Yesterday, the UK Government released the text of the much-anticipated UK Data Protection Bill. This piece of legislation provides evidence of the Government’s approach to the derogations permitted within EU General Data Protection Regulation (GDPR), and extends the terms of GDPR to cover areas beyond the scope of EU law. The Bill also incorporates the Law Enforcement Directive, which deals with data processing by the police and other law enforcement agencies.
This is a large and complex piece of legislation, running to 194 clauses and 18 schedules spread over 218 pages, which also includes, by reference, GDPR.
As we examine the Bill in more detail, Brodies will issue more detailed and specific updates in the coming days and weeks.
At this stage, though, there are a few general preliminary points that are worth sharing.
- Derogations and Exemptions - there has been concern in some quarters about the derogations and exemptions allowed under GDPR. It has been suggested that the Government may use the opportunity provided by GDPR to restrict exemptions which currently apply under the Data Protection Act 1998 (DPA) such as, for example, those relating to data processing for journalistic purposes. This Bill should help to allay those fears, as the exemptions that exist under the DPA have largely been pulled over into the new legislation. This should help to ensure a measure of continuity and will reduce some of the burdens associated with GDPR, for those who rely on existing exemptions.
- Pre-Brexit Issues - The second thing to note is that GDPR, as an EU Regulation having direct effect, can only apply to areas within the EU’s legislative competency. This was not an issue with the 1995 Data Protection Directive because it did not have a direct effect in the UK. The Directive needed national legislation to implement it and the DPA legislated beyond that limited EU competence so it was never really an issue. Pre-Brexit, GDPR does apply directly to the UK so it is limited to areas within the EU's legislative competence. The Data Protection Bill extends the provisions of GDPR, applying them to areas which do not fall within EU competence, thereby attempting to ensure that the gap that GDPR leaves by virtue of its limited scope is filled.
- Brexit - following on from this last point, when the UK leaves the EU, the distinction between processing that is, or is not, within the competency of the EU will no longer be relevant. The Government has signalled that GDPR will be given effect within UK domestic law through the European Union (Withdrawal) Bill and it will use its powers under that legislation – assuming it is passed – to create a single legal framework to apply GDPR standards to all general processing.
Finally, it should be noted that this Bill is at the first stage of the legislative process and yet to undergo serious external scrutiny. It is likely that there will be changes – some significant, others less so – as the Bill makes its way through the Commons and Lords. Brodies will continue to keep you up-to-date as the Bill evolves.
A copy of the Bill and the explanatory notes can be found here