The new UK Data Protection Bill (the Bill) was published on 14 September 2017 and, once enacted, will repeal the Data Protection Act 1998 (the DPA). The Bill preserves parts of the DPA and implements the standards of the General Data Protection Regulation (the GDPR) across the categories of data processing within the scope of the GDPR as well as the areas of data processing in which Member States have discretion. However, it also creates various new exemptions and derogations from the application of the GDPR in the UK as well as a number of new criminal offences relating to the processing of personal data.
The Bill is not short, comprising seven parts over approximately 200 pages. Structurally, there are five key parts to the Bill comprising:
- Part 2: General Processing – covers the exemptions and derogations from the GDPR and also applies the GDPR standards to other forms of processing that are not already covered by the GDPR.
- Part 3: Law Enforcement Processing – covers processing in a law enforcement context.
- Part 4: Intelligence Services Processing – covers the processing of personal data by the intelligence services.
- Part 5: The Information Commissioner – sets out the role, obligations and powers of the Information Commissioner.
- Part 6: Enforcement – sets out the various enforcement actions available to the Information Commissioner, including details of the new criminal offences.
There are also 18 schedules to the Bill which, together, are almost as long as the main body of the Bill.
How does the Bill interact with the GDPR?
The Bill “implements” the GDPR in that it sets out how the GDPR standards will apply across both: (i) the categories of data processing within the scope of the GDPR; and (ii) the areas of data processing in which Member States have discretion. The Bill also supplements the GDPR, for example, by adding further conditions to the use of certain exemptions and derogations (discussed below). The Bill must therefore be read alongside the GDPR.
The Bill also goes further than the GDPR by applying broadly GDPR-equivalent standards to certain categories of data processing that are not within the scope of the GDPR regime. For example, the Bill applies broadly GDPR-equivalent standards to the processing of personal data, which is not automated or structured, by a public authority subject to the Freedom of Information Act 2000.
Key exemptions and derogations from the GDPR
Companies preparing for the GDPR will be particularly interested in the UK exemptions and derogations from the GDPR. A key derogation concerns the age of consent to data processing. The Bill proposes setting the age at which children can consent to the processing of their personal data at 13 years of age which is lower than the default position, under the GDPR, of 16 years of age. This derogation only covers consent in relation to the use of information society services (which do not include preventative or counselling services). Parental consent is still required for children under 13 years of age.
The exemptions in the Bill also largely reproduce the existing exemptions in the DPA, for example, in relation to the processing of sensitive personal data. The processing of sensitive personal data is generally prohibited under the GDPR unless a controller is able to rely on one of the 10 exemptions in Article 9. One exemption under the GDPR applies where the processing is necessary to carry out the obligations and exercise specific rights of the controller or the data subject in the field of employment and social security law or social protection law. This will be of particular assistance to employers who have to manage employee health and absence data on a day-to-day basis, and have traditionally relied upon consent as the legal basis for processing. The Bill, however, adds further conditions to enable this exemption to be used. Section 9(2) of the Bill requires that, when the processing is carried out, the controller has an appropriate policy document in place. This document should explain the controller’s procedures for securing compliance with the GDPR principles in relation to processing of the personal data in question, as well as its policies regarding the retention and erasure of such personal data. It should also include an indication of how long such personal data is likely to be retained.
Another GDPR exemption to the prohibition against processing sensitive personal data applies where the processing is necessary for: (i) archiving purposes in the public interest; (ii) scientific or historical research purposes; or (iii) statistical purposes, in each case in accordance with certain safeguards such as having technical and organisational measures in place to ensure respect for the principle of data minimisation. Paragraph 4 of Part 1 of Schedule 1 of the Bill, however, expands the public interest requirement so that, in order to rely on the exemption, processing which is necessary for scientific or historical research purposes or statistical purposes must also be in the public interest. It is not clear here what would justify processing in the public interest, and it will be interesting to see the view of the Information Commissioner’s Office (ICO) on this.
The Bill also sets out several types of processing which are exempt from certain sections of the GDPR. The most relevant for companies are probably those in relation to the disclosure of data required to be disclosed by law or in connection with legal proceedings. This disclosure would not be subject to various provisions in the GDPR, including the right to erasure and the right to data portability to the extent that the application of those provisions would prevent the controller from making the disclosure.
Criminal Offences / Fines
As expected, the Bill introduces a number of criminal offences related to the processing of personal data, the most relevant ones being:
- Intentionally obstructing or failing to assist (without reasonable excuse) a person exercising the power of the Information Commissioner to inspect personal data.
- Failing to comply with an information notice, including knowingly or recklessly making false statements in response to such notice.
- Unlawfully obtaining or disclosing personal data, where a person knowingly or recklessly obtains or discloses personal data without the consent of the controller.
- Re-identifying de-identified personal data, where a person knowingly or recklessly re-identifies information that is de-identified personal data without the consent of the controller.
- Altering etc. personal data to prevent disclosure, where a person alters, defaces, blocks, erases, destroys or conceals information with the intention of preventing disclosure of all or part of the information that a person making a subject access request would have been entitled to receive.
The penalties for these offences are limited to a fine whether or not a person is convicted of a summary or indictable offence. The levels of fines are not provided for England and Wales and will likely follow as part of separate sentencing guidelines. The Bill also refers to the maximum fines available under the GDPR (4% of global annual turnover or EUR20m, whichever is higher), which will be subject to the Bank of England spot conversion rate on the day on which the penalty notice is given.
Guidance and assessment notices by the ICO
The Bill sets out the general functions and obligations of the ICO including an obligation to prepare a direct marketing code with practical guidance, in addition to the data sharing code that it is required to prepare under the existing DPA. These codes must be submitted to the Secretary of State, who will lay them before Parliament. Parliament then has 40 days to respond to these codes or the codes will be issued. Although a failure by a person to follow a code does not of itself make that person liable to legal proceedings, a court may take a provision of a code into account in legal proceedings. The Secretary of State may additionally require the ICO to prepare other codes of practice giving guidance.
The ICO is also afforded more formal powers under the Bill to issue assessment notices. The existing DPA provides that assessment notices can only be issued against government departments, although the provision can be extended, by order, to designated public bodies or other data controllers in limited circumstances. The proposed Bill appears to enable the ICO to, with some restrictions, issue an assessment notice to any controller or processor. This would give the ICO a general audit power for the first time, in addition to their ability to carry out consensual audits on any controller or processor.
The Bill appears largely to adopt the principles of the GDPR that will apply in the UK and therefore should not be too much of a shock for organisations that already comply with the DPA and are gearing up to comply with the GDPR come May 2018. However, organisations should, in particular, ensure they understand the impact of any new conditions set out in the Bill on exemptions on which they currently rely. The Bill is now due for its second reading and is subject to change. It remains to be seen what the final Act will look like and how it will be administered in practice.