Today the UK Government published its draft Data Protection Bill (“Bill”), which will replace the Data Protection Act 1998 (“DPA”). The EU General Data Protection Regulation (“GDPR”), which applies from May 2018, empowers Member States to introduce their own national derogations from the GDPR in certain situations.
The Bill utilises this power by supplementing the GDPR in places and importing a number of existing exemptions from the DPA. The Bill also provides more detail on the way in which the GDPR will be enforced in the UK (e.g. fines and the Information Commissioner’s enforcement powers) and incorporates the Law Enforcement Directive into domestic law.
The Bill is intended to come into force in May 2018 and will continue to apply post-Brexit. We set out some of the Bill’s key points below.
Crucially, the Bill ensures that under the GDPR, the UK will retain many of the exemptions and derogations which it enjoyed under the DPA. This will be welcomed by many UK businesses which might have been uncertain as to whether their processing activities would continue to be lawful under the GDPR.
While the rights of the data subject will be strengthened under the new legislation, the UK Government has been quick to reassure businesses that the Bill contains important exemptions and derogations which will allow them to continue to process personal data where necessary for legal or public interest reasons. Launching the Bill, Matt Hancock, Minister of State for Digital and Culture, pledged that “[t]here are circumstances where the processing of data is vital for our economy, our democracy and to protect us against illegality. Today, as we publish the Data Protection Bill, I am offering assurances to both the public and private sector that we are protecting this important work.”
The exemptions contained within the Bill cover a wide range of areas, including legal professional privilege, social work records and educational records. In particular, the Bill permits the processing of special categories of data (e.g. health data) and criminal conviction data in the following situations:
- by journalists where necessary for freedom of expression and to expose wrongdoing
- by organisations such as museums and universities where necessary for scientific and historical research purposes
- by national anti-doping organisations to detect drug cheating in sport
- by financial services bodies which suspect terrorist financing or money laundering
- in relation to criminal conviction data, by employers where this is necessary to fulfil their obligations under employment law
- where necessary for the purpose of child protection
- where necessary to prevent and detect fraud
The Bill replicates many of the existing offences under the DPA and also introduces a new one: it will now be a criminal offence for a data controller or processor to alter its records with intent to prevent disclosure following a subject access request. The Information Commissioner has the power to bring proceedings in this regard.
In line with the GDPR, the Information Commissioner may levy fines of up to £17 million or 4% of global annual turnover, whichever is higher, for the most serious data protection breaches.
Age of consent
Children from the age of 13 may now consent to the processing of their personal data by information society services (“ISS”). This is the lowest age of consent permitted by the GDPR, which sets the default at 16 but allows Member States to lower it. Non-exhaustive examples of ISS include online sellers, ISPs and search engines.
To conclude, the Bill seeks to harmonise EU and UK data protection laws so far as is possible, whilst retaining the DPA exemptions which UK businesses have grown familiar with. The intended result is that UK businesses will not find their processing activities unduly hampered by new legislation, provided that the processing is carried out for a legitimate purpose. The derogations contained in the Bill will be welcomed by many organisations, which can now use these as a basis for planning their GDPR programmes.
The Bill will be debated at its second reading in the House of Lords on 10 October 2017.