On 7 August 2017, the UK Department for Digital, Culture, Media & Sport (DCMS) published a Statement of Intent outlining proposals for a new UK Data Protection Bill (the Bill). This is the UK's preparation for the General Data Protection Regulation (GDPR), which will be directly applicable across the EU from 25 May 2018. This note outlines the key provisions from DCMS's statement.
Aims and objectives
The stated aim of the Bill is to protect people's privacy while allowing and encouraging innovation in digital technology. This should involve striking a balance between freedom and responsibility online. The Bill will also ensure that data remains safe as the UK moves into a future digital world based on a system with more accountability but less bureaucracy.
Brexit: The government paper says that the Bill will also bring EU law into UK domestic law. However, in practice, GDPR will be directly applicable and we expect the Bill to deal, primarily, with derogations from GDPR and certain additional data protection rules the UK is choosing to implement.
The UK government has also stated that it is committed to ensuring uninterrupted data flows continue between the UK, the EU and other countries. This will, of course, require an adequacy finding by the EU in due course. However, the challenges in achieving this are not directly addressed in the paper.
The definition of personal data will be expanded to include IP addresses, internet cookies and DNA.

The rules will be strengthened so consent must be "unambiguous" and easy to withdraw. Pre-checked "tick boxes" will be outlawed. Consent for online services in connection with children will require parental/guardian consent. The UK is going to set the threshold at children under the age of 13. This is the same approach that has been taken in Ireland.

Individuals will find it easier to require organisations to disclose personal data about them at no charge. There is no specific comfort here for organisations where the access request is a precursor to litigation, as is often the case.

New rules will make it easier for customers to move data between service providers.

Individuals can ask for their personal data to be erased. The proposal says that this will include a provision to allow people to require social media platforms to delete information they posted during their childhood. It's not clear whether this is additional to the existing GDPR right to erasure or a proposed UK-only additional right. Does this mean that, when somebody reaches the age of majority, they can ask a social networking site to delete any or all of their posts regardless of the content or context? Even under GDPR, there is a balance to be struck here and exemptions can apply.

Individuals can have automated decisions reviewed by a person rather than a machine. It seems the UK is seeking to clarify that there is no requirement to obtain prior consent for such processing.

The Bill aims to alleviate administrative and financial burdens on data controllers but also introduces data breach notification (a new 72-hour deadline). It's not clear how this will work in the context of GDPR, which increases the accountability burden substantially as compared with the current law. That's why organisations are implementing control frameworks of policies, procedures, audit, training and awareness in readiness for GDPR.
The Information Commissioner's Office (ICO)
The ICO fining power will increase from £0.5 million to £17 million or 4 per cent of global turnover.
New criminal offences
These include offences of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data; altering records with intent to prevent disclosure under an access request (strangely not an offence already); and broadening the offence of data theft to catch people who retain data against the wishes of the controller (this could cover the situation where data is obtained lawfully then used unlawfully for a secondary purpose).

Journalism/whistleblowers: It looks as if the current position will be maintained, so exemptions will apply where processing personal data is in the public interest.

As indicated in GDPR, the UK will be abolishing the current system requiring controllers to notify (or register with) the ICO.
GDPR/UK Bill scope
There has been a rather academic debate that, as GDPR only applies to areas in which the EU has legal competence, this leaves a gap for Member States. In the UK, this is currently covered by the Data Protection Act 1998 (DPA), which is UK primary legislation and applies to all processing of personal data.
The Data Protection Bill – Derogations
The UK has confirmed that the Bill will include available derogations from GDPR. Some of the commentary includes:
- Criminal convictions and offences: The UK will extend the right to process criminal conviction and offence data to enable private organisations (other than those vested with official authority) to use it (criminal record checking). The UK is saying that it will legislate to allow this.
- Freedom of expression in the media: The Bill will strike "the right balance" between freedom of expression and the right to privacy. It seems that the existing Section 32 provisions of the DPA are likely to be retained in substance.
- Research: Research organisations and archiving services will get an exemption from subject access requests where this would seriously impair or prevent them from fulfilling their purposes. Exemptions will also apply to individuals' rights in seeking rectification, restriction and objection in similar circumstances.
- Law enforcement: In addition to GDPR, there is a separate EU Directive on Law Enforcement. All Member States must implement it (and this requires domestic legislation in the usual way) at the same time as GDPR. The UK will include this in the Bill. This is, effectively, a bespoke data protection regime for law enforcement (police, prosecutors and other criminal justice agencies including HMRC, the Environment Agency and the DVLA). Notably, this will extend to domestic law enforcement as well as cross-border.
- Interestingly, the Bill will also include a framework for the handling of personal data for common, foreign and security policy for national security (not part of GDPR). This may be the first step towards seeking an adequacy assessment of the UK in a potentially post-Brexit world.
Privacy by design and default
The Statement of Intent says the Bill will promote the concept of "privacy by design and default". But it then says this is achieved by giving citizens the right to know when their personal data has been released in breach of data protection safeguards and providing a clear right of redress. This is not "privacy by design and default". These concepts, instead, refer to embedding privacy in an organisation's practices and processes from the outset.
The presentation of the Statement of Intent suggests that the proposals are largely new. In fact, they are the required new rules under GDPR with a few additions. Some areas (like the right to ask social media companies to delete data posted while a child) may be incremental. We'll have to wait and see. It is helpful, however, to know that the UK's proposal is to create a single all-encompassing regime based on GDPR, and to implement the Law Enforcement Directive regime to domestic policing as well as international sharing of data with other agencies. So far, however, we have limited detail on derogations the UK will be making. So the real detail will, not surprisingly, be contained in the Bill, which we understand is to be published during the week commencing 4 September.