As final ICO guidance on consent gets pushed back to the end of the year and we still await the final text of the proposed ePrivacy Regulation, we can bring news about steps towards the UK’s new Data Protection Act.
A data protection Bill is expected to be introduced in Parliament next month. The Department for Digital, Culture, Media and Sport (DCMS) has said “we’re aiming to introduce the Bill as soon as we can once the houses are back from summer recess” (as reported on the Hawktalk blog).
The Bill will in effect incorporate the EU General Data Protection Regulation (which comes into force in May 2018) into UK law. It was announced in the Queen’s Speech last month that it will reiterate the UK’s commitment to the privacy principles enshrined in the EU Regulation. A complex piece of legislation, it is unlikely to be enacted until Spring 2018.
When the UK leaves the EU, the new Data Protection Act would replace the GDPR. The Act is therefore crucial in ensuring the UK retains adequate data protection laws to allow for the free flow of personal data between the UK and the EU post-Brexit. If UK laws were deemed inadequate, cross-border transfers of personal data would be more difficult, thereby impacting on commerce and trade. Director of Opt-4 Rosemary Smith commented, “It would be a significant burden on UK businesses if our data protection regime was not up to European standards and this is not something the Government or the ICO would want to see.”
It’s anticipated the new Bill will cover how the UK will apply statutory controls to areas of the GDPR where Member States have been given some flexibility. Chris Pounder, Director of Amberhawk says, “The Bill is very welcome for both data controller and data subject groups to assess what flexibility the UK should adopt.” For example, the Bill could include specific UK data protection rules in relation to:
• the individual rights of objection and access where data is being processed for scientific, historical or statistical purposes
• the transfer of “special categories” of personal data to ‘third’ countries for important public interest reasons
• which organisations would be expected to appoint a dedicated Data Protection Officer
• the age of a child – the GDPR states that if consent is the basis for processing a child’s personal data, a child under the age of 16 can’t give that consent themselves. However, it does allow for Member States to provide for a lower age in law, as long as it is not below 13
The powers of the Information Commissioner’s Office (the UK’s data protection regulatory body), and the sanctions available to it, are also set to be updated in line with the GDPR.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.