On 14 September 2017, the Government published the long-awaited Data Protection Bill (the Bill). The Bill was first announced in the Queen’s Speech on 21 June 2017 (see our previous blog). It will sit alongside the General Data Protection Regulation (EU) 2016/679 (the GDPR), which applies directly in the UK from 25 May 2018, and will exercise the derogations the GDPR leaves to member states, carrying the GDPR standard into UK law in the process.
The Bill “will make data protection laws fit for the digital age”, in which an ever-increasing amount of personal data is being processed, and is intended to give people more control over their own data. As outlined in the statement of intent which the Government published in August (see our previous blog on this), the Bill departs from the GDPR default position in a number of areas, as discussed below.
The Information Commissioner, Elizabeth Denham, published a statement on 14 September 2017: “The introduction of the Data Protection Bill is welcome as it will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. I will be providing my own input as necessary during the legislative process.”
Exemptions from the Bill
While the Bill will repeal the existing Data Protection Act 1998 (the DPA), it preserves many of the tailored exemptions that exist under the DPA. The Bill includes exemptions or conditions for processing in the following cases: journalism, as an exercise of freedom of expression and a means of exposing wrongdoing; scientific and historical research, to the extent that data protection obligations would otherwise prevent or seriously impair the research; national anti-doping bodies in sport; the financial services sector, in respect of terrorist financing or money laundering; and employers, who may process sensitive and criminal conviction data without consent where this is necessary to meet obligations under employment law.
Some key points to note:
- Liability of directors (section 177): where an offence under the Bill is committed by a company with the consent or connivance of, or is attributable to neglect by, a director, manager, secretary or similar officer, that individual is also guilty of the offence and liable to be proceeded against and punished accordingly. This mirrors the position under the DPA, under which no prosecutions of directors were brought. It remains to be seen whether a different approach will be adopted as a result of the Bill.
- Child’s consent in relation to information society services (section 8): the Bill sets the age at which a child can consent to the processing of their personal data by an information society service at 13, rather than the GDPR default of 16 (Article 8 of the GDPR permits member states to lower the age, to a minimum of 13). The reference to “information society services” in the Bill does not include preventive or counselling services. The Government also plans to allow individuals to require social media platforms to delete, on request, information the individuals posted during their childhood.
- Sensitive personal data (Schedule 1, Part 2, paragraphs 14 and 15): the Bill carries over a condition permitting processing of special category data for insurance purposes. The condition is met if the processing: (a) is necessary for the purpose of carrying on insurance business; (b) is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of an insured person; (c) is not carried out for the purposes of taking measures or decisions with respect to that data subject; and (d) can reasonably be carried out without the consent of that data subject. Processing can be considered reasonably carried out without consent only where: (i) the data controller cannot reasonably be expected to obtain the consent of the data subject; and (ii) the data controller is not aware of the data subject withholding consent.
- Transfers of personal data to third countries, etc. (section 17): the Secretary of State may specify by regulations the circumstances in which a transfer of personal data to a third country or international organisation is to be taken as necessary for important reasons of public interest, and the circumstances in which a transfer which is not required by an enactment is not to be taken as necessary for important reasons of public interest.
- Access rights: the Bill reproduces certain exemptions currently set out in the DPA relating to subject access requests. In particular, employers will not have to disclose to employees, whether in privacy notices or in response to subject access requests: (a) information that is covered by legal professional privilege; (b) information used for management planning by the employer; (c) information about the employer’s intentions during negotiations with the employee; and (d) confidential references given (but not those received) by the employer. The Bill also creates a number of new offences, including the offence of altering, destroying or concealing information in order to prevent its disclosure to an individual in response to a subject access request.
- Data portability: this GDPR right (Article 20) allows individuals to receive the personal data they previously provided to a data controller in a structured, commonly used and machine-readable format, and to transmit that data to another data controller. It may include: (a) data collected by tracking and recording an individual (such as an app that records heart rate, or technology used to track browsing behaviour); and (b) raw data generated by a smart meter.
While the Bill is at an early stage and remains subject to scrutiny and amendment as it passes through Parliament, it provides a clear insight into the Government’s intentions. The extent to which the Bill will be amended remains to be seen; its second reading in the House of Lords is scheduled for 10 October 2017. The Government’s stated aim is that the Bill will keep the UK at the ‘gold standard’ of data protection and give consumers confidence that the UK’s data rules are fit for the digital age.