On 7 August 2017, the UK government released its Statement of Intent (the Statement) regarding the new Data Protection Bill (the Bill)—the legal instrument that will apply new data protection standards set by the EU General Data Protection Regulation (GDPR) within UK law. The Statement confirms that the Bill will be aligned with the GDPR (thereby restating the principles set out in the Queen’s Speech earlier this year), and sets out key areas where it intends for the UK to derogate from the GDPR.
The UK has (of the G20 countries) the largest internet economy as a percentage of GDP and evidently, the UK government is keen to capitalize on its lead by preparing in good time for the GDPR, as well as Brexit, to give “consumers confidence that Britain’s data rules are fit for the digital age in which we live.”
A brief refresher on GDPR
The GDPR is an extensive data protection regime that will replace the existing EU data protection legislation on 25 May 2018. As part of the overhaul, the GDPR will harmonize data protection requirements across all EU Member States and, in particular, promote key principles such as accountability and transparency. In doing so, the GDPR will empower EU citizens with new individual rights and impose new obligations on data controllers and processors. For more information, visit MoFo’s GDPR Readiness Center.
What are the key derogations proposed by the UK government?
- Creating safe spaces online for children. The GDPR allows Member States to set the minimum age threshold at which a child can consent to data processing, at between 13 and 16 years. Currently in the UK, the equivalent age is 12 years, as recommended by the UK’s Information Commissioner’s Office (the ICO). The Statement confirms that the UK government’s intention is to set the minimum age for children to consent to their personal data being processed at 13 years.
- Processing criminal conviction and offense information. The GDPR only permits official authorities to process personal information on criminal convictions and offenses. However, the GDPR empowers Member States to allow other bodies to assist with the processing of such sensitive information, e.g. of private or third-sector employees as part of a criminal records check. This already happens under UK law, so in an effort to preserve continuity, the Statement indicates that the UK government wishes to replicate the existing position under the new Bill.
- Automated individual decision-making. Under the GDPR, individuals have the right not to be the subject of automated decision-making processes, including profiling. However, the GDPR grants Member States the freedom to implement exemptions to this, provided that suitable measures are put in place to safeguard the individual’s rights, freedoms and legitimate interests. To that end, the Statement comments that the UK government will implement this exemption in circumstances where an automated process would be an appropriate means of achieving an outcome, such as a bank checking the creditworthiness of an applicant via an automated credit reference check. Nevertheless, the Statement emphasizes the government’s commitment to ensuring that individuals will have a right not to be subject to automated decisions that are used to evaluate an individual’s personal aspects so as to produce a legal or similarly significant effect without human intervention.
- Freedom of expression in the media. The GDPR accommodates journalistic exemptions to certain areas of data protection to permit journalistic activity in the public interest. The Bill will take this even further by replicating the exemptions that currently exist under the UK Data Protection Act, whereby personal information may be processed for special purposes if (i) the processing is undertaken with a view to publication, (ii) that publication is in the public interest and (iii) compliance with the principle is incompatible with the special purposes.
- Research. Research organizations will have to comply with GDPR-specified obligations in relation to an individual’s personal information; for example, the right to rectification or the right of access. However, the GDPR acknowledges that this can obstruct scientific or historical research organizations, which rely heavily on statistics, from performing their functions. The Statement echoes this and expressly states that the Bill will ensure that research organizations and archiving services do not have to respond to subject access requests where this would significantly hamper them in achieving their objectives. Similarly, research organizations will not have to comply with requests to rectify, restrict or object to further processing where this would impede their ability to complete their work.
- Law enforcement. The GDPR does not cover the processing of personal information for national security or the “prevention, investigation, detection or prosecution of criminal offences or criminal penalties”. The Bill will therefore implement a suitable framework for processing personal information for these purposes by transposing the Data Protection Law Enforcement Directive into UK law and installing a regime for law enforcement data protection for agencies such as Her Majesty’s Revenue and Customs, the Environment Agency and the Driver and Vehicle Licensing Agency.
The Statement seeks to reassure global businesses that the UK is committed to retaining robust data protection and data security laws after Brexit. It states that the Bill will put the UK government “on the front foot in allowing the UK to maximize future data relationships with the EU and elsewhere”, and that the UK government will seek to ensure that data flows between the UK and the EU (and the UK and third countries) remain uninterrupted after Brexit. Keen to show good faith, the Statement then indicates that the UK will be cooperative with law enforcement agencies in Europe and beyond.
Of course, it remains to be seen during the Brexit negotiations what the outcome will be for the UK on securing EU adequacy.
What happens next?
In terms of timing, the Bill won’t be debated in the UK parliament until the new session starts in September. Before the Bill can receive Royal Assent and pass into law, it must first pass through three readings in the House of Commons.
In large part, the Statement recites the requirements of the GDPR, which are becoming familiar territory for global businesses operating in EU markets. However, many businesses are considering how to prepare for the impact of Brexit on data flows between the UK and the rest of the EU. The Statement provides some reassurance that this issue remains firmly on the UK government’s agenda, although there are no clear answers yet on how the adequacy process will work and whether any transitional arrangements could be agreed to ensure that data transfers between the UK and the EU are uninterrupted the day after Brexit.
Businesses would be well advised to formulate a “Plan B” to maintain cross-border data flows from the UK, such as using model clauses in any contracts with overseas service providers, implementing Binding Corporate Rules (BCRs) across their global operations to facilitate intragroup data transfers, or assessing the viability of seeking client and employee consent to cross-border transfers of their personal data.