Data protection law in the UK has been radically overhauled in recent months and further reforms are on the horizon. The EU's General Data Protection Regulation (GDPR) came into force in all Member States on 25 May 2018 and the majority of the provisions in the UK's Data Protection Act 2018 came into force on the same date. Following behind this is the EU's e-Privacy Regulation which is now expected to be approved in late 2018 and implemented in 2019.
The aim of the GDPR is to align the data privacy laws across all EU Member States and protect EU citizens' personal data regardless of where that data is processed (i.e. within the EU or beyond). Businesses that collect, record, use or disclose data relating to an identified or identifiable natural person are now required to comply with the GDPR standards on data processing, record keeping, risk management and data breach reporting, or face fines of up to the higher of €20m or 4% of annual global turnover.
Alongside the GDPR, the UK has enacted the Data Protection Act 2018. This Act replaces the Data Protection Act 1998 with a new, comprehensive data protection framework designed for the digital age. It implements the GDPR standards side by side with UK legislation covering law enforcement data and national security data (areas where the EU does not have competency), and permitted exemptions to the GDPR. It aims to ensure modern data use can continue whilst strengthening the control and protection individuals have over their data.
The new Data Protection Act is a lengthy piece of legislation, running to 339 pages. The key provisions in the Act include:
- Implementing the GDPR standards into UK law across all general data processing.
- Tailored exemptions from the GDPR for certain organisations operating in journalism, research, financial services and legal services.
- Setting the age when children can give consent for the online processing of their personal data at 13.
- Giving citizens more control over their data, including the right for those aged 18 years or older to have their data deleted if there are no legitimate grounds for retaining it.
- Providing a bespoke regime for the processing of personal data by the police, law enforcement and criminal justice agencies.
- Providing appropriate safeguards to enable the intelligence agencies to manage security threats.
- Providing additional powers for the Information Commissioner to regulate and enforce data protection laws including the ability to levy fines up to the higher of €20m or 4% of an organisation's global annual turnover for the most serious breaches.
- Preserving the offences in the 1998 Act and introducing new offences of (i) intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data and (ii) altering records with the intent to prevent disclosure.
The new e-Privacy Regulation was intended to come in on 25 May 2018 to coincide with the GDPR, but it proved too ambitious to finalise the Regulation in time. At this stage, the e-Privacy Regulation is scheduled to be approved in late 2018/early 2019 and implemented sometime in 2019, but the date remains unfixed. It is unclear whether the UK will have left the EU by the implementation date, but the UK has said it will maintain EU data protection standards after Brexit.
The e-Privacy Regulation will have the same territorial scope as the GDPR and will carry the same penalties for non-compliance.