The General Data Protection Regulation (GDPR) will take effect on 25 May next year and will be retained in UK law; the new Bill will extend the GDPR to non-EU matters, incorporate a distinct national security regime, give effect to the Law Enforcement Directive, create two new criminal offences and implement the exemption and derogation powers in the GDPR. The Data Protection Act 1998 will be repealed.
Some significant questions remain to be answered when the Bill is published.
In the Queen's Speech, the UK Government promised a Data Protection Bill to replace the Data Protection Act 1998. Shortly before the General Election was announced, the Department for Culture, Media and Sport put out a call for views on the implementation of the derogations permitted in GDPR. The responses to this call for views have now been published at the same time as the Statement of Intent which summarises the Government's proposal. Respondents to the Call for Views were also sent a document (the Annex) setting out in more detail the government’s approach to dealing with the derogations and flexibilities permitted by the GDPR. The general approach is to depart as little as possible from the 1998 Act.
Although mainstream press coverage – and the Government’s press release – suggest the UK Government is proposing its own data protection agenda, the Statement and Annex make it clear that the GDPR will be applied in the UK both before and after Brexit with a cautious approach to extending exemptions.
What we know now – a farewell to the Data Protection Act.
The Statement sets out some detail on the Government’s objectives and proposed approach. The Bill will repeal and replace the Data Protection Act 1998. The Bill will "bring EU law into our domestic law," addressing the GDPR and also implementing the Law Enforcement Directive. It will also include a "distinct framework" for national security based on principles set out in Council of Europe's Convention 108. The Government's objectives are described as being the maintenance of public trust, the ability to transfer data for international trade and the ability to collect, share and process data for national security. We focus below on the derogations from the GDPR, and the proposed new criminal offences.
Dealing with GDPR
The 1998 Act will be repealed to "avoid confusion" between multiple standards. The Statement notes that "implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act."
The GDPR rights and obligations will be extended "to all general data" outside current EU competence to ensure consistency. This approach might assist in demonstrating that the UK is an adequate jurisdiction for EU data post Brexit: the Statement specifically acknowledges that the Government is "committed to uninterrupted data flows" and this is a key objective of this proposed legislation.
The Government intends to "retain many of the enablers of processing essential to all sectors of the economy." The Annex confirms that there has been a policy decision to retain existing exemptions and derogations in the Data Protection Act (and presumably its associated statutory instruments) with any "necessary adjustments" for new GDPR rights. The Annex suggests that new exemptions will only be adopted where there is a specific provision in the GDPR inviting Member States to legislate.
Two specific examples are highlighted in the Statement. First, s.32 of the Data Protection Act on the protection of journalism, literature and art will be broadly replicated. It is perhaps regrettable that the government has not taken the opportunity provided by Article 85 of the GDPR to implement wider protection for freedom of expression. It is possible that the judiciary might yet have to resolve conflicts between data protection legislation and the right to freedom of expression embodied in the Human Rights Act 1998.
Secondly, the existing approach of treating criminal offence data in a similar way to sensitive personal data will be retained.
The Statement sets out, in limited detail, three new and "notable" derogations that will be included in the Bill. Some additional detail is provided in the Annex. These cover:
No clear intention to extend grounds for processing sensitive data
The GDPR introduces a number of areas where Member States can introduce new legal grounds for processing sensitive personal data in accordance with law. Examples of this include a legal basis for scientific and statistical processing and wider grounds for processing public health data.
The Statement does not deal with the UK's right to introduce any new legal grounds for processing sensitive data, and the Annex fails to discuss any legal grounds for processing sensitive data not already set out in UK law. This could signal what would be a regrettable decision to stick with the research ground in the existing Data Protection (Processing of Sensitive Personal Data) Order 2000, which is limited to research in the substantial public interest. Organisations who have been lobbying for new legal grounds due to changes to consent in the GDPR will also be concerned that the Annex talks specifically about retaining existing legal grounds rather than extending their scope.
New criminal offences will increase the risk of reckless or knowing non-compliance
The Government intends to extend one existing criminal offence and introduce two new criminal offences. These are:
All of these offences will incur an unlimited fine, and may be 'reportable' offences (which means that they may be included on a criminal record check). Exemptions will be granted for journalists and whistleblowers to avoid a chilling effect on journalism.
Some interesting procedural points
The Annex sets out some interesting if not unexpected details on changes to procedure. In particular:
What does this mean for organisations in the UK?
The Statement speaks of ensuring that there will be "less bureaucracy" and "simpler rules", but it is unlikely that any changes will be made to reduce the effect of GDPR given the concerns over trade with the EU. The derogations presented are relatively uncontroversial – indeed, the criticism may be that they do not go far enough to anticipate issues that may be faced by organisations dealing with a much tougher regulatory environment, particularly on the processing of sensitive data.
Given that the call for views received 170 responses from organisations across a wide variety of sectors, from science to sport, many organisations will be disappointed that their different GDPR challenges have not been fully addressed. Organisations who see unresolved issues presented by the GDPR will anxiously await the publication of the Data Protection Bill next month. If appropriate derogations or exemptions are not provided, DCMS, Ministers and MPs can expect the Bill to be subject to substantial lobbying and debate.