On 7 August, the UK government released its statement of intent, which set out its proposals for a Data Protection Bill (the “Bill”) to replace the Data Protection Act 1998 (“DPA”) and “bring data protection laws in the UK up to date”.
In the foreword to the statement of intent, Matt Hancock, Minister of State for Digital, outlines that the Bill, due to be published in September, will “allow the UK to continue to set the gold standard on data protection”.
The Bill’s primary function will be to bring the EU General Data Protection Regulation (“GDPR”) into domestic law (although technically the GDPR will have direct effect in the UK from 25 May 2018, the government appears to be taking this approach to ensure these new data protection laws will continue to apply following Brexit). A summary of the primary changes that the GDPR will effect is available here.
In addition to implementing the GDPR, the government states that the Bill will modify the GDPR to make it work for the benefit of the UK. These modifications are to:
- exercise available derogations in the GDPR (more detail below);
- apply the new data protection standards to all general data, not just areas of EU competence;
- bring the Data Protection Law Enforcement Directive (which protects individuals when their personal data is processed by authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences, or for the execution of criminal penalties) into UK domestic law;
- create new criminal offences related to breaches of data protection law; and
- repeal the DPA.
None of these modifications appears to impact on the UK’s full compliance with the GDPR and this is important to ensure that the UK is able to continue to transfer data to and from the remaining EU Member States without restriction post-Brexit. Nevertheless, following the UK’s departure from the EU it will be necessary for the European Commission to decide under Article 45 of the GDPR whether the UK has an adequate level of protection to allow transfers of personal data to/from the European Union. Full implementation of the GDPR in UK domestic law will help to assist with obtaining an adequacy decision from the European Commission, although factors such as the competency of the regulator will also have an impact.
As outlined above, the government intends to make use of a number of derogations available under the GDPR. A full list of the proposed derogations is available via the Open Rights Group’s website. Of note are the following:
- Consent for processing of children’s personal data – the default position under the GDPR is that where a child is under 16, processing of their personal data shall only be lawful where consent is given by the holder of parental responsibility over the child. The UK proposes to allow children between 13 and 16 to personally consent to the processing of their data;
- Personal data pertaining to criminal convictions and offences – the unmodified position under the GDPR is that processing of personal data relating to criminal convictions and offences can only be undertaken under the control of bodies vested with official authority. The UK intends to derogate from this restriction to allow the processing of personal data relating to criminal convictions and offences by organisations that would not be classed as an official authority but that currently process such data (for example, to continue to allow employers to conduct criminal records checks); and
- Exemptions from transparency obligations and individuals’ rights – the GDPR allows Member States to introduce restrictions to the rights and obligations set out in the GDPR where doing so is a necessary and proportionate measure required to safeguard an important public interest objective. The UK has stated that it intends to import the same exemptions as currently exist under the DPA, to the extent that this is permitted under the GDPR.
The government has also outlined that the Bill will create three new criminal sanctions as follows:
- an offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data;
- an offence of altering records with intent to prevent disclosure following a subject access request; and
- a widening of the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully).