The General Data Protection Regulation (GDPR) will take effect on 25 May next year and will be retained in UK law; the new Bill will extend the GDPR to non-EU matters, incorporate a distinct national security regime, give effect to the Law Enforcement Directive, create two new criminal offences and implement the exemption and derogation powers in the GDPR. The Data Protection Act 1998 will be repealed.
Some significant questions remain to be answered when the Bill is published.
In the Queen's Speech, the UK Government promised a Data Protection Bill to replace the Data Protection Act 1998. Shortly before the General Election was announced, the Department for Culture, Media and Sport put out a call for views on the implementation of the derogations permitted in GDPR. The responses to this call for views have now been published at the same time as the Statement of Intent which summarises the Government's proposal. Respondents to the Call for Views were also sent a document (the Annex) setting out in more detail the government’s approach to dealing with the derogations and flexibilities permitted by the GDPR. The general approach is to depart as little as possible from the 1998 Act.
Although mainstream press coverage – and the Government’s press release – suggest the UK Government is proposing its own data protection agenda, the Statement and Annex make it clear that the GDPR will be applied in the UK both before and after Brexit with a cautious approach to extending exemptions.
What we know now – a farewell to the Data Protection Act.
The Statement sets out some detail on the Government’s objectives and proposed approach. The Bill will repeal and replace the Data Protection Act 1998. The Bill will "bring EU law into our domestic law," addressing the GDPR and also implementing the Law Enforcement Directive. It will also include a "distinct framework" for national security based on principles set out in Council of Europe's Convention 108. The Government's objectives are described as being the maintenance of public trust, the ability to transfer data for international trade and the ability to collect, share and process data for national security. We focus below on the derogations from the GDPR, and the proposed new criminal offences.
Dealing with GDPR
- The GDPR will take direct effect in the UK on 25 May 2018 and will be consolidated into UK law by the Withdrawal Bill at the time of Brexit.
The 1998 Act will be repealed to "avoid confusion" between multiple standards. The Statement notes that "implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act."
The GDPR rights and obligations will be extended "to all general data" outside current EU competence to ensure consistency. This approach might assist in demonstrating that the UK is an adequate jurisdiction for EU data post Brexit: the Statement specifically acknowledges that the Government is "committed to uninterrupted data flows" and this is a key objective of this proposed legislation.
- Existing derogations under the Data Protection Act are likely to be retained – and rarely exceeded
The Government intends to "retain many of the enablers of processing essential to all sectors of the economy." The Annex confirms that there has been a policy decision to retain existing exemptions and derogations in the Data Protection Act (and presumably its associated statutory instruments) with any "necessary adjustments" for new GDPR rights. The Annex suggests that new exemptions will only be adopted where there is a specific provision in the GDPR inviting Member States to legislate.
Two specific examples are highlighted in the Statement. First, s.32 of the Data Protection Act on the protection of journalism, literature and art will be broadly replicated. It is perhaps regrettable that the government has not taken the opportunity provided by Article 85 of the GDPR to implement wider protection for freedom of expression. It is possible that the judiciary might yet have to resolve conflicts between data protection legislation and the right to freedom of expression embodied in the Human Rights Act 1998.
Secondly, the existing approach of treating criminal offence data in a similar way to sensitive personal data will be retained.
- New derogations will be extended in specific areas, such as research, significant automated decision making and the manifesto's promised social media right to be forgotten
The Statement sets out, in limited detail, three new and "notable" derogations that will be included in the Bill. Some additional detail is provided in the Annex. These cover:
- Research: the Statement and Annex discuss the introduction of an exemption to the rights of access, rectification, restriction and objection where those rights would seriously impede research – this is expressly permitted under Article 89(2) of the GDPR. Examples of circumstances where these exemptions could apply are given as protecting the integrity of statistical data where removal would affect the statistical "pool" and the importance of retaining inaccurate data where this might allow audits of a flawed decision-making process. No details are given on the "appropriate organisational safeguards" that will be needed to rely on this exemption.
- Automated Decision Making: the Government will provide an exemption to the right not to be subject to significant automated decision making under Article 22 of the GDPR. Member States are entitled, under Article 22(2)(b), to authorise significant automated decisions where certain safeguards are in place. The Annex states that this authorisation would be based on safeguards provided in the Data Protection Act. Although the Annex refers to "narrow" exemptions, the policy approach appears to preserve the existing UK approach, which allows such decisions to be made provided individuals can seek human review as a right of recourse.
- Social Media and Online Services: as widely expected, the UK will exercise its right under Article 8(1) to reduce the age at which parental consent for information services is required to 13. This will be welcomed by multinational social media platforms, given that this aligns with the age requirements set by COPPA in the United States. Less welcome will be the Government's continued commitment to introduce a specific additional right to require social media platforms to "on request, delete information held about them at the age of 18."
No clear intention to extend grounds for processing sensitive data
The GDPR introduces a number of areas where Member States can introduce new legal grounds for processing sensitive personal data in accordance with law. Examples of this include a legal basis for scientific and statistical processing and wider grounds for processing public health data.
The Statement does not deal with the UK's right to introduce any new legal grounds for processing sensitive data, and the Annex fails to discuss any legal grounds for processing sensitive data not already set out in UK law. This could signal what would be a regrettable decision to stick with the research ground in the existing Data Protection (Processing of Sensitive Personal Data) Order 2000, which is limited to research in the substantial public interest. Organisations that have been lobbying for new legal grounds due to changes to consent in the GDPR will also be concerned that the Annex talks specifically about retaining existing legal grounds rather than extending their scope.
New criminal offences will raise the stakes for reckless or knowing non-compliance
The Government intends to extend one existing criminal offence and introduce two new criminal offences. These are:
- A new offence for "intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data." A similar proposed offence announced in Australia last October has struggled to make progress because of criticism from the research community and opposition parties.
- A further new offence for "altering records with intent to prevent disclosure following a subject access request." This is intended to mirror a similar provision under s.77 of the Freedom of Information Act 2000 – where the offence covers a broad range of activities that lead to information being unlawfully withheld from disclosure, and applies not only to organisations but to their officers and employees.
- The existing blagging offence for unlawfully obtaining data will be extended to "capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully)."
All of these offences will be punishable by an unlimited fine, and may be 'reportable' offences (which means that they may be included on a criminal record check). Exemptions will be granted for journalists and whistleblowers to avoid a chilling effect on journalism.
Some interesting procedural points
The Annex sets out some interesting if not unexpected details on changes to procedure. In particular:
- The Government confirms that, as required under Article 80, non-profit organisations will be permitted to bring cases on behalf of data subjects and seek compensation on their behalf. In a country that has limited rights for collective action, this may become a popular method of seeking redress.
- The broad wording used in paragraph 5 of Schedule 2 of the Data Protection Act will be used as a basis for "public interest purposes", and the definition of public authority will follow that of the Freedom of Information Act 2000.
- The Secretary of State will have the right to permit certain international transfers of data in the substantial public interest.
- Provisions on mutual assistance with EU data protection authorities will be included, with a view to facilitating a post-Brexit relationship.
What does this mean for organisations in the UK?
The Statement speaks of ensuring that there will be "less bureaucracy" and "simpler rules", but it is unlikely that any changes will be made to reduce the effect of GDPR given the concerns over trade with the EU. The derogations presented are relatively uncontroversial – indeed, the criticism may be that they do not go far enough to anticipate issues that may be faced by organisations dealing with a much tougher regulatory environment, particularly on the processing of sensitive data.
Given that the call for views received 170 responses from organisations across a wide variety of sectors, from science to sport, many organisations will be disappointed that their different GDPR challenges have not been fully addressed. Organisations that see unresolved issues presented by the GDPR will anxiously await the publication of the Data Protection Bill next month. If appropriate derogations or exemptions are not provided, DCMS, Ministers and MPs can expect the Bill to be subject to substantial lobbying and debate.