Although one of the main aims of the EU General Data Protection Regulation (GDPR) is to harmonise data protection law across the EU, it does allow member states some discretion as to how select provisions apply. It specifically allows them to introduce broad derogations concerning national security, prevention of crime and the enforcement of civil claims, where such derogations respect the essence of the individual’s right to data protection and are a necessary and proportionate measure. In addition, member states can provide exemptions or derogations in relation to specific processing activities, including processing that relates to freedom of expression and freedom of information; public access to official documents; national identification numbers; processing of employee data; processing for archiving and statistical purposes, security obligations; and churches and religious associations.
In the UK, the Information Commissioner’s Office (ICO) has included with its guide to the GDPR a list of exemptions made by the UK. The biggest takeaway from this guidance for businesses is that they should not apply exemptions in a blanket fashion, but rather on a case by case basis. The guidance also notes that most of the exemptions in the Data Protection Act 1998 (DPA 1998) are included, either within GDPR provisions or as exemptions in the Data Protection Act 2018 (DPA 2018). Since some of the exemptions have changed slightly, the ICO advises those who used to rely on specific exemptions under the old DPA 1998 to check what is covered by the exemptions in the new DPA 2018 to ensure that their use is appropriate and compliant.
Until the UK leaves the EU both the EU GDPR and the DPA 2018 will apply in the UK. Once the UK leaves the EU, the GDPR will form part of UK domestic law by virtue of the EU (Withdrawal) Act 2018 (EUWA). The DPA 2018 will continue to supplement the requirements of the GDPR, as well as set out UK specific derogations and deal with areas not covered by the GDPR (such as the processing of personal data by law enforcement authorities and the intelligence services). Exit Regulations, made under powers conferred by the EUWA, will come into force on exit day so that the UK’s data protection regime can continue to function properly. The Regulations replace references to EU laws and institutions in the GDPR with references to UK equivalents, creating “UK GDPR”, and also maintain the extra-territoriality of the UK’s data protection regime.
A summary of the position with regard to data protection in the event of a no deal Brexit is provided in our article “Data protection and a “no deal” Brexit – guidelines for businesses”. If the UK and the EU are able to agree the terms of the draft withdrawal agreement published in March 2018, a post-Brexit transition period will run from the date of the UK’s exit from the EU until 31 December 2020. If this deal is reached, the GDPR will continue to apply in the UK during the transition period, meaning that any references to ‘member states’ in the GDPR will be understood to include the UK during this time.
A summary of some of the key derogations and exemptions implemented by the UK and other EU member states are set out below.
Consent of children in relation to the use of information society services
The GDPR allows member states to lower the minimum age a data subject must reach in order to give valid consent to the processing of their own data. It sets the minimum age at 16, but gives member states the ability to allow children as young as 13 to give valid consent for the processing of their personal data. The UK has opted to lower the threshold to the minimum of 13, as has Denmark, Finland, Poland, Spain and Sweden. Other countries have not been as trusting in their youth’s ability to give valid consent; Germany, Italy, Ireland and the Netherlands have kept it at the default 16. Some member states have set the minimum age between these two, with Austria determining 14 as the age when a child can consent and the Czech Republic and France setting the minimum at 15. The complications caused by this staggered age of consent has led to some multi-jurisdictional organisations instituting a blanket minimum of 16, rather than adjusting the minimum depending on the location of the data subject, notably WhatsApp.
Special categories of personal data
Under Article 9 of the GDPR, the processing of special category data is generally prohibited. Article 10 provides that criminal conviction data must only be processed where authorised by member state law (or carried out by an official authority). Organisations in the UK can derive official authority for this processing from parts 1 to 3 of Schedule 1 of the Data Protection Act 2018 (DPA). This includes an exemption if the processing is for the purpose of legal advice, administration of accounts used in commission of indecency offences involving children or with consent, provided that the data controller has a valid, lawful basis for the processing, as required by Article 6 of the GDPR.
An important exemption for businesses processing special category data of their staff and candidates in the UK is the exemption set out in Schedule 1(1) of the DPA that allows such processing where it is necessary for the performance of rights and obligations in connection with employment. Situations where this exemption may be relied on include ensuring worker health and safety, checking entitlement of workers to work in the UK and complying with anti-discrimination laws. Businesses operating in the UK should ensure they are clear on the grounds being relied on to process the special category data of their staff and check these are still applicable under the DPA. While the DPA largely reproduces conditions in the previous data protection legislation, there is an additional requirement that businesses relying on this exemption have an appropriate data protection policy document in place setting out, in a clear and concise way, how they will deal with employee data. This should include information in respect of retention periods.
Businesses that process special category data of data subjects in other member states need to be aware of any derogations made to Article 9 in the country in which they operate, since there may be differences. For example, in its legislation enacting the GDPR, Spain has removed consent as an exemption from Article 9(2)(a) where the personal data falls under one of the following categories: ideological, trade union membership, sex, religion, belief or ethnic origin. If consent is obtained, it must be combined with one of the other grounds under Article 9(2) in order for the controller successfully to show that data is being processed in a lawful manner in Spain.
Automated decision making authorised by law
Under the GDPR data subjects, broadly speaking, have the right not to be subject to a decision solely based on automated processing where such a decision has significant or legal effects on the individual. Article 22 allows for member states to authorise specific forms of automated processing as long as “suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests” are set out. Section 14 of the DPA allows for automated ‘qualifying significant decisions’ to be made without the consent of the data subject, if the decision is required or authorised by law. Should a decision be made in this manner, the data controller must notify the data subject as soon as is practicable that the decision is based solely on automated processing and offer them the opportunity to request the controller re-considers the decision.
Reconciling freedom of expression and the GDPR
Article 85 of the GDPR explicitly requires that each member state makes its own provision determining how freedom of expression and the Regulation is reconciled. In the UK, Schedule 2 Part 5 of the DPA sets out the exemptions that may be relied on in relation to freedom of expression. The provisions listed in Schedule 2 para 26(9) are exempted if the ‘controller reasonably believes that the application of those provisions would be incompatible with the special purposes.’ The special purposes are journalism; academic; artistic or literary. The data controller must believe the publication of the material is in the public interest; to determine whether or not the publication is in the ‘public interest’ the controller should have regard for the codes and practices listed in Schedule 2 para 26(6), ie BBC Editorial Guidelines, Ofcom Broadcasting Code and the Editors’ Code of Practice. These exemptions are far reaching and allow the controller to disregard the requirement for consent, rectification and even erasure should it be in the public interest.
The UK originally derogated from Article 27 of the GDPR and removed the requirement in the UK for organisations that are not established in the EU, but are nonetheless subject to the GDPR, to have an EU representative. This is not explicitly allowed for in the GDPR and was presumably made in light of Brexit. Indeed, when the UK leaves the EU, the Exit Regulations introduce a requirement that organisations without a presence in the EU or the UK, but intending to offer goods and services and/or monitor individuals located in the UK, must appoint a UK representative under UK GDPR.
Penalties for breaches of the GDPR
Member states are required to implement their own penalties for breaches of the GDPR, other than the penalties already found in Article 84. Some, such as Spain, have chosen only to implement administrative penalties, but others, including Germany, Italy and the UK, have created criminal offences for breaches of the GDPR. In the UK the DPA 2018 sets out the criminal offences, which are similar to and build on the ones under the old regime. A new criminal offence of re-identifying anonymised or pseudonymised personal data has been added. The DPA 2018 also makes it a criminal offence, in relation to subject access requests, to alter or destroy information with the intention of preventing disclosure of all or part of the information to the person entitled to receive it. The DPA 2018 extends liability to the directors of an organisation should it be proved the company committed an offence with the consent or connivance of or to be attributable to neglect on the part of that director. However, unlike Germany or Italy, the UK has chosen not to impose imprisonment as a punishment for any crime under the DPA 2018.
Data Protection Officer
The UK has not made any derogations to the requirement for organisations to have a Data Protection Officer (DPO) found in the GDPR. Conversely, Germany has significantly lowered the threshold found in the GDPR. If a controller employs 10 people dealing with the automated processing of personal data; or undertakes processing subject to a DPIA, commercially processes data for transfer or anonymised transfer or for purposes of market or opinion research, a DPO must be designated, regardless of the number of employees.
Living data subjects
In general, data subjects must be alive for their personal data to be protected. Recital 27 of the GDPR, however, does state member states are allowed to determine their own rules on how the personal data of the dead is protected. France, Italy and Spain have taken similar approaches whereby the personal representatives of the data subject (or a similar individual) can exercise certain rights belonging to the deceased on their behalf. Denmark has taken a different approach and s 2(5) of its DPA 2018 equivalent states it applies to data subjects for 10 years from the date of their death.
Although the GDPR has harmonised a significant proportion of data protection law across the EU, there are still significant inconsistencies between member states. Following Brexit, organisations operating in the UK and the EU will need to comply with both UK and EU data protection law. Although on the exit date UK data protection law will look like GDPR, it is possible that it will diverge in the future, making it even more challenging for organisations to keep on top of both.
Organisations need to be aware of differences in data protection laws across Europe and ensure they are aware of any derogations from the GDPR made in a country in which they operate. Some may choose to adapt their offering from jurisdiction to jurisdiction, while others may take a broader approach and take measures that comply with the strictest of the derogations in order to reduce risk. Organisations with websites need to be especially aware, as without pulling the plug on EU users, as some US companies did on 25 May last year, it is very difficult to control the location of traffic to websites.