The Department for Culture, Media and Sport (DCMS) has published a Statement of Intent in relation to the proposed Data Protection Bill, which was announced in the Queen’s Speech. The Statement follows a Call for Views conducted by DCMS prior to the General Election.
What’s been announced?
Contrary to media coverage of the Statement, today’s announcement contains little that is new.
Many of the measures announced in the Statement and the accompanying press release are not “proposals”. They form part of the General Data Protection Regulation (GDPR) and will come into force in the UK automatically on 25 May 2018. Indeed, as an EU Regulation in force at the date of Brexit, those measures would be imported automatically into UK law upon Brexit under the European Union (Withdrawal) Bill.
What the DP Bill will do is introduce national legislation dealing with the various member state derogations under the GDPR. The Statement provides some information on how the Government intends to approach these.
UK derogations under the GDPR
The DCMS Call for Views asked for feedback on how the UK should approach the various national derogations under the General Data Protection Regulation (GDPR). In the Statement, DCMS sets out its proposed approach to some of these:
- The UK will lower the digital age of consent to 13. Where processing is based on consent, providers of online services will need the consent of a parent or guardian for children under the age of 13.
- The UK will maintain existing rights under the Data Protection Act to process personal data relating to criminal convictions and other special (sensitive) categories of personal data. This means, for example, that employers will still be able to carry out criminal records checks.
- The UK will legislate to enable organisations to carry out automated decision making for certain legitimate functions, such as automated credit reference checks prior to making an offer of a loan.
- The UK will also legislate to maintain the existing provisions in the DPA in relation to freedom of expression in the media and research and archiving.
As trailed in the papers accompanying the Queen’s Speech, the DP Bill will also create two new criminal offences and one expanded offence:
- an offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data
- an offence of altering records with intent to prevent disclosure following a subject access request
- widening the offence of unlawfully obtaining data to include those who retain data against the wishes of the data controller (even if initially obtained lawfully)
Full details of the responses received to the Call for Views can be downloaded from the DCMS website (.zip, 27MB).
What else will the DP Bill do?
The DP Bill will repeal the Data Protection Act 1998. It also appears that it is intended to deal with the mechanical issues arising out of the importation of GDPR into UK law post Brexit – for example, making clear that the law applies to all personal data, not just EU-derived personal data.
What is not clear from the Statement is how some of these measures will work mechanically. Will there be further legislation to deal with data protection post-Brexit? Will the measures be suspensive upon Brexit occurring? It is not clear. We will need to wait until the draft Bill is actually published.
Implementation of the Law Enforcement Directive
The final thing to be dealt with by the DP Bill is the UK implementation of the Data Protection Law Enforcement Directive (DPLED). The DPLED sits alongside the GDPR and deals with processing of personal data by the police, prosecutors and other agencies involved in law enforcement.
As the DPLED is a Directive, not a Regulation, it must be implemented through member state legislation. The deadline for implementation is 6 May 2018.
Isn’t it a bit confusing having the law set out in the GDPR and the DP Bill?
In a word, yes.
The media coverage of this morning’s announcement and the Government’s “proposals” shows how much confusion exists over the GDPR. Individuals and organisations may be under the misapprehension that many of the things mentioned in the Statement of Intent are UK initiatives and will only apply once the DP Bill has come into force. That is not the case.
This muddies the waters in relation to efforts to increase awareness of the GDPR and the steps that organisations need to take to prepare. Rather than continuing to focus on raising awareness of GDPR, we will now be talking about two pieces of legislation, the GDPR and the DP Bill, that are largely identical in effect.
If the DP Bill is also intended to deal with data protection law post Brexit (as the Statement seems to imply), then there is also a risk that legislation on important national derogations under the GDPR is held up whilst Parliament debates what data protection law in the UK looks like post Brexit. That is not helpful to organisations trying to prepare for the GDPR and looking for clarity and certainty as to how the UK will approach those derogations.
It is not clear what form the DP Bill will take, but the GDPR is 88 pages long. Once the sections dealing with national derogations and implementation of the DPLED (itself 43 pages long) are added, it is clear that the DP Bill could be a substantial piece of legislation.
In my view, it would have been better for Parliament to deal first with the laws required to implement derogations under the GDPR and to implement the DPLED and only once those laws and GDPR had come into force to then deal with what will happen post-Brexit.
When will the DP Bill be published?
It is expected that the Government will publish the draft DP Bill in early September. In the meantime, visit our GDPR Hub to find out what you can be doing to prepare.