Government outlines intentions for Data Protection Bill
Last week, Digital Minister Matt Hancock announced the Government’s statement of intent on the contents of its new Data Protection Bill, which is expected to be published next month.
What is the Bill about?
Most of the changes proposed to the existing law were not a surprise, as the General Data Protection Regulation (GDPR) will have direct effect throughout the EU, including the UK before it leaves the EU, on 25 May 2018.
As the GDPR is a Regulation and not a Directive, the UK does not, technically speaking, have to pass any law in order for the GDPR to have effect from 25 May 2018. However, the statement confirms that the Data Protection Act 1998 will be repealed and that the GDPR will apply before and after Brexit, subject to any changes the Government may make after Brexit.
What will the Bill contain?
Although the Government’s statement suggests that the Bill reflects its own agenda, it will, for the most part, copy and paste the GDPR into UK law. However, the GDPR allows Member States to implement certain aspects of the GDPR in their own way, under what are known as ‘derogations’. The most notable derogations addressed in the statement include:
- Requiring parental consent for the processing of personal data relating to children under the age of 13, in the context of online services. This is lower than the GDPR’s default age of 16, though consistent with online privacy rules relating to children in the USA. Ireland has taken the same approach and it is likely that other Member States will follow suit as well;
- Introducing an obligation on social media platforms to delete information held about an individual at the age of 18 at their request. This is an extension of the so-called “right to be forgotten” and reflects growing concerns from some parties that things shared by social media users in their youth could continue to haunt them in their adulthood;
- Introducing an exemption to individuals’ rights of access, rectification, restriction and objection where those rights would seriously impede research, for example, where deleting an individual’s personal data from a statistical “pool” would lead to an inaccurate conclusion or diminish the positive impact of a particular piece of research;
- Introducing exemptions to the right not to be subjected to automated decision making, “where suitable measures are put in place to safeguard the individual’s rights, freedoms and legitimate interests”. There is not much detail on these exemptions, though they are likely to be narrow in scope, for example, permitting automated credit checks by lenders. Individuals may be given the right to request human review where they object to an automated outcome;
- Extending the right to process personal data relating to criminal convictions and offences beyond public bodies and official authorities (though this exemption will be consistent with the current law).
What penalties are being proposed?
The statement suggests that the Bill will increase the risks of intentional or reckless behaviour by:
- Extending the existing offence of “blagging”, whereby an individual unlawfully obtains personal data relating to someone else by pretending to be them or someone authorised by them, to retaining such data against the wishes of the organisation they obtained it from;
- Introducing a new offence for intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data (though there are concerns that this may inhibit research into re-identification techniques and that it may be impossible to enforce the offence against organisations that do not have a UK presence); and
- Introducing a new offence for altering records with intent to prevent disclosure following a request by an individual for access to their personal data.
The maximum penalty for committing these offences would be an unlimited fine.
What do we think?
“While it will be interesting to see how some of the proposed derogations are reflected in the draft Bill when it is published, for most businesses the Government’s statement does not really change anything. The GDPR will take effect on 25 May 2018, by which time businesses will be expected to comply with its requirements (given that there has been a two year ‘run-in’ period, businesses should not expect much leniency from the ICO after that date). A number of specific derogations and exemptions mirror those that exist under the Data Protection Act 1998.
Given the volume of the responses to the Government’s consultation which preceded the statement, we can expect to see some lobbying around the derogations and exemptions which many will feel do not go far enough.”
How can we help?
If you need advice on the implications of the GDPR for your organisation, our Data Protection experts are on hand to help. From conducting audits and privacy impact assessments to preparing response plans in the event of a data security breach and providing on-site training, we are able to provide clear and pragmatic advice on this complex area of law.