The Government recently published updated versions of Keeling Schedules showing potential changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
Whilst no doubt there will be further amendments, the schedules are worth studying for a clear picture as to the impact of the Bill.
In a recent development, the Information Commissioner has weighed in on the debate surrounding the Data Protection and Digital Information Bill (DPDI Bill), legislation aimed at modernising data protection in the UK. While acknowledging the government’s efforts to strengthen the independence of the Information Commissioner’s Office (ICO) and update data protection practices, the Commissioner’s response highlights significant concerns, particularly around the use of personal data in social security contexts. We wrote a detailed breakdown on our blog here.
The response, detailed and thorough, applauds the government’s amendments to the bill, recognising their potential to enhance ICO’s autonomy and bring data protection practices up to date with the digital age. However, the Commissioner expresses reservations about the adequacy of safeguards in the current draft of the bill, especially in terms of personal data handling for social security purposes.
The Commissioner’s concern primarily revolves around the need for more precise language in the bill. This is to ensure that its provisions are fully aligned with established data protection principles, thereby safeguarding individual rights. The response suggests that the current wording might be too broad or vague, potentially leading to misuse or overreach in the handling of personal data.
Importantly, the Commissioner has provided detailed technical feedback for further improvements to the bill. It indicates a need for scrutiny and adjustments to the bill to ensure that it not only meets its intended purpose but also robustly protects the rights of individuals.
While the Commissioner supports the bill’s overarching aim to enhance the UK’s data protection regime, the emphasis is clearly on the necessity of refining the bill. This is to ensure it strikes the right balance between enabling data use for public and economic benefits and protecting individual privacy rights.
The response from the Information Commissioner is a significant moment in the ongoing development of the DPDI Bill. It underscores the complexity and importance of legislating in the digital age, where data plays a crucial role in both the economy and personal privacy.
As the bill progresses, the government and legislators should consider the Commissioner’s input. The balance they strike in the final version of the bill will be a key indicator of the UK’s approach to data protection in a rapidly evolving digital landscape.
In March, the UK Department for Science, Information and Technology (DSIT) published the Data Protection and Digital Information (No.2) Bill. The Bill is now going through Parliament. If enacted, it will make changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
Our director, Ibrahim Hasan, recently took part in a webinar organised by eCase. In this 45 minute session Ibrahim, alongside Data Protection experts Jon Baines of Mishcon de Reya and Lynn Wyeth of Leicester City Council, discusses the new Bill including:
The key changes
The differences with the current regime
What the changes mean for the public sector
The challenges
To access the webinar recording click here ((note: eCase email registration required to access)
The new Bill will be discussed in detail on our forthcoming GDPR Update workshop.
On 8th March 2023, the UK Department for Science, Information and Technology (DSIT) published the Data Protection and Digital Information (No.2) Bill (“the new Bill”). If enacted, it will make changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
According to the DSIT press release, the Bill will result in a “new common-sense-led UK version of the EU’s GDPR [and will] will reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.” It also claims that the reforms are “expected to unlock £4.7 billion in savings for the UK economy over the next 10 years.” How this figure has been calculated is not explained but we have been here before! Remember the red bus?
How did we get here?
This is the second version of a bill designed to reform the UK data protection regime. In July 2022, the Government published the Data Protection and Digital Information Bill (“the previous Bill”). This was paused in September 2022 so ministers could engage in “a co-design process with business leaders and data experts” and move away from the “one-size-fits-all’ approach of European Union’s GDPR.” On 3rd October 2022, during the Conservative Party Conference, Michelle Donelan, then the new Secretary for State for Digital, Culture, Media and Sport (DCMS), made a speech announcing a plan to replace the UK GDPR with a new “British data protection system”. Another full consultation round was expected but never materialised.
The previous Bill have now been withdrawn. We will provide analysis and updates on the new Bill, as it progresses through Parliament, over the coming months. An initial summary of the key proposals, both old and new, is set out below:
What remains the same from the original bill?
Many of the proposals in the new Bill are the same as contained in the previous Bill. For a detailed analysis please read our previous blog post. Here is a summary:
Amended Definition of Personal Data: This proposed change would limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world.
Vexatious Data Subject Requests: The terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, will be replaced with “vexatious” or “excessive” requests. Explanation and examples of such requests will also be included.
Data Subject Complaints: Data Controllers will be required to acknowledge receipt of Data Subject complaints within 30 days and respond substantively “without undue delay”. The ICO will be entitled not to accept a complaint, if a Data Subject has not made a complaint to the controller first.
Data Protection Officer: The obligation for some controllers and processors to appoint a Data Protection Officer (DPO) will be removed. However, public bodies and those who carry out processing likely to result in a “high risk” to individuals will be required to designate a senior manager as a “Senior Responsible Individual”.
International Transfers:There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and when Data Controllers are carrying out a Transfer Impact Assessment or TIA. The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR. (For more detail see also our forthcoming International Transfers webinar).
The Information Commission: The Information Commissioner’s Office will transform into the Information Commission; a corporate body with a chief executive.
Business Data: The Secretary of State and the Treasury will be given the power to issue regulations requiring “data holders” to make available “customer data” and “business data” to customers or third parties, as well as regulations requiring certain processing, such as collection and retention, of such data.
PECR: Cookies will be allowed to be used without consent for the purposes of web analytics and to install automatic software updates. Furthermore non-commercial organisations (e.g. charities and political parties) will be able to rely on the “soft opt-in” for direct marketing purposes, if they have obtained contact details from an individual expressing interest.Finally, there will be an increase to the fines from the current maximum of £500,000 to UK GDPR levels i.e. up to £17.5m of 4% of global annual turnover (whichever is higher).
What has changed?
The new Bill does not make any radical changes to the previous Bill; rather it clarifies some points and provides a bit more flexibility in other areas. The main changes are summarised below:
Scientific Research: The definition of scientific research is amended so that it now includes research for the purposes of commercial activity. This expands the circumstances in which processing for research purposes may be undertaken, providing a broader consent mechanism and exemption to the fair processing requirement.
Legitimate Interests: The previous Bill proposed that businesses could rely on legitimate interests (Article 6 lawful basis) without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are “recognised”. These “recognised” legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement. The new Bill, whilst keeping the above changes, introduces a non-exhaustive list of cases where organisations may rely on the “legitimate interests” legal basis, including for the purposes of direct marketing, transferring data within the organisation for administrative purposes and for the purposes of ensuring the security of network and information systems; although a balancing exercise still needs to be conducted in these cases.
Automated Decision Making: The previous Bill clarified that its proposed restrictions on automated decision-making under Article 22 UK GDPR should only apply to decisions that are a result of automated processing without “meaningful human involvement”. The new Bill states that profiling will be a relevant factor in the assessment as to whether there has been meaningful human involvement in a decision.
Records of Processing Activities (ROPA): The previous Bill streamlined the required content of ROPAs. The new Bill exempts all controllers and processors from the duty to maintain a ROPA unless they are carrying out high risk processing activities.
The Impact
The EU conducts a review of adequacy with the UK every four years; the next adequacy decision is due on 27th June 2025. Some commentators have suggested that the changes may jeopardise the UK’s adequate status and so impact the free flow of data between the UK and EU. We disagree. Although the Government states that the new Bill is “a new system of data protection”, it still retains the UK GDPR’s structure and fundamental obligations. Some tinkering around the edges is not really going to have much of an impact (see the helpful redline version of the new Bill produced by the good people at Hogen Lovells). Organisations that are already compliant with the UK GDPR will not be required to make any major changes to their systems and processes.
The new Bill has been introduced at the first reading stage. The second reading, due to be scheduled within the next few weeks, which will be the first time the Government’s data protection reforms will be debated in Parliament. We expect the Bill to be passed in a form similar to the one now published and come into force later this year.
In an amendment made in the House of Commons, clause 12 of the Bill amend Article 15 of the UK GDPR so that when responding to a subject access request the Data Subject the data subject is only entitled “to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information”.
In July the Government published the Data Protection and Digital Information Bill, the next step in its much publicised plans to reform the UK Data Protection regime following Brexit.
In the Government’s response to the September 2021 consultation (“Data: A New Direction”) it said it intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” To achieve this, the new Bill proposes substantial amendments to existing UK data protection legislation; namely the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). There is no shiny new Data Protection Act 2022 or even a new colour for the UK GDPR! Perhaps a missed opportunity to showcase the benefits of Brexit!
In addition to reforming core data protection law, the Bill deals with certification of digital identity providers, electronic registers of births and deaths and information standards for data-sharing in the health and adult social care system. The notable DP provisions are set out below.
Amended Definition of Personal Data
Clause 1 of the Bill limits the scope of personal data to:
where the information is identifiable by the controller or processor by reasonable means at the time of the processing; or
where the controller or processor ought to know that another person will likely obtain the information as a result of the processing and the individual will likely be identifiable by that person by reasonable means at the time of the processing.
This proposed change would limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world. It could make it easier for organisations to achieve data anonymisation as they would no longer need to concern themselves with potential future identifiability, with the focus instead being on identifiability “at the time of the processing”. On the other hand, the change does not address the risk of indirect identification.
Vexatious Data Subject Requests
Article 12 of the UK GDPR allows controllers to refuse to comply with data subject rights requests (or charge a fee) when the requests are “manifestly unfounded” or “excessive”. Clause 7 of the Bill proposes to replace this with “vexatious” or “excessive”. Examples of vexatious requests given in the Bill are those requests intended to cause distress, not made in good faith, or that are an abuse of process. All these could easily fit into “manifestly unfounded” and so it is difficult to understand the need for change here.
Data Subject Complaints
Currently, the UK GDPR allows a data subject to complain to the Information Commissioner, but nothing expressly deals with whether or how they can complain to a controller. Clause 39 of the Bill would make provision for this and require the controller to acknowledge receipt of such a complaint within 30 days and respond substantively “without undue delay”. However, under clause 40, if a data subject has not made a complaint to the controller, the ICO is entitled not to accept the complaint.
Much was made about “privacy management programmes” in the Government’s June announcement. These are not expressly mentioned in the Bill but most of the proposals that were to have fallen under that banner are still there (see below).
Senior Responsible Individuals
As announced in June, the obligation for some controllers and processors to appoint a Data Protection Officer (DPO) is proposed to be removed. However, public bodies and those who carry out processing likely to result in a “high risk” to individuals, are required (by clause 14) to designate a senior manager as a “Senior Responsible Individual”. Just like the DPO, the SRI must be adequately resourced and cannot be dismissed for performing their tasks under the role. The requirement for them to be a senior manager (rather than just reporting to senior management, as current DPOs must) will cause problems for those organisations currently using outsourced DPO services.
ROPAs and DPIAs
The requirement for Records of Processing Activities (ROPAs) will also go. Clause 15 of the Bill proposes to replace it with a leaner “Record of Processing of Personal Data”. Clause 17 will replace Data Protection Impact Assessments (DPIAs) with leaner and less prescriptive Assessments of High Risk Processing. Clause 18 ensures that controllers are no longer required, under Article 36 of the UK GDPR, to consult the ICO on certain high risk DPIAs.
Automated Decision Making
Article 22 of UK GDPR currently confers a “right” on data subjects not to be subject to automated decision making which produces legal effects or otherwise significantly affects them. Clause 11 of the Bill reframes Article 22 in terms of a positive right to human intervention. However, it would only apply to “significant” decisions, rather than decisions that produce legal effects or similarly significant effects. It is unclear whether this will make any practical difference.
International Transfers
The judgment of the European Court of Justice (ECJ) in “Schrems II” not only stated that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal transfer tool. It also said that in any international data transfer situation, whether to the USA or other countries, the data exporter needs to make a complex assessment about the recipient country’s data protection legislation to ensure that it adequately protects the data especially from access by foreign security agencies (a Transfer Impact Assessment or TIA) .
The Bill amends Chapter 5 of the UK GDPR (international transfers) with the introduction of the “data protection test” for the above mentioned assessment. This would involve determining if the standard of protection provided for data subjects in the recipient country is “not materially lower” than the standard of protection in the UK. The new test would apply both to the Secretary of State, when making “adequacy” determinations, and to controllers, when deciding whether to transfer data. The explanatory notes to the Bill state that the test would not require a “point- by-point comparison” between the other country’s regime and the UK’s. Instead an assessment will be “based on outcomes i.e. the overall standard of protection for a data subject”.
An outcome based approach will be welcome by organisations who regularly transfer personal data internationally especially where it is of no practical interest to foreign security agencies. However, this proposed approach will attract the attention of the EU (see later). (see also our forthcoming International Transfers webinar).
The Information Commission
Under clause 100 of the Bill, the Information Commissioner’s Office will transform into the Information Commission; a corporate body with a chief executive (presumably John Edwards, the current Commissioner).
The Commission would have a principal function of overseeing data protection alongside additional duties such as to have regard to the desirability of promoting innovation; the desirability of promoting competition; the importance of the prevention, investigation, detection and prosecution of criminal offences; and the need to safeguard public security and national security. New powers for the Commission include an audit/assessment power (clause 35) to require a controller to appoint a person to prepare and provide a report and to compel individuals to attend for interviews (clause 36) in civil and criminal investigations.
The Bill also proposes to abolish the Surveillance Camera Commissioner and the Biometrics Commissioner.
Privacy and Electronic Communications (EC Directive) Regulations 2003
Currently, under PECR, cookies (and similar technologies) can only be used to store or access information on end user terminal equipment without express consent where it is “strictly necessary” e.g. website security or proper functioning of the site. The Bill proposes allowing cookies to be used without consent for the purposes of web analytics and to install automatic software updates (see the GDPR enforcement cases involving Google Analytics).
Another notable proposed change to PECR, involves extending “the soft opt-in” to electronic communications from organisations other than businesses. This would permit political parties, charities and other non-profits to send unsolicited email and SMS direct marketing to individuals without consent, where they have an existing supporter relationship with the recipient.
Finally on PECR, the Bill proposes to increase the fines for infringement from the current maximum of £500,000 to UK GDPR levels i.e. up to £17.5m of 4% of global annual turnover (whichever is higher).
Business Data
The Bill would give the Secretary of State and the Treasury the power to issue regulations requiring “data holders” to make available “customer data” and “business data” to customers or third parties, as well as regulations requiring certain processing, such as collection and retention, of such data. “Customers” would not just be data subjects, but anyone who purchased (or received for free) goods, services or digital content from a trader in a consumer (rather than business) context. “Business data” would include information about goods, services and digital content supplied or provided by a trader. It would also include information about where those goods etc. are supplied, the terms on which they are supplied or provided, prices or performance and information relating to feedback from customers. Customers would potentially have a right to access their data, which might include information on the customer’s usage patterns and the price paid to aid personalised price comparisons. Similarly, businesses could potentially be required to publish, or otherwise make available, business data.
These provisions go much further than existing data portability provisions in the UK GDPR. The latter does not guarantee provision of data in “real time”, nor cover wider contextual data. Nor do they apply where the customer is not an individual.
Adequacy?
The Bill is currently making its way through Parliament. The impact assessment reiterates that “the government’s view is that reform of UK legislation on personal data is compatible with the EU maintaining free flow of personal data from Europe.” However, with the multiple amendments proposed in the Bill, the UK GDPR is starting to look quite different to the EU version. And the more the two regimes diverge, the more there is a risk that the EU might put a “spanner in the works” when the UK adequacy assessment is reviewed in 2024. Much depends on the balance struck in the final text of the Bill.
This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in September.
By popular demand Act Now Training has added an extra course in London for its GDPR Practitioner Certificate. This course is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.It will teach delegates essential GDPR skills and knowledge.
The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.
The new London course starts on 1st April 2019. Subsequent dates are 8th April, 15th April and 29th April.
This course has been super successful since launch. We ran it over 60 times in 2018 alone with over 900 delegates being trained. You can read some of the feedback here.
Make 2019 the year you achieve a GDPR qualification. Book early to avoid disappointment.
BREXIT UPDATE: If you want to know more about how a No Deal Scenario will impact on GDPR and the DPA 2018, Ibrahim Hasan is presenting a webinar on 18th March 2019. We also have a new webinar on international transfers pre and post Brexit.
Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps by enacting “derogations”; where Members states are allowed to make their own rules e.g. about exemptions and children’s consent. This part has to be read alongside the GDPR.
Much of the Act is the broadly the same as the Bill when it was introduced to Parliament e.g. children’s consent, automated decisions, Special Category Data etc. Read a summary of the Bill here.
Exemptions
Articles 6(3) and 23(1) of GDPR allow member states to introduce exemptions from various GDPR obligations e.g. transparency and individuals’ rights. All of the familiar exemptions from the old Data Protection Act 1998 (DPA 1998)(see S.29-35and Schedule 7) are set out in Schedules 2 – 4 of the new Act e.g.crime and taxation, legal proceedings, management forecasts, public functions, negotiations etc. There are some new exemptions and others have been changed.
Immigration: Paragraph 4 of Schedule 2 of the Act introduces a new exemption for personal data processed for the purposes of effective immigration control. This removes most of the Data Subjects’ rights (incl. subject access) where they would prejudice such matters. Campaigners have argued that this exemption means thatimmigrants, including the 3 million EU citizens in the EU, (and those affected by the Windrush scandal) will not have access to data and information regarding how the Government decides on their fate, including their potential deportation. This makes any defence and legal action against unlawful deportation by the Government extremely difficult. Open Rights Group and campaigners for EU citizens’ rights (the3million) are preparing to challenge this exemption in court. (More here.)
References: The DPA 1998 contained an exemption from the right of subject access for confidential references about a Data Subject given by, amongst others, an employer. However no such exemption applied to a request made for the same reference to a prospective employer. Thus employees could still see what their employer had written about them and challenge it.
Paragraph 24 of Schedule 2 of the new Act has undergone a fundamental change since the Bill stage. It now allows confidential references to be kept secret in all circumstances not just in the hands of the employer/giver of the reference. It also gives an exemption from the right to be informed under Article 13 and 14 of GDPR i.e. the need to mention it in a privacy notice.
This new blanket exemption (which now incudes volunteering) takes away important rights of employees and volunteers. It should concern everyone, not just the unions, especially as it was passed without any debate or discussion.
Legal Professional Privilege: Paragraph 19 of Schedule 2 of the Act contains an exemption for personal data that consists of legally privileged information (LPP). It is similar to the one contained in the DPA 1998 but slightly broader in that it also covers personal data which is subject to a duty of confidentially owed by a professional legal adviser not just that information covered by LPP. The latter will apply to a much narrower range of information than the former. This exemption allows lawyers to refuse subject access requests and disregard the duty to inform (Article 13 and 14 of GDPR).
Barristers have warned that the Act could hand ‘big brother powers’ to the Information Commissioner’s Office (ICO) by granting it access to privileged material without client consent and subsequently disclosing it. However Section 132 of the Act (Confidentiality of Information) seems to guard against this.
Freedom of Information
Part 1 of Schedule 19 of the Act amends the personal data exemption/exception under section 40 of the Freedom of Information Act 2000(FOI) and Regulation 13 of the Environmental Information Regulations 2004 (as well as the equivalent Scottish legislation). These are consequential amendments designed to ensure that the correct provisions of the GDPR and the new Act are referenced instead of the now repealed DPA 1998. They will not fundamentally impact when personal data can, and cannot, be disclosed in response to an FOI or EIR request.
Public Authorities
GDPR mentions public authorities in a number of places e.g. when stipulating who needs to appoint a Data Protection Officer in Article 37. Furthermore the ‘legitimate interests’ condition (Article 6(1)(f)) cannot be relied upon to justify data processing by public authorities in the performance of their public tasks. Section 7 of the Act defines ‘public authority’ as any organisation that is covered by FOI (or its equivalent in Scotland) as well as bodies specified by the Secretary of State. Certain bodies, pursuant to section 7(3), despite being subject to FOI, will not be deemed public authorities for GDPR purposes. Most notably this includes parish councils. Consequently parish councils do not need to appoint a DPO and can rely on the legitimate interests condition without restriction.
Criminal Offences
The Act creates two new criminal offences. Clause 171 makes it an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the Data Controller responsible for de-identifying the personal data. Offenders will be liable on summary conviction or on conviction on indictment, to a fine.
Clause 173 makes it an offence for the Data Controller or a person employed by it to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information that a Data Subject enforcing his/her rights would have been entitled to receive. Offenders will be liable on summary conviction to a fine. This is similar to the offence under S.77 of the Freedom of Information Act (FOI).
The offence under section 55 of the DPA 1998 is now to be found in Section 170 of the new Act; obtaining or disclosing personal data without the consent of the Data Controller and procuring a disclosure to another person. It is extended to include retaining personal data after obtaining data it, without the consent of the Data Controller.
Complaints
Section 165 sets out what individuals can expect if they submit a complaint to the ICO about the way their personal data has been procesed under GDPR. Clause 166 sets out a mechanism for a complaint to the Tribunal if the ICO fails to address it adequately.The ICO is currently consulting on its Draft Regulatory Action Policy.
Compensation
Article 82 of GDPR states that any person who has suffered material or non-material damage as a result of an infringement of GDPR shall have the right to receive compensation from the Data Controller or Data Processor for the damage suffered. Section 169 of the Act explains that damage includes financial loss and damage not involving financial loss, such as distress. This is in marked contrast to the DPA 1998 which only allowed compensation for distress where it was linked to damage; although the Court of Appeal decision in Vidal-Hall v Google [2015] EWCA Civ 311 allowed claims for distress alone.
Notification and Fees
Under the DPA 1998 most Data Controllers had an obligation to register with the ICO (known as Notification). There is no such requirement in GDPR. However, as predicted on this blog last year, the Government has introduced a new charging structure for Data Controllers to ensure the continued funding of the ICO. The Data Protection (Charges and Information) Regulations 2018 also came into force on 25thMay 2018 and imposes different levels of fees depending the size of the Data Controller. Data Processors do not have to pay any fee to the ICO but then many will be Data Controllers in their own right.
The new regulations are made under a power contained in the Digital Economy Act 2017 (which is itself a controversial piece of legislation due to the wide ranging provisions about data sharing.) The ICO website has more details to help Data Controllers work out what fee is payable (See also our blog post here.)
Section 137 of the new Act goes further in that it allows regulations to be made which require Data Controllers to pay further charges regardless of whether the Commissioner has provided, or proposes to provide, a service to Controllers.
It’s never too late to put steps in place to comply with the DPA 2018 and GDPR. The Information Commissioner writes in her recent blog:
“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.”
STOP PRESS – JAN 2019 – GDPR and the DPA 2018 will be amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Read more here.
We are running DPA 2018 workshopsthroughout the UK. If you want a brief summary, Ibrahim is doing a webinarnext week.
Our ever popular GDPR Practitioner Certificate has availability in Leeds starting on 9th July. Book now.
On Monday, the Government published a Statement of Intent about the forthcoming Data Protection Bill. The idea behind the Bill is to fill in some of the gaps in the General Data Protection Regulation (GDPR), which will come into force on 25th May 2018. The full text of the Bill is likely to be published in September.
The Bill follows a consultation exercise run by the DCMS earlier this year calling for views on implementation of the “derogations” under GDPR. These are areas where EU member states are left to produce their own laws to fit their circumstances while keeping within the GDPR framework. Notable derogations, amongst others, include the minimum age at which a child can consent to data processing, when data about criminal convictions and offences can be processed and exemptions (including for freedom of expression in the media.)
That’s the real background to Monday’s statement. But this did not stop the media from peddling myths and misunderstandings. Upon reading the headlines, a layman or woman would get the impression that:
(GDPR is a Regulation and so directly applicable. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit it will still be applicable because of the provisions of the Great Repeal Bill (More here.))
The BBC even reported that “the new law was drafted by Digital Minister, Matt Hancock.” Yesterday the story was changed to state that it was “drafted under Digital Minister, Matt Hancock.” (I have asked them about this.)
Then again the media is not entirely at fault. The Government’s statement is drafted (or spun) in such a way as to give the impression that GDPR is all their idea rather than the EU’s. Mr. Hancock, in his foreword, even suggests that the Bill is part of the Government’s grand Brexit plan (if there is a plan!):
“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU.”
So what have we actually learnt about the Government’s GDPR intentions? Much of the statement explains the provisions of the GDPR or states the obvious. For example that the Data Protection Act 1998 (DPA) will be repealed. As if there was any choice!
The DCMS has today published (HT Bainsey1969 and the Open Rights Group) a list of derogation in the Bill and there proposed stance (Read here). The following stand out:
Children and Consent – The UK will legislate to allow a child aged 13 years or older to consent to their personal data being processed (rather than 16 which is GDPR’s default position).
Exemptions – The GDPR allows the UK to introduce exemptions from the transparency obligations and individuals’ rights. The Government will make the same exemptions available under GDPR as currently under the Data Protection Act (see S.29-35 and schedule 7 of the DPA).
New Offences – The Bill will create a number of new criminal offences:
Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and knowingly handling or processing such data
Altering records with intent to prevent disclosure following a Subject Access Request (just like under S.77 of FOI)
Retaining data against the wishes of the Data Controller, even where the data was originally obtained lawfully (this would constitute a widening of the current offences provided for in s. 55 DPA)
Journalism – There will be a journalistic exemption in GDPR similar to S.32 of the DPA (balancing data protection rights with journalistic freedoms). The Information Commissioner’s Office (ICO) will have wider powers to take enforcement action in media cases.
Automated Decisions – There will be an exemption from the general rules in GDPR about automated decision making and profiling where such processing is in the legitimate interests of the Data Controller.
Research – There will be exemptions to the general rules in GDPR about Data Subjects’ rights. Research organisations and archiving services will not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Research organisations will not have to comply with Data Subjects’ rights to rectify, restrict further processing and, object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure.
Data Controllers should not wait for the Data Protection Bill to be published before starting their GDPR preparations. There is so much to do now:
Revise your privacy polices in the light of the GDPR’s more prescriptive transparency requirements.
Review your information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
