiations and confidential references. Some of these exemptions are very similar to those in the current UK Data Protection Act.
- It is confirmed that individuals can claim compensation for non-pecuniary loss (e.g. distress). This reflects the GDPR position and will likely drive claims risk.
- There are new criminal offences of:
  - re-identification of de-identified personal data;
  - alteration of personal data to prevent disclosure (where an individual serves an Access Request); and
  - retaining data against the wishes of the controller and then using it for an unlawful secondary purpose.
- Directors and managers may be personally liable where a corporate entity commits an offence with that individual's consent or neglect. This is similar to the current DPA position in the UK.
- Registration: The requirement for registration has been removed. However, the Bill does allow the Secretary of State to make regulations requiring data controllers to: (1) pay a charge to the Commissioner; and (2) provide information to the Commissioner to help the Commissioner identify the correct charge to be levied. This wording reproduces the substance of the charging powers already incorporated into UK law by the Digital Economy Act. The position is not yet clear, but these powers seem to indicate there will be a form of registration within the UK.
With the imminent deadline of 25 May 2018, it is now time to take a detailed look at the Bill in the context of GDPR. Lots to read!