On 7 August the UK Government’s Department of Digital, Culture, Media and Sport published a Statement of Intent in relation to the new Data Protection Bill. This comes only a month before we were led to expect to see the draft Bill itself.
At first glance, notwithstanding some of the headlines in the press, it looks more like a statement of what we already know. It combines a summary of some of the new elements of the GDPR (such as the new fines, rights for individuals and obligations on data controllers and processors), with a reiteration of some messages we have already heard, including the importance of cross border data flows to our economy.
So, what do we learn that is new? In between the summaries and restatements there are a few interesting points to note:
1. Implementation: For smooth transition, the Rt Hon Matt Hancock MP (Minister of State for Digital) in his foreword says that implementation will be done in a way that as far as possible preserves the concepts of the UK Data Protection Act, while complying with the GDPR in full. The slight surprise comes later in the Statement in a section entitled “Repeal the Data Protection Act 1998”. One would expect this section to state that the DPA will be repealed by the Bill, but in fact it talks about adjusting our domestic law to remove inconsistencies and making the necessary repeals to ensure clarity of roles and responsibilities. Is this leaving room for a more patchwork approach? It is also left unclear how far GDPR requirements will be reproduced in the text of the Bill so that they continue to apply automatically in the UK following Brexit.
2. New criminal offences: Perhaps the most interesting part is on the new criminal offences that the Bill will create. The following new offences will be created:
– a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data with a maximum penalty of an unlimited fine;
– a new offence of altering records with intent to prevent disclosure following a subject access request. Again the maximum penalty would be an unlimited fine; and
– a widening of the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller, even if they initially obtained it lawfully.
3. UK derogations: The Statement gives us a glimpse into the government’s approach to derogations following their consultation including:
– an ability to require social media platforms, on request, to delete information held about you at the age of 18
– children aged 13 years or older can consent to data processing (this is the lower end of the age range of 13-16 permitted under the GDPR)
– the right to process personal data on criminal convictions and offences will be extended beyond the official bodies, taking a similar approach to that taken for sensitive personal data, thereby enabling all organisations to continue to process such data in appropriate circumstances
– an intention to broadly replicate s32 of the DPA on freedom of expression in the media while strengthening the ICO’s ability to enforce it
– the research exemption is intended to ensure that the UK continues to be a centre of groundbreaking research – much as now, research organisations and archiving services won’t have to respond to DSARs or rights to rectify, restrict, or object where it would seriously impair them from fulfilling their purposes (as long as there are appropriate security safeguards).
4. Accountability with less bureaucracy: The Statement promises to build accountability, one of the cornerstones of the GDPR, but with less bureaucracy. It is unclear how the UK government hopes to achieve this as the extensive accountability obligations in the GDPR, such as keeping records of processing, conducting impact assessments (DPIAs) for risky processing, and notifying data breaches within 72 hours, will necessarily require an audit trail and various checks, processes and actions.
5. Still no more clarity on how they will address cross border data flows: Despite the concerns expressed recently by the House of Lords European Union Committee, who were struck by the apparent lack of detailed thinking into how the Government plans to achieve the unhindered flow of personal data across borders, the content of this Statement is still vague. It repeats that bringing EU law into domestic law will help to prepare our future, and again expresses a commitment to ensuring uninterrupted data flows, but there is still no concrete strategy expressed as to how the Government plans to achieve this. Assuming the UK looks for an “adequacy decision” from the European Commission, there is likely to have to be a transitional period while this is agreed. According to the Statement, the Data Protection Bill will place us on the front foot in allowing the UK to maximise future data relationships with the EU and elsewhere. It remains to be seen if the Bill addresses this point and, if so, how it purports to do so, particularly in relation to transfers “elsewhere”.
So there are a few new pointers, and a preview of some new offences, but we are still rather in the dark and can only wait for the draft Bill.