The UK Data Protection Bill
The Government, having announced a new UK Data Protection Bill in the Queen's Speech, has now published a Statement of Intent setting out the main details of the proposed Bill, which is to be put before Parliament in September. In this blog we highlight the main changes the Bill proposes to make to data protection law in the UK, and contrast them with the GDPR.
What is the Data Protection Bill?
In our recent blog we explained how the Data Protection Bill would bring the GDPR into UK law, so that data protection rules remain consistent between the UK and the EU even after the UK leaves the EU in 2019.
The GDPR allows Member States to derogate from certain of its provisions, and the Statement of Intent has cemented the UK's position on some of these derogations.
Until the full text of the Bill is released, which is expected in early September, we will not know the full extent of the changes. Below, however, is a brief summary of the main changes set out in the Statement of Intent and how they will affect UK data protection law and the application of the GDPR.
Definition of Personal Data
Following the GDPR approach, the Data Protection Bill intends to expand the definition of personal data to reflect the huge growth in technology over the last 20 years. Personal data will expressly include online identifiers such as IP addresses and cookie identifiers, and genetic data such as DNA.
To give effect to the GDPR's higher maximum fines of €20,000,000 or 4% of global annual turnover, whichever is higher, the Data Protection Bill will raise the ICO's maximum fine from the current £500,000 to £17,000,000 or 4% of global annual turnover, whichever is higher.
This gives the UK legislation the same deterrent effect as the GDPR: organisations that fail to comply risk a very heavy fine.
Criminal offences under the Data Protection Bill will be modernised so that prosecutions are effective and cover the full range of threats to data protection. There are three main changes to the criminal offences:
- A new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. This offence would attract an unlimited fine.
- A new offence of altering records with intent to prevent disclosure following a subject access request. This offence would attract an unlimited fine in England and Wales, and a level 5 fine (£5,000) in Scotland and Northern Ireland.
- The existing offence of unlawfully obtaining data will be widened so that it also catches those who retain data against the wishes of the data controller.
The GDPR allows Member States to derogate from certain provisions so that there is national flexibility on sensitive issues. The UK, through the Data Protection Bill, has taken its own stance and will legislate for the following GDPR derogations:
(i) Consent from Children
The GDPR sets the age at which a child can give their own consent to the processing of their personal data by online services at 16, but allows Member States to legislate for a lower threshold of no less than 13. Within the UK there are currently no specific rules on the minimum age at which a child can consent to data processing; where age restrictions do apply, the UK age is currently 12.
In the Statement of Intent, the UK has decided to allow children aged 13 and over to consent to data processing.
(ii) Processing Criminal Data
Because of the highly sensitive nature of criminal conviction and offence data, the GDPR only allows it to be processed under the control of official authority, unless a Member State legislates to authorise other bodies to process it subject to appropriate safeguards.
The UK has chosen to exercise this derogation so that current UK law is not impeded. Currently, the UK allows all organisations to process criminal data in specified circumstances.
The Bill will therefore preserve the ability of all organisations to process criminal data in those circumstances. The Government has confirmed it will take a similar approach to the processing of the special categories of personal data (sensitive personal data).
(iii) Automated Decision Making and Profiling
Under the GDPR, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects for them. This right is not absolute: Member States may legislate to authorise such decisions where suitable safeguards are in place to protect the data subject's rights, freedoms and legitimate interests.
The UK has decided to make use of this derogation and will legislate for an exemption that provides legitimate grounds for automated decision making, subject to such safeguards.
(iv) Research, Statistics and Archiving
The GDPR gives data subjects rights in relation to their personal data (for example the right to rectification and the right of access). Member States can derogate from these rights where personal data is processed for scientific or historical research, statistical purposes, or archiving in the public interest.
The UK has decided to exercise this derogation so that organisations carrying out scientific, historical, statistical and archiving functions in the public interest are exempt from those obligations. The derogation will only apply where compliance with the rights would seriously impair the organisation's ability to carry out its functions.
The GDPR does not cover the processing of personal data for the "prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security." The UK will therefore implement the Data Protection Law Enforcement Directive (Directive (EU) 2016/680) into UK law through the Data Protection Bill.
This ensures that there is a suitable framework in place for the processing of personal data for these purposes, with safeguards around the sharing of such information both domestically and internationally.
The UK is keen to increase cross-border data exchanges so that UK law enforcement agencies can transfer data to their counterparts in partner countries and international organisations.
National security is outside the scope of EU law, and the GDPR therefore does not address the processing of personal data for national security purposes.
The UK plans to provide a separate data protection framework for processing carried out for national security purposes.
Until the draft Data Protection Bill is released in early September, we will not know the exact terms of the UK's derogations from the GDPR. The Statement of Intent does, however, show how the UK has approached the available derogations and how it intends to implement them.
If your organisation operates in more than one EU Member State, you should be aware of these derogations and have a system in place for adapting your processes and systems to the variations between Member States.