
Thursday, 14 September 2017

UK government publishes draft Data Protection Bill

In what has been a frantic week of activity at Parliament, the government has today published the details of its proposed new Data Protection Bill (“the Bill”).

The Bill is a huge document amounting to some 218 pages and contains 194 clauses and 18 schedules (many containing cross-references to other applicable parts of the Bill, the General Data Protection Regulation (“GDPR”) and other legislation). It is complemented by 112 pages of explanatory notes. To read and understand it properly will take some time, strong coffee and much patience.

Background to the Bill

The main purpose of the Bill is to:
  • Implement and apply the EU’s GDPR in a manner that is intended to function in the UK post-Brexit (see Part 2, Chapter 3 of the Bill). Only time will tell whether this is likely to be the case in practice. We will carry out more detailed analysis on this in due course and following the strong coffee noted above. Meanwhile, we note that the current text appears to reserve a certain amount of discretion for the UK. So, for example, where the GDPR lays out points for consideration when determining the adequacy of a country’s data protection regime (for the purposes of international data transfers), those considerations appear to be simply omitted in the Bill. We would have expected similar considerations to be applied, but it is perhaps an interesting sign of how the UK government wishes to approach EU-derived legislation post-Brexit. We will have to await the EU’s view on whether this approach may cause adequacy issues for the UK in due course.

  • State the UK position as regards the various derogations and exemptions permitted under the GDPR. See below for examples of some of the particularly significant derogations and exemptions that we have identified through our initial analysis of the Bill.

Parts 3 and 4 of the Bill incorporate the EU’s Data Protection Law Enforcement Directive, and create a GDPR-style regime. This Directive protects individuals when their personal data is processed by law enforcement agencies and intelligence services for the purposes of crime prevention. The Bill covers the free movement of such data, too.

Part 5 of the Bill delineates the role of the Information Commissioner. In it, the Information Commissioner's Office (ICO) is given the investigatory, authorisation and advisory powers that the GDPR sets out.

Part 6 of the Bill relates to enforcement actions that the ICO can take, such as giving notices, using its powers of entry and inspection and issuing monetary penalties. As expected under the GDPR, the maximum amounts now set for the higher tier of monetary penalties are up to the greater of €20 million or 4% of annual worldwide turnover. For the lower tier, monetary penalties are up to the greater of 10 million or 2% of annual worldwide turnover. These fines will be subject to the Bank of England spot conversion rate on the day on which the monetary penalty notice is issued. To avoid some of the GDPR scaremongering that has arisen, the ICO has, however, already blogged here in relation to the sensible approach that it plans to take to the application of such fines.

Regarding the role of the Information Commissioner and its wider enforcement powers under the Bill, there are a few other aspects of particular note at this stage of our analysis:
  • Statutory codes of practice.
    The ICO is required (under section 120 of the Bill) to prepare a statutory direct marketing code, in addition to the statutory data-sharing code (required under section 119 of the Bill) that it has already prepared under the current regime (see here). It is made clear that further codes of practice may also be required, at the Secretary of State's discretion. These statutory codes of practice can be taken account of by the ICO, the courts and tribunals when making an assessment of compliance with the Bill. The ICO has, of course, already produced guidance around direct marketing issues (see here), but many of our clients are looking forward to a revised, updated and hopefully more detailed code. In particular, and further to the ICO's recent consultation on these issues, we look forward to more detailed views from the ICO on the use of the consent and legitimate interests fair-processing conditions under the GDPR/Bill and in light of the proposed new e-privacy regulations. Further ICO views in relation to the use of profiling would also be very welcome.
  • ICO audits.
    Under the Data Protection Act 1998 (“DPA”), the ICO can currently only carry out mandatory “dawn raid”-style audits/investigations against central government departments (since April 2010) and against NHS organisations (since February 2015). However, the Bill appears to extend the ICO's powers so that it can issue assessment notices against any controller or processor organisation. By doing so, the ICO would have a general “dawn raid” audit power for the first time. Although this is not really a great surprise, given the ICO's consistent lobbying and campaigning for these powers over recent years, the ICO's powers will undoubtedly be enhanced considerably by this change. The Bill sets out certain controls on the ICO using these powers and we fully expect that the ICO will update its current audit guidance to clarify situations where the ICO is likely to use these powers in a measured way in practice. Organisations should, however, update their internal risk registers to take account of these more likely proactive “dawn raid” investigations.
  • New criminal offences.
    A number of criminal offences have been reintroduced or created under the Bill. These include (among others) the following key offences that will be subject to a fine only (whether or not a person is convicted of a summary or indictable offence). The exact levels of the fines will need to be provided for in separate sentencing guidelines in due course:
    • Intentionally obstructing or failing to assist (without reasonable excuse) a person exercising the ICO's powers under section 117 and Schedule 15 of the Bill to inspect personal data.
    • Under section 139 of the Bill, failing to comply with an ICO information notice or knowingly/recklessly making false statements in response to such a notice (unless the person can prove that he/she exercised all due diligence to comply with the notice).
    • Under section 161 of the Bill, unless a listed defence can be shown, knowingly or recklessly obtaining or disclosing personal data without the consent of the controller or after obtaining personal data, retaining it without the consent of the person who was the controller in relation to the personal data when it was obtained. It is also an offence to sell or to advertise/offer to sell any such personal data obtained in circumstances in which such an offence was committed.
    • Under section 162 of the Bill, unless a listed defence can be shown, knowingly or recklessly re-identifying personal information that had been anonymised without the consent of the controller responsible for de-identifying the personal data.
    • Under section 163 of the Bill, unless a listed defence can be shown, altering, defacing, blocking, erasing, destroying or concealing information with the intention of preventing disclosure of all or part of the information that a person making a:

      • Data subject access request; or
      • Request in relation to law enforcement or intelligence services processing; or
      • Request in relation to their rights to portability

      would have been entitled to receive in relation to those rights.
    • Under section 171 and Schedule 17 of the Bill, unless a listed defence can be shown, there are also offences in relation to requiring individuals to provide certain records to you relating to health, convictions or cautions or certain statutory functions in connection with the recruitment of an employee, the continued employment of a person or a contract for the provision of services to you.

Key derogations and exemptions from the GDPR

As well as a number of set restrictions being stated under Article 23 of the GDPR, the GDPR anticipates and permits a number of exemptions and additions to be made under member state law. These derogations and exemptions are to be set out under the Bill. More detailed analysis of the proposed Bill and its explanatory guidance is required in time. Following our initial review, the following key derogations and exemptions are worthy of note:
  • Personal data breaches.
    Following the requirements of the GDPR, it will be mandatory for personal data breaches to be reported to the ICO within 72 hours (unless there is reasonable justification), where there has been a breach that is likely to result in a risk to the rights and freedoms of individuals. The GDPR had created a potential derogation for member states to decide whether their public authorities should have to report to the regulator in the same way. This derogation has not been applied in the UK, with the result that UK public authorities, like any other organisation, will face the potential fines referred to above. The ICO has recently written an article, in its myth-busting blog series, in relation to breach reporting under the GDPR here.
  • Age of consent to data processing.
    The GDPR states that, if consent is your basis for processing a child’s personal data, children under the age of 16 must obtain consent from their parent or guardian before their personal data is processed for “information society services” (as the same term is defined in the E-Commerce Directive). The GDPR does, however, permit member states to provide for a lower age in law, as long as it is not below the age of 13. The Bill therefore clarifies the UK position as allowing children from the age of 13 to consent to the processing of their own personal data (see Part 2, Chapters 1 and 2 of the Bill). It is important to note that this age limit for consent only applies in the context of information society services. Children will continue to be able to make their own decisions without consent and without an age limit in relation to other data protection issues, if they are believed to have capacity or Gillick competency in medical law. Those handling data protection matters in Scotland will also need to consider clause 187 of the Bill, which replicates existing Age of Legal Capacity (Scotland) Act 1991 provisions setting out that children aged 12 or over are presumed to be of sufficient age and maturity, unless the contrary is shown.
  • Processing of sensitive personal data.
    Following our initial analysis, the fair-processing conditions set out in the Bill to justify the processing of sensitive personal data mainly reproduce the existing conditions that are set out in the DPA and that are permitted under the GDPR in Articles 9 and 10.

    One of those conditions applies where the “processing is necessary [to carry out] the obligations and [exercise] specific rights of the controller or of the data subject in the field of employment and social security and social protection law.” To permit this condition to be used, the Bill further requires that “when the processing is carried out, the controller has an appropriate policy document in place.” This document should explain “the controller’s procedures for securing compliance with the principles in … the GDPR … relating to processing of personal data” in relation to the personal data in question. It should also detail its policies regarding the retention and erasure of such personal data and indicate how long such personal data is likely to be retained.

    Article 9 of the GDPR also allows processing of sensitive personal data where the “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.” Paragraph 4 of Part 1 of Schedule 1 of the Bill expands the public interest requirement to apply to processing for scientific or historical research purposes or statistical purposes, too. We await the ICO’s opinion in due course to see what they believe would justify such processing in the public interest.
  • Replication of DPA exemptions and new exemptions.
    As was expected, the current exemptions set out in the DPA seem to be replicated in Schedules 2–4 of the Bill. This includes those more well-used exemptions for use in relation to national security; prevention and detection of crime and taxation; journalistic, artistic and literary purposes; confidential references; examination marks; parliamentary privilege; management forecasting and planning; legal professional privilege; negotiations; the fields of health and social care, education, child abuse and adoption cases, etc. There is a new exemption added for where data is used for immigration purposes and a revised exemption clarifying how data can be used for archiving and research purposes. The previous DPA s35 exemption for use when disclosing data where required by law or in connection with legal proceedings has been retained under the Bill, but has been amended to clarify the new exemptions from the rights to deletion and to data portability if applying those provisions would prevent the controller from disclosing the data. Use of this revised exemption requires careful review.

Other key points of note

  • Compensation.
    The Bill sets out, under clause 159, that compensation claims can be brought by those damaged by data protection breaches where that causes financial loss, distress and other adverse effects. The GDPR permitted member states to consider a derogation to allow consumer support groups to take class actions and to seek redress without a data subject’s consent, but the UK government has decided not to introduce that derogation in the Bill.
  • Public authorities.
    The Bill sets out that where public authorities or bodies are referred to in the Bill or under the GDPR, in the UK this means the organisations that are already, or in the future become, subject to the UK Freedom of Information Act (“FOIA”). There is currently a push to extend the remit of the FOIA, for example, to organisations delivering public contracts. Any organisation ultimately brought within the remit of the FOIA will also need to consider carefully its additional responsibilities as a designated public authority under the Bill.
  • ICO notification regime.
    Existing requirements under the DPA obligate organisations (unless they are exempted) to notify the ICO about their data-processing activities and to pay a tiered fee of either £35 p.a. or £500 p.a. for this notification process (see here for more detail). The ICO carried out some analysis some time ago into its likely shortfall in funding following introduction of the GDPR, which included removal of the regulatory notification and fee requirements. The ICO has, for some time, lobbied for a continuation under UK law of similar requirements in order to assist with this funding deficit. Unsurprisingly then, the Bill provides, under Clause 129, for the ICO to continue charging notification fees and other fees, as agreed by the Secretary of State. It is understood that the Department for Digital, Culture, Media & Sport is currently consulting on such new fees, with a proposal for larger organisations with over 250 employees paying a doubled fee of £1,000 p.a. plus further charges for those carrying out direct marketing.

This much-anticipated draft Bill is now awaiting debate in the House of Lords on 10 October 2017. You can follow the progress of the Bill through Parliament here and should watch out for any potential amendments to it as it does so. Should the Bill eventually be enacted, which is intended to take place before the GDPR comes into effect on 25 May 2018, the DPA will be repealed.

If you have any questions about the implications of the GDPR or the new Data Protection Bill for your organisation, please don’t hesitate to contact Pritchetts for advice and support.
