UK GDPR implementation moves forward with Data Protection Bill proposal
Objective of new legislation to maintain the UK’s current position as the largest internet economy in the G20
On 7 August 2017, the UK government published a Statement of Intent (Statement) setting out its proposals for a new Data Protection Bill (Bill) to reform UK data protection laws, as first announced in the Queen’s Speech in June 2017 (see our previous blog post). The Statement, which follows a wide-ranging consultation with public and private sector stakeholders, confirms the UK Government’s intention to ensure that the UK will continue to have modern, world class data protection laws which will not put the UK at a commercial disadvantage following Brexit.
Why do data protection laws need reforming?
The UK’s principal data protection law, the Data Protection Act 1998, is now nearly 20 years old. It has become outdated due to rapid developments in technology such as social media, cloud-based computing services, big data analytics and artificial intelligence. These developments have led to huge amounts of personal data being created about all of us daily, which is then stored, transferred and used in different locations around the world, often without individuals being aware.
The need to reform data protection laws is an issue affecting the whole of the European Union (EU), as the laws in each Member State (such as the Data Protection Act 1998 in the UK) implement the now outdated EU Data Protection Directive 95/46/EC.
Following several years of negotiation, the EU reached agreement in May 2016 on the form of a comprehensive new data protection law, the General Data Protection Regulation 2016/279 (GDPR), which will apply directly throughout the EU from 25 May 2018 (see here for our previous GDPR blog posts). The GDPR aims to modernise and strengthen EU data protection laws to ensure that individuals continue to be adequately protected in an increasingly online world.
What are the Government’s objectives for the Bill?
The overriding objective of the Bill is to maintain the UK’s current position as the largest internet economy in the G20 by giving consumers confidence that its data rules are “fit for the digital age in which we live.”
More specifically, the Government has three interrelated objectives which it hopes to achieve through the Bill:
- Maintaining the public’s trust in how their personal data is collected and used.
- Facilitating future trade between the UK, EU and other countries around the world.
- Tackling crime by facilitating cooperation between criminal justice agencies.
What are the key features of the Government’s proposals?
For businesses, the most important feature of the Bill is that it will repeal the current Data Protection Act 1998 and implement the GDPR into UK law to ensure that, following Brexit, the UK will continue to have data protection laws which offer equivalent standards to the GDPR, thereby ensuring that personal data can continue to be readily transferred between the UK and EU. The Bill will also implement into UK law the Data Protection Law Enforcement Directive 2016/680, which will modernise EU laws relating to the protection of individuals’ personal data in connection with criminal investigations and law enforcement action.
The Statement highlights a number of specific provisions which will be included in the Bill and will be of key relevance to businesses. Whilst many of these derive from the GDPR itself, a number of the provisions will be specific to the UK, including:
1. Creating new criminal offences with unlimited fines, including:
   - intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence; and
   - altering records with the intent to prevent disclosure following a subject access request. This would apply to all data controllers and processors, not just public authorities.
2. Widening the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller. This would apply even if the relevant data was initially obtained lawfully.
3. Exercising the derogations available to the UK in the GDPR, notably:
   - to allow individuals to require social media platforms on request to delete information held about them at the age of 18;
   - to allow the processing of personal data by automated means even where the individual has not explicitly consented or it is not necessary for entering or performing a contract. Measures will however be implemented to provide individuals with recourse against unfavourable automated decisions;
   - to allow organisations other than authorised public bodies to process personal data on criminal convictions and offences (for example, employers running criminal records checks on potential employees); and
   - to allow for journalistic activity in the public interest to be carried out by broadly replicating the current exemptions in section 32 of the Data Protection Act 1998 to balance freedom of expression of the media and the right to privacy for individuals.
4. Revising the GDPR default position on requiring parents or guardians to give consent to information services where a child is under the age of 16, by lowering this requirement to where a child is under the age of 13.
5. Applying the new data protection standards established by the Bill to all general data, not just those areas which fall within EU competence, in order to create a clear and coherent data protection regime.
6. Clarifying that in the UK the maximum fines for breaches of the law will be the greater of £17m or 4% of global turnover.
When will the Bill be published?
It is currently expected that the Bill will be published in September 2017, following which it will be subject to Parliamentary scrutiny and debate.
Amid the widespread uncertainty created by Brexit, businesses planning for the GDPR will welcome the greater clarity offered by the specific proposals set out in the Statement. These proposals should, if enacted in the form set out in the Statement, allow businesses to continue to progress their GDPR preparations with the assurance that the GDPR will apply to their businesses in the period between 25 May 2018 and Brexit, and that equivalent standards will continue to apply in the period following Brexit.
The provisions of the Bill will not reduce the challenges faced by businesses in preparing for the GDPR. If implemented as currently proposed in the Statement, however, they should remove the additional regulatory and commercial hurdles which would have been created if a post-Brexit UK had less stringent data protection laws than the GDPR.
See the Government press release here.
See the Statement here.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.