The Data Protection Bill (the Bill) had its first reading in the House of Lords on 13 September 2017.
The Department for Digital, Culture Media & Sport has produced a set of factsheets, including an Overview of the Bill. This factsheet explains that, once enacted, the new Bill will:
- Replace the Data Protection Act 1998 (DPA) with a comprehensive and modern framework for data protection in the UK, with stronger sanctions for malpractice;
- Set new standards for protecting general data, in accordance with the General Data Protection Regulation (GDPR), giving people more control over use of their data;
- Preserve existing exemptions that have worked well under the DPA, carrying them over into the new law. These include exemptions for journalists, researchers and financial services firms; and
- Provide a bespoke framework tailored to the needs of our criminal justice agencies and national security agencies, to protect individuals' rights while ensuring we can tackle global threats.
The Bill, which runs to just over 200 pages, comprises five main parts:
Part 2: General Processing
Clauses 3-26 of the Bill implement the GDPR standards across all general data processing and provide clarity on the definitions used in the GDPR in the UK context. Until the UK leaves the EU, the GDPR will operate in tandem with the Bill. Once the UK has left, the Bill will allow for the continued application of GDPR standards.
Although the Bill builds on the provisions in the GDPR, it includes special rules (enabling the enactment of derogations by Member States from rights and duties enshrined in the GDPR in certain circumstances) for the processing of personal data. Some of these rules have been carried forward from the DPA and aim to ensure a measure of continuity for those who operate in accordance with existing exemptions. The Bill recognises, for example, that it is sometimes appropriate to disclose personal data for purposes to do with criminal justice or the taxation system, such as the prevention or detection of crime.
Some of the key GDPR derogations in the Bill are as follows:
- The Bill permits the processing of sensitive and criminal conviction data without consent, if there is justification for doing so (such as to allow employers to comply with employment law obligations, to allow scientific research and/or to prevent fraud).
- Exemptions for literary, journalistic or academic purposes are included in the Bill (similar to those in the DPA), with the aim of balancing freedom of expression of the media with the right to privacy; and
- The age at which children can consent to the processing of their personal data online is 13 (lower than default position under the GDPR of 16).
Part 3: Law Enforcement Processing
Clauses 27-79 of the Bill create a bespoke framework for the processing of personal data by the police, prosecutors and other criminal justice agencies. The Bill strengthens the rights of data subjects, while providing exemptions for law enforcement agencies to prevent investigations from being undermined. The EU Law Enforcement Directive (LED) covers cross-border processing for law enforcement purposes. To ensure a coherent regime, the Bill creates a single domestic and trans-national regime.
Part 4: National Security Processing
National security is outside of the scope of EU law, and the GDPR was therefore not designed to apply to processing by the intelligence services. Clauses 80-111 of the Bill provide a specific data protection regime for the intelligence services, which will ensure that the processing of personal data is subject to proportionate controls.
Parts 5-6: The Information Commissioner and Enforcement
The final parts of the Bill (clauses 112-168) set out the role, powers and duties of the UK Information Commissioner. Consistent with the GDPR, the Bill provides for maximum fines of up to £18 million or 4% of global turnover. Two new offences are also created by the Bill, namely, the 're-identification of de-identified personal data' and the 'alteration etc. of personal data to prevent disclosure'.
Organisations will be pleased to learn that the Bill does not contain any surprises and also that a number of exemptions under the DPA will be carried over into the new Bill. The key exemptions and derogations from the GDPR will be of particular interest, and we will write further articles about their impact in our next bulletin.
The Bill is scheduled for a second reading before the House of Lords on 10 October 2017.