On September 13, the U.K. government introduced in Parliament the Data Protection Bill. The main aim of the bill is to implement the General Data Protection Regulation (EU) 2016/679 into U.K. domestic law. However, as perhaps reflected in the length and complexity of the bill, it is also intended to do several other things, including:
- Implementing the Law Enforcement Directive 2016/680, which member states have until May 6, 2018, to transpose into national law;
- Adopting the standards of the Council of Europe’s draft modernized Convention 108 on processing of personal data carried out by the intelligence services; and
- Ensuring that the GDPR, as implemented by the bill, will continue to apply to the U.K. after Brexit.
The table at the end of this article provides an overview of the structure of the bill.
The Explanatory Notes accompanying the bill make it clear that although it will replace the existing U.K. Data Protection Act 1998, the bill replicates much of the content of the 1998 Act, particularly in relation to derogations and exemptions from the GDPR. In this respect, the bill is meant to function as a bridge between the existing U.K. approach to data protection under the 1998 Act and the new framework created by the GDPR and the LED. The effect of this is a lengthy document without many surprises or controversial rules.
Some key observations to understand the structure and content of the bill are as follows:
- Applying the GDPR. First and foremost, the bill applies the GDPR to U.K. law, so that the articles in the GDPR are to be taken as if they were part of an act forming part of U.K. domestic law. The 480 references to the GDPR are testament to this. Schedule 6 contains modifications to be made to the GDPR articles (e.g., by changing references to member states to refer to the United Kingdom) so that they will continue to apply after Brexit. This is a subtle but powerful message which confirms that the regime introduced by the GDPR will be part of the U.K.’s statutory framework for the foreseeable future.
- Sensitive personal data. Schedule 1 of the bill contains the conditions for the processing of special categories of personal data and personal data relating to criminal convictions and offences. The bill replicates much of the current position under the 1998 Act with the additional requirement that in many circumstances, the controller must have in place an appropriate policy document that explains the controller’s procedures for ensuring compliance with data protection principles and the controller’s policies regarding retention and erasure of personal data.
- Automated decision-making. Section 13 of the bill is key, as it provides the additional safeguards that apply where automated decision-making is authorized by law by requiring the controller to inform the data subject when an automated decision has been made and allowing the data subject to request reconsideration of the decision. This is based on Section 12(2) of the 1998 Act, and therefore should not come as a big surprise.
The wording in parentheses in Section 13(1), which refers to Article 22 of the GDPR as a “prohibition on taking significant decisions based solely on automated processing” may be cause for concern. However, paragraph 112 of the notes clearly refers to Article 22 as the “right not to be subject to a decision based solely on automated processing” and ultimately, given the growing role of automated processing, it is unlikely that U.K. will interpret this issue more restrictively than what was intended by the EU legislators.
- Exemptions. The exemptions from certain rules of the GDPR for specific circumstances (e.g., processing for crime and taxation purposes, the performance of functions of regulatory bodies or research, historical or statistical purposes, etc.) are detailed in Schedules 2 to 4 of the bill. These provisions are very similar to the current position under the 1998 Act ensuring an element of continuity with current practices.
- Children. The age of consent for “information society services,” which includes online banking, social media and other online services, is set at 13 years of age.
- Penalties. The ICO’s existing powers to issue information, assessment and enforcement notices are retained with the adjustment for higher maximum monetary penalties of EUR 20 million or 4 percent of turnover as set out in the GDPR.
- Criminal offenses. The existing offense of unlawfully obtaining personal data under Section 55 of the 1998 Act is retained with the penalty of unlimited fines. Two new offenses are created: (1) re-identification of personal data which is contained in an anonymized dataset; and (2) alteration of personal data to prevent disclosure in response to a data subject access request.
The bill is currently at the beginning of the parliamentary process, with the first reading in the House of Lords held on September 13, to be followed by a second reading scheduled for October 10. It is possible that the bill as currently drafted will undergo some changes, but these are unlikely to radically alter the government’s approach. Crucially, the current draft provides a useful starting point from which organizations will be able to glean useful insight into where this is all headed. Based on this initial draft of the bill, it appears that this is all heading into familiar territory by fully implementing the GDPR and broadly preserving the current position under the 1998 Act in relation to derogations and exemptions from the GDPR.
Structure of the bill
The bill consists of seven Parts and 18 Schedules. The table below provides an overview of the structure of the bill.
This article first published on IAPP’s Privacy Tracker.