The United Kingdom has issued a statement of intent regarding a new data protection bill that is designed to make U.K. data protection laws consistent with the European Union’s General Data Protection Regulation (GDPR), so the flow of data between the U.K. and the EU can continue uninterrupted post-Brexit.
On August 7, 2017, the U.K.'s Department for Digital, Culture, Media and Sport issued a statement of intent regarding a new data protection bill (U.K. bill), which will establish greater safeguards for individuals than those currently under the U.K. Data Protection Act of 1998 and impose more obligations on companies collecting data. The U.K. bill aims to conform U.K. law to the European Union's GDPR in advance of Brexit. The GDPR will come into effect on May 25, 2018, when the U.K. will still be a member of the EU. When the U.K. leaves the EU, the U.K. bill will ensure that U.K. laws remain consistent with the GDPR. In its statement of intent, the U.K. government said the U.K. bill aims to promote the uninterrupted flow of data between the U.K. and the EU. A date has not yet been set for debate of the U.K. bill in Parliament.
Expansions in Consumer Rights
Through various changes to U.K. law, the U.K. bill will provide consumers with greater control over how companies use personal information, while broadening the definition of "personal data" to include IP addresses, internet cookies and DNA. The rules surrounding "consent" to collect personal information also will be strengthened. For example, the use of default pre-checked "consent" boxes for collecting personal data will be prohibited, and consumers will be able to withdraw consent more easily.
The U.K. also will enact rules requiring organizations to inform individuals, at no charge, as to what personal data they are holding (so long as such requests from consumers are not "manifestly unfounded or excessive"). In addition, the U.K. bill will make it easier for consumers to move their data between service providers. Individuals also will have the right to require companies, including social media providers, to erase personal data held about them, bringing U.K. law in line with the EU’s "right to be forgotten," which governs how search engines may index the personal data of EU citizens. The U.K. bill will provide protection against profiling based on the automated processing of personal data, as in the case of online credit applications. Under the U.K. bill, individuals will be able to request that such processing be reviewed by a person rather than a machine.
The forthcoming U.K. bill will increase the fines for data breaches and create two new criminal offenses. Currently, the maximum fine for a data breach is £500,000; under the new bill, larger fines of up to £17 million or 4 percent of a company’s global turnover will be possible. In addition, the U.K. bill will criminalize intentionally or recklessly re-identifying individuals from anonymized or pseudonymized data. It also will criminalize altering records with the intent to prevent disclosure following an individual’s data access request.
Permitted Derogations From the GDPR
The GDPR specifies that parents must consent to personal data processing on behalf of children and allows member states to set, at any age from 13 to 16 years old, the threshold at which a minor can consent to such processing without parental consent. Under the U.K. bill, children 13 years or older will be able to consent to personal data processing.
The GDPR only allows official authorities to process personal data on criminal convictions and offenses, but permits member states to allow other entities to process such data. Currently, the U.K. allows all organizations to process this type of data under certain circumstances, such as criminal record checks and the underwriting of driver's insurance. To preserve continuity with this aspect of the U.K.'s current data protection laws and to promote certain benefits, such as allowing organizations to protect themselves from potential criminal acts, the U.K. will continue to allow organizations other than those vested with official authority to process criminal convictions and offenses data.
Under the U.K. bill, journalists and scientific and historical research organizations will be exempt from specific aspects of the data protection laws if necessary to perform their functions in the public interest. For example, research organizations and archiving services will not be required to respond to individuals’ data access requests when compliance would seriously impair or prevent them from fulfilling their purposes.
It was widely expected that the U.K. would strengthen its data protection laws to remain in step with the GDPR. By imposing greater requirements and penalties on companies that collect and process personal data of U.K. citizens, the U.K. bill should accomplish that goal. As a result, when the U.K. leaves the EU, companies should be able to freely transfer data between the U.K. and the EU. Companies should begin evaluating their U.K. data collection and processing practices and consider what steps they may need to take to conform to the new requirements. In addition, if a company’s “main establishment” for data processing in the EU is currently in the U.K. such that the lead supervisory authority under the GDPR would be in the U.K., companies should be aware that after Brexit they may need to identify a different lead supervisory authority located in the EU, if there is another EU country in which management decisions are made regarding data processing activities. If there is no such location within the EU after Brexit, then the company’s EU data processing activities may be subject to the jurisdiction of multiple member-state data protection authorities.