What are the implications of the draft Data Protection Bill?
The much anticipated first draft of the UK’s Data Protection Bill (the Bill) has been introduced to the House of Lords.
With the aim of incorporating the European Union (EU) General Data Protection Regulation (GDPR) into English law, the Bill will eventually replace the existing Data Protection Act 1998. The Bill was put before the House of Lords on 13 September 2017 and is currently at the committee stage.
The Bill includes measures to ‘Brexit-proof’ the new legislation in advance of Britain’s departure from the EU. As the GDPR will cease to have direct effect post-Brexit, the Bill seeks to enable a straightforward and frictionless continuation of the process of personal data exchange between the UK and EU by closely mirroring GDPR standards.
Despite the GDPR having direct effect from 25 May 2018 in all Member States including the UK, there are areas of the Regulation which allow Member States to implement their own laws, such as in relation to processing of employee data or processing related to immigration. The Bill therefore sheds light on the UK’s interpretation and approach to the GDPR.
The Bill extends the reach of its GDPR-like data protection principles to aspects of the regime governing data processing by law enforcement and the security services, as the Bill also implements the EU’s Law Enforcement Directive. In fact, much of the Bill concerns the processing and transfer of data by public bodies, law enforcement and security services, areas which have been subject to tough enforcement action by the UK data protection regulator, the Information Commissioner’s Office (ICO).
Whilst there is a focus on data processing in the context of B2C interactions, there are a number of areas which will be of interest to those data controllers and data processors handling data in a B2B context, for instance in relation to territorial application.
Whereas the Bill captures both controllers and processors based outside of the UK in respect of B2C interactions, there does not appear to be any express wording dealing with data controllers in a B2B context.
The Bill provides that a controller must be ‘established’ within the UK and process personal data in the context of its activities for it to be captured. From this drafting, it is not yet apparent whether data controllers outside of the EU will be caught by the scope of the Bill. Clarity may be provided through further revisions of the Bill; however, at present this represents a potential grey area post-Brexit.
The Bill provides new requirements for employers to fulfil in relation to their data processing and handling activities. In particular, the Bill requires employers to draft their own policy document demonstrating how they are complying with the GDPR and the Bill – for example in relation to sensitive data and any retention and erasure procedures.
Following from this, the Bill derogates from the GDPR in allowing employers to process sensitive and criminal conviction data without the consent of the data subject as long as there is legal justification to do so – in this context, to comply with employment law obligations, for example.
As explained above, the Bill appears to remain silent on data transfers in a B2B context. Although provisions are set out for the transfer of data to third party countries, the Bill only deals expressly with transfers made with regard to public interest considerations and in relation to law enforcement processing.
Despite the Bill being a lengthy piece of legislation, the content is on the whole reflective of the GDPR. Although the Bill adds some clarity in the areas where the GDPR does not legislate, there is still a large degree of uncertainty around the GDPR which the Bill fails to clear up, for example in relation to extra-territorial effect. Of course, the Bill may be amended during the legislative process, when the Information Commissioner will also have the opportunity to provide input. In the meantime, organisations should continue to look out for guidance published by the ICO and the Article 29 Working Party.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.