The government has released a Statement of Intent (“the Statement”) for a new Data Protection Bill (“the Bill”). The Bill was originally announced in the Queen’s Speech earlier this year (see our previous blog on this). This Statement provides further detail on the government’s proposed reforms to data protection laws in the UK.
The Bill is intended to “bring EU law into domestic law” – referring to both the General Data Protection Regulation (“GDPR”) and the Data Protection Law Enforcement Directive (“DPLED”), which come into force next year. Essentially, the Bill helps the UK to prepare for post-Brexit and facilitate the uninterrupted flow of data between the UK and the EU.
The Bill will repeal the Data Protection Act 1998 (“DPA”). It will remove inconsistencies and avoid any confusion as to which data protection standards apply. The Bill will apply to “all general data”, not just areas of EU competence – this is to ensure that businesses have a single standard which they can operate.
Like the GDPR, the Statement introduces new measures for organisations which process personal data. For example, these include:
- Tougher rules on consent
- Enhanced rights for individuals
- Increased powers for the UK Information Commissioner’s Office (“ICO”)
In relation to the ICO’s powers, the Bill will allow the ICO to issue fines of up to £17 million, or 4% of global turnover, which is in line with the GDPR. The Information Commissioner, Elizabeth Denham, has commented on these proposed increased fines, stating she intends to use these powers “proportionately and judiciously” (see the recent ICO blog). She added that it would be “scaremongering” to make early examples of organisations for minor infringements, or for these maximum fines to become the norm. Businesses might take some comfort from these initial views of the ICO.
The Statement provides some insight into how the government intends to apply the EU Member State derogations that are permitted under the GDPR. Some specific areas to note:
- Consent from children – protecting children online: the GDPR requires consent from a parent or guardian where a child is below the age of 16, unless the Member State legislates for a lower age of no less than 13. The government confirms that it shall lower the age of consent to 13 years, which will no doubt be welcomed by social media platforms. In doing so, the government has acknowledged that age control should be better enforced. The government also plans to go further than the prescribed ‘right to be forgotten’, and allow individuals to require social media platforms to delete information they posted during their childhood.
- Processing criminal conviction and offence data: under the GDPR, companies are not allowed to process personal data on criminal convictions and offences unless permitted by bodies vested with official authority, or specifically authorised by Member State law. The government intends to legislate to extend the right to process criminal conviction and offence data so organisations other than those vested with official authority can process the data. The UK will, therefore, take a similar approach to processing sensitive data. This is important where companies have a legitimate need to process such data – e.g., organisations which need to perform accurate criminal records checks to safeguard children and vulnerable adults.
- Automated individual decision-making: according to the GDPR, an individual has the right not to be the subject of automated decision-making, including “profiling”. Member States may provide for an exemption to this where suitable measures are in place to safeguard the individual’s rights. The Bill will ensure there are legitimate grounds for processing personal data by automated means. Individuals will, however, have the right to request that processing is reviewed by a person, not a machine, where decisions are based solely on automated processing.
- Freedom of expression in the media: the government has clarified that it intends to broadly replicate section 32 of the DPA (i.e., processing is undertaken with a view to publication).
- Research: the government provides that a research exemption will be available to research organisations and archiving services, which do not have to respond to subject access requests where this would seriously impair or prevent them from fulfilling their purposes.
- Criminal sanctions: The Bill will create two new offences – (1) intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data; and (2) altering records with intent to prevent disclosure following a subject access request.
The green light is still switched on for UK organisations to focus on GDPR compliance.
While the Statement provides more clarity on how the government intends to align the UK’s data protection laws with the EU, there’s not a great deal of new information. Most of the proposals reflect the requirements under the GDPR, and businesses should already be preparing for this. Many of the proposed derogations follow the current regime under the DPA, and where these seem to go further than the GDPR, detail is still lacking.
We now hold our breath for the draft Bill to be published.