Update on Data Protection Bill
But it also deals with a number of issues relating to the implementation of the General Data Protection Regulation (GDPR) in the UK.
If you have had the good fortune of seeing the Bill, you will know first-hand that it is a lengthy and complex piece of legislation.
This complexity arises partly because of the Bill’s interaction with GDPR, which comes into effect on 25 May 2018.
The Bill sets out the UK’s approach to certain derogated matters under GDPR. However, as the current Data Protection Act 1998 applies to certain types of processing beyond that covered by EU law, it is also necessary to fill the gaps that would otherwise be created by the repeal of the 1998 Act.
After the UK leaves the EU, GDPR will be incorporated into UK law through the European Union (Withdrawal) Bill. The UK Government has emphasised that, above all else, it wants to ensure that UK data protection law mirrors EU law in order to facilitate international data flows. The aim of the Data Protection Bill is to deal with these matters.
It is encouraging that the UK Government has taken this stance. Impediments to the free movement of personal data between the UK and EU are likely to prove tricky for international businesses operating within a post-Brexit UK, but creating an environment that supports cross-border data flows will support them.
However, the European Commission will not automatically declare a finding of adequacy and will also consider things such as the compatibility of surveillance powers and data retention for law enforcement purposes.
What does the Data Protection Bill cover?
The Bill is divided into seven parts. The main focus for most will be on Parts 1 and 2, which set out the foundations of the data protection regime.
Parts 3 and 4 deal with processing in the law enforcement and intelligence services. Part 5 also preserves the office and functions of the Information Commissioner’s Office. Part 6, notably, sets out the data protection enforcement framework. And Part 7, finally, captures a number of loose ends, including criminal offences and additional discrete rights for data subjects.
Part 2 (general processing of personal data) supplements GDPR. For example, a “public authority” is any organisation that is a public authority for the purposes of freedom of information law. Part 2 also carries over many of the conditions for processing and exemptions that exist under the 1998 Act. Safeguards for processing for archiving, research and statistical purposes are established, and a regime is set up to authorise certification providers.
Notably, the digital age of consent is reduced to 13 years of age, the lowest age permissible under GDPR. When processing on the basis of consent, providers of online services will need the consent of a parent or guardian for children under the age of 13.
Finally, the Bill carries over a number of offences from the 1998 Act, but will also introduce new offences in relation to altering records to prevent disclosure following a subject access request, and intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data.
Status of the Bill
The Bill is still at the early stages of the legislative process and will be subject to considerable scrutiny in Parliament over the coming weeks, particularly given its length and complexity and the wide-ranging delegated powers that it proposes to provide to ministers.
It remains to be seen whether this leads to substantial changes being made to the Bill. Either way, the Bill will need to be in place for GDPR coming into force.