Government publishes data protection bill proposals

For those of you champing at the bit to learn of the Government’s plans for domesticating the GDPR, I have some good news. The Government has today, in the personage of Matt Hancock MP, Digital Minister, published its ‘statement of intent’ in respect of the new data protection bill – see here. Some key highlights of the proposals include the following:

  • fines – in line with the GDPR, the ICO is to be given the power to fine organizations who break the law up to a maximum of £17m or 4% of global turnover, whichever is the higher;
  • data breaches – again consistent with the GDPR, data breaches are to be notified to the ICO within 72 hours ‘where this is feasible, unless the breach is unlikely to result in a risk to the rights and freedoms of an individual’;
  • new criminal sanctions – a range of new offences are to be introduced including:
    • new offences of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and knowingly handling or processing such data
    • a new offence of altering records with intent to prevent disclosure following a subject access request (it has always been a curiosity that the DPA did not provide for such an offence, in contrast with s. 77 of FOIA – the new offence will use s. 77 as a template)
    • a new offence of retaining data against the wishes of the data controller, even where the data was originally obtained lawfully (this would constitute a widening of the current offences provided for in s. 55 DPA)
  • subject access – the Government has confirmed that it intends to legislate so that SARs can be made free of charge ‘subject to the understanding that they are not “manifestly unfounded or excessive”’
  • data protection and the media – the Government has perhaps somewhat unsurprisingly decided that the existing protections embodied in s. 32 DPA are largely fit for purpose in terms of balancing data protection rights with journalistic freedoms. Accordingly, it is seeking to replicate s. 32 in the new legislation, subject to giving the ICO wider powers to take enforcement action in media cases. This will doubtless come as a disappointment both to individuals looking to strengthen their hand against media organizations and to media organizations which had been hoping for a re-entrenchment of their freedoms in the new data protection age
  • right to be forgotten – consistent with its manifesto promise, the Government intends to rely on a derogation in the GDPR so as to enable individuals to request that social media platforms delete information held about them at the age of 18
  • direct marketing – the use of default opt-out boxes or pre-selected tick boxes is to be outlawed
  • criminal justice – the Government intends to enact provisions amounting to a ‘bespoke framework for our criminal justice systems’, governing data processing for law enforcement agencies

The proposals will no doubt be pored over at length by all data protection practitioners. However, as with all such proposals, the devil is truly in the detail and there continues to be enormous pressure on the Government to publish the draft bill itself so that we can all properly understand the precise contours of the new proposed law.