A new Data Protection Bill is due to be published either in September, after the UK Parliament’s Summer recess, or in October, after the political party conference season.
The Bill will pave the way for a new Data Protection Act which will replace the existing DPA 1998. The UK requires a new Data Protection Act in order to enact into UK Law the EU General Data Protection Regulation (GDPR) which comes into force on 25 May 2018.
On 7 August 2017, Digital Minister Matt Hancock issued a Statement of Intent which outlines how the Government’s new Data Protection Bill aims to update and strengthen data protection laws. This statement indicates how the Government will exercise available derogations in the GDPR which give member states some flexibility.
Data Protection and Brexit
The Government has confirmed that the new Bill will implement the GDPR in full. This is aimed at ensuring a smooth transition process when the UK leaves the European Union, by aligning UK data protection law with that of the EU.
The UK needs to retain adequate data protection laws to allow for the free flow of personal data between the UK and the EU post-Brexit. If UK laws were deemed to be inadequate, cross border data transfers would be more difficult and could have a negative impact on commerce and trade.
The Statement says, “The ability to transfer data across international borders is crucial to a well functioning economy. We are committed to ensuring that uninterrupted data flows continue between the UK, the EU and other countries around the world. The Data Protection Bill will place us on the front foot in allowing the UK to maximise future data relationships with the EU and elsewhere.”
The new Bill, in line with the GDPR, aims to enhance the privacy rights of individuals and the Government has said it will:
• Make it simpler to withdraw consent for the use of personal data
• Give people the right to ask companies to erase the personal data held about them
• Expand the definition of personal data to include: IP addresses, internet cookies and DNA
• Make it easier and free for individuals to request an organisation discloses personal data it holds on them (Subject Access Requests)
There is a clear message in the statement, “We will ensure default reliance on opt-out or pre-selected tick boxes will be a thing of the past.”
Age of a child
Under Article 8 of the GDPR children are able to give their lawful consent to the processing of their personal data, in connection with the provision of information services, when they are at least 16 years old. However, the GDPR allows for Member States to lower the age, but no younger than 13.
The UK Government proposes to allow children from the age of 13 to give consent to the processing of their personal data. Those under the age of 13 will require the consent of a parent/guardian.
Right to Erasure (right to be forgotten)
Under the GDPR individuals have the right for their personal data to be erased. The UK plans to extend this to give people the right to require social media platforms to delete information they posted before the age of 18.
Profiling & Automated Decision Making
The Government plans to implement the derogation under Article 22(2)(b) of the GDPR to allow for individuals to request that when a decision has been made about them, based solely on automated processing, that the processing is reviewed by a person rather than a machine. The Statement says, “We will legislate to implement this exemption with a view to ensuring legitimate grounds for processing personal data by automated means. Individuals will have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to them which is based solely on automated processing and which produces legal effects or similarly significantly affects them, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.”
What is not yet clear is what will be considered “legal or similarly significant effects”. The UK’s Information Commissioner’s Office published a discussion paper for feedback on profiling earlier this year. The ICO says the responses it received to this paper will inform their input into drafting EU guidance on profiling and automated decision making.
The DPN’s GDPR Compliance Ladder takes a look at what constitutes profiling and what organisations need to tell their customers.
As expected, the Bill will enhance the powers of the ICO. The Statement confirms, “The data protection regulator, the Information Commissioner, will retain existing powers and gain additional authority to impose greater sanctions in the event of data breach.”
The Bill also plans to introduce several new offences:
- Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data (the maximum penalty would be an unlimited fine)
- Altering records with the intent to prevent disclosure following a subject access request (the maximum penalty would be an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland)
There are also plans to widen the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully).
The Statement says, “The government intends broadly to replicate section 32 of the Data Protection Act 1998. The main difference will be to amend provisions relating to the ICO’s enforcement powers to strengthen the ICO’s ability to enforce the re-enacted section 32 exemptions effectively.”
The Government plans to ensure research organisations will be exempt from complying with specific individual rights under the GDPR. The Statement says, “The government will legislate to exercise this exemption in order to ensure that the UK continues to be a centre for groundbreaking research. We will ensure that research organisations and archiving services do not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Research organisations will not have to comply with an individual’s rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure.”
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.