UK Government issues further information about the implementation of the GDPR
The Government has published a Statement of Intent, which sets out further information about how the General Data Protection Regulation (GDPR) and the accompanying Data Protection Law Enforcement Directive will be implemented.
The GDPR is immediately enforceable throughout the EU without the need for it to be transposed directly in to Member States' national law. It does, however, provide discretion over the application of certain provisions (derogations). The Government plans to pass a Data Protection Bill which will exercise the permitted derogations in the GDPR, repeal the Data Protection Act 1998 and implement into UK law the Data Protection Law Enforcement Directive.
In the Government's Statement of Intent, the Government has not set out all of the derogations which it may make in the Data Protection Bill, however, it has published information relating to some of these exemptions:
- The GDPR, without amendment, restricts the processing of criminal conviction and offence data to those authorised by law or under the control of official authority. The effect of this would be to severely restrict current private sector employers from being able to obtain details of criminal convictions and carry out criminal records check. The Government states that it plans to extend the right to process personal data on criminal convictions and offences under the GDPR to organisations not under the control of official authority.
- The GDPR provides individuals with the right not to be subject to automated decision making (including profiling). The UK government has decided to create an exemption to this right. It is not clear exactly what this will look like, except that the exemption will require a legitimate ground to do so and that the automated decision must not create legal effects without any human intervention.
- The age at which a person can consent to use of their personal data without parental or guardian approval will be set at 13 years old.
- Research organisations will not have to comply with data subject rights (such as to rectify data or restrict further processing) where this will seriously impair their ability to complete their work, provided appropriate safeguards are in place.
In order for the Information Commissioner to tackle data protection crimes effectively, the Government has set out plans in its Statement of Intent to introduce the following new offences (although it is not yet clear whether these will form part of the Data Protection Bill):
- A new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, with an unlimited fine as the penalty.
- A new offence of intentionally altering records to prevent disclosure during a subject access request. Again, this fine would be unlimited, and will use the similar offence in the Freedom of Information Act 2000 as a template.
- The existing offence of unlawfully obtaining data is to be extended to where data is retained against the wishes of the controller even if lawfully obtained initially.
Click here to read the Statement of Intent in full.
Privacy Shield extended to EEA Countries
The EEA joint committee adopted a decision last month to extend the EU-US Privacy Shield into the EEA Agreement, meaning that EEA countries (Iceland, Liechtenstein and Norway) are now part of the EU-US Privacy Shield personal data transfer framework.
The Privacy Shield is a current method by which personal data may be transferred from the EU to the US in compliance with EU data protection laws. It was established last year following the invalidation in late 2015 of the Safe Harbour scheme, although formal concerns regarding its legitimacy have already been raised within the European Parliament.
Click here to read the EEA Joint Committee decision.
ICO fine for sending unsolicited direct marketing emails
Moneysupermarket.com sent 7.1 million emails to customers, who had previously opted out of direct marketing, updated company terms and conditions and an option to update their marketing preferences. The section on updating marketing preferences stated:
"We hold an e-mail address for you which means we could be sending you personalised news, products and promotions. You've told us in the past you prefer not to receive these. If you'd like to reconsider, simply click the following link to start receiving our e-mails."
The ICO held that Moneysupermarket.com had breached article 22 of the Privacy and Electronic Communications Regulations 2003 by sending this to customers that had already opted out of direct marketing and fined the company £80,000 for this breach.
This fine is a stark reminder to organisations about the care that must be taken with marketing emails.
Click here to read the monetary penalty notice.