On September 14, 2017, the UK Government introduced a new Data Protection Bill (the “Bill”) to Parliament. The Bill is intended to replace the UK’s existing Data Protection Act 1998 and enshrine the EU General Data Protection Regulation (the “GDPR”) into UK law once the UK has left the European Union. The GDPR allows EU Member States to enact, via national law, exemptions from the various provisions of the GDPR, which the Bill also seeks to implement.
In addition to implementing the GDPR into UK law, the Bill contains provisions intended to implement into UK law the EU Directive on the processing of personal data by government authorities for the purposes of the prevention, investigation, detection and prosecution of crime (the “Law Enforcement Directive”).
The Bill is structured as follows and contains the following key provisions:
- Part 2 implements the GDPR into UK law.
- Part 3 implements the Law Enforcement Directive into UK law in so far as it pertains to processing of personal data by UK law enforcement agencies.
- Part 4 implements the Law Enforcement Directive into UK law in so far as it pertains to the processing of personal data by UK intelligence services and agencies.
- Part 5 contains provisions relating to the role of the UK Information Commissioner’s Office (the “ICO”) under the new UK data protection regime provided for in the Bill. This Part, in particular, confers upon the ICO the investigatory, authorization and advisory powers provided for in the GDPR.
- Part 6 contains provisions relating to enforcement actions by the ICO. This Part gives the ICO the power to issue fines for violations of the Bill of up to the greater of €20,000,000 or 4% of annual worldwide turnover, or €10,000,000 or 2% of annual worldwide turnover.
- Schedule 1 sets forth additional grounds upon which data controllers may process sensitive personal data, including for scientific or historical research purposes, or for statistical purposes, as provided for in the GDPR.
- Schedules 2 and 3 set forth additional exemptions, as permitted by the GDPR, in relation to the requirements to provide a privacy notice to data subjects and to uphold data subject rights provided for by the GDPR, such as when personal data are processed for the purposes of detecting or preventing crime.
Before the Bill can receive Royal Assent and officially become law, the Bill must be approved by both the House of Lords and the House of Commons. No firm date for Royal Assent has yet been provided, but the Bill is intended to take effect prior to the GDPR’s May 25, 2018 effective date.