The EU General Data Protection Regulation (GDPR) will automatically come into force on a harmonised basis across the EU from 25 May 2018. Yet EU Member States are able to derogate from certain requirements of the GDPR and, as an EU law, the GDPR needs to be implemented into UK domestic law in a way which makes the UK’s transition from the EU as smooth as possible.
With a view to addressing these and broader policy issues, on 7 August 2017 the UK government published a Statement of Intent, which describes its approach to updating and strengthening UK data protection laws through a new Data Protection Bill. So what are the key elements of the UK government’s proposals?
1. Full implementation of GDPR into UK law, subject to exercise of certain derogations
The Bill will bring all of the core provisions of the GDPR into domestic UK law, from enhanced accountability for those controlling personal data to greater sanctions for those not safeguarding it properly. However, the Statement of Intent includes a number of new “notable” derogations where the UK government will be exercising its (limited) rights to derogate from the terms of the GDPR. The new derogations will cover, for example:
- Protecting children online – the UK government will legislate to allow a child aged 13 years or older to consent to their personal data being processed without parental consent also being required (so broadly consistent with the ICO’s existing guidance of 12 years old and aligned with equivalent rules in the US).
- Social media – the UK government looks set to supplement an individual’s right to be forgotten under the GDPR with a specific right for those over 18 to require social media platforms to delete information held about them (subject to “very narrow” exemptions).
- Automated decision making – an individual has the right not to be the subject of automated decision making under the GDPR, but Member States are entitled to restrict these general rights where suitable safeguards are in place to protect an individual’s “rights, freedoms and legitimate interests.” The UK government will legislate to restrict these rights where legitimate functions rely on automated decision making (for example, credit reference checks and e-recruiting practices), provided that appropriate protections exist, which may include the ability to seek human intervention as a right of recourse.
2. Put the UK in the strongest position to secure uninterrupted EEA-UK data flows post-Brexit
As explained in our earlier article here, the GDPR will restrict businesses from transferring personal data from the European Economic Area (EEA) to the UK under any post-Brexit model in which the UK falls outside of the EEA, unless a suitable solution is found to legitimise those transfers. An adequacy decision from the European Commission is a particularly attractive long-term transfer solution for the UK government to resolve this issue, but is by no means a foregone conclusion.
The Statement of Intent describes the steps the UK government will take to ensure that UK data protection laws remain “essentially equivalent” to those in the EU post-Brexit, thereby putting the UK in the best position to secure unhindered data flows once it has left the EU. For example, the UK government plans to apply the new data protection standards in the GDPR to all general data, not just data which is inside an area of exercised EU legal competence, and the UK government has been particularly cautious when derogating from the GDPR.
3. Repeal and replace the Data Protection Act 1998, but preserve its key concepts
The Bill will remove inconsistencies between existing domestic law and the GDPR by repealing and replacing the Data Protection Act 1998 (the DPA), which currently underpins the UK’s data protection regime.
That said, the UK government remains committed to integrating the full GDPR in a way that as far as possible preserves the concepts of the DPA – both with a view to making the shift to the GDPR for businesses and consumers as simple as possible and to avoid “gold-plating” the implementation of the GDPR in a way which stifles innovation. For example, the UK government plans to retain existing exemptions and derogations under the DPA, such as the existing UK approach of treating criminal offence data in a similar way to sensitive data and the existing journalistic exemption.
4. Introduce criminal offences for organisations intentionally or recklessly processing data
The Bill will modernise and expand existing criminal offences for breaches of UK data protection laws by:
- Introducing two new offences: (a) intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data (for example, by piecing together different data fields held separately to identify an individual’s online browsing habits); and (b) altering records with intent to prevent disclosure following a subject access request.
- Widening the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained the data lawfully).
Each offence would carry an unlimited fine, and the Bill will ensure that the most serious data protection offences become recordable on the Police National Computer database.
5. Give effect to the Data Protection Law Enforcement Directive (DPLED)
The Bill will also implement the DPLED, which covers how personal data is processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or for the execution of criminal penalties (all areas outside of the scope of the GDPR). In particular, the UK government intends to use the Bill to create a bespoke law enforcement regime which upholds the highest standard of data protection, while allowing unhindered cross-border data sharing.
When will we know more?
According to the UK government, the Bill is likely to be published as soon as September 2017. A wave of substantial business lobbying and debate is likely to follow as the Bill moves through the UK Parliament, not least around critical areas for business where the Bill remains silent. For example, the UK government has not exercised its discretion to extend the grounds on which processing of “special categories of data” under GDPR (currently known as “sensitive personal data” in the UK) is permitted, despite widespread industry expectation that it would do so.
It may, therefore, still be some time before we get any certainty on the final text of the Bill. Until then, the key message for businesses will be to continue with GDPR projects as planned, while keeping up to speed with guidance at a national and international level on how it should be interpreted. For example, the Information Commissioner’s Office (ICO) still intends to publish guidance on contracts and liability, and the processing of personal data relating to children, and the Article 29 Working Party’s Action Plan for 2017 includes the intention to issue guidance on a range of topics.