The government has released a Statement of Intent (“the Statement”) for a new Data Protection Bill (“the Bill”). The Bill was originally announced in the Queen’s Speech earlier this year (see our previous blog on this). This Statement provides further detail on the government’s proposed reforms to data protection laws in the UK.
The Bill is intended to “bring EU law into domestic law” – referring to both the General Data Protection Regulation (“GDPR”) and the Data Protection Law Enforcement Directive (“DPLED”), which come into force next year. Essentially, the Bill helps the UK to prepare for the post-Brexit period and to facilitate the uninterrupted flow of data between the UK and the EU.
The Bill will repeal the Data Protection Act 1998 (“DPA”). It will remove inconsistencies and avoid any confusion as to which data protection standards apply. The Bill will apply to “all general data”, not just areas of EU competence – this is to ensure that businesses have a single standard under which they can operate.
Like the GDPR, the Statement introduces new measures for organisations which process personal data. For example, these include:
- Tougher rules on consent
- Enhanced rights for individuals
- Increased powers for the UK Information Commissioner’s Office (“ICO”)
In relation to the ICO’s powers, the Bill will allow the ICO to issue fines of up to £17 million, or 4% of global turnover, which is in line with the GDPR. The Information Commissioner, Elizabeth Denham, has commented on these proposed increased fines, stating she intends to use these powers “proportionately and judiciously” (see the recent ICO blog). She added that it would be “scaremongering” to make early examples of organisations for minor infringements, or for these maximum fines to become the norm. Businesses might take some comfort from these initial views of the ICO.