Anyone who has anything to do with data protection will know that the UK’s Data Protection Bill was published and put before Parliament on Thursday 14 September. But to digest it in full, one needs time, commitment, and coffee. It is not a straightforward read. It seeks to implement the GDPR in full and in Brexit-proof fashion, to plug the gaps that the GDPR requires member states to fill, and also to apply a GDPR-like regime to areas of data processing that are not covered by the GDPR itself. The Bill is of course liable to change in the coming months, but here are some observations and highlights in the meantime.
The structure is roughly this:
- The aim is of course to implement the GDPR in full. So if you are familiar with the rights and duties laid down by the GDPR, the substance of the Bill will not surprise you.
- The Bill has 7 parts. Parts 1 and 2 deal with definitions and general processing – the bulk of the GDPR. Parts 3 and 4 deal with data processing in the context of law enforcement and the intelligence services: the Bill offers a GDPR-like regime for these important areas that are not themselves covered by the GDPR. Part 5 is about the ICO (including fees payable to the ICO). Part 6 is about enforcement, and Part 7 is a miscellany of offences, additional data subject rights, territorial application and the like.
- There are 18 Schedules. A few will be of widest and most immediate interest. Schedule 1 sets out the conditions for processing ‘special category’ personal data (formerly known as ‘sensitive personal data’ under the DPA 1998) and criminal conviction information (which has historically been treated as ‘sensitive’ under UK law, but not under Directive 95/46/EC). Schedules 2-4 set out exemptions from the GDPR rights and duties.
- Schedule 6 seeks to Brexit-proof the legislation, i.e. by tinkering with the terms so that once the UK leaves the EU and is thus no longer directly bound by the GDPR, this domestic legislation that replicates the GDPR will stand on its own feet.
Here are some nuggets of observation (this post is not a comprehensive walk-through of the 218-page document):
- The Bill defines a ‘public authority’. Bearing in mind the limitations on public authorities’ abilities to rely on their own legitimate interests to justify their processing of personal data (Article 6(1)(f) GDPR), this is important. Clause 6 confirms that you will be a ‘public authority’ or ‘public body’ for GDPR purposes if you are (a) a public authority for FOIA/FOISA purposes, or (b) you are designated as one in regulations made by the Secretary of State. Remember that FOIA treats publicly-owned companies as public authorities, and this will carry through to data protection law.
- When it comes to conditions for the lawful processing of special category data and data about criminal convictions, Schedule 1 is the place to look. Much will be familiar, with this important innovation: in many cases, you will need to have an ‘appropriate policy document’ in place (see Part 4 of Schedule 1) that explains how you comply with the principles in Article 5 GDPR and how your retention and erasure policies work.
- The exemptions (Schedules 2-4) will also be largely familiar from the DPA 1998, from crime and taxation purposes (and also a specific exemption for immigration purposes) through to management forecasts and negotiations. The provisions for health and social work are consolidated and tidied up.
- There are, however, important tweaks to some of the familiar exemptions. For example, the exemption for legal proceedings includes an additional test that goes beyond our current section 35 of the DPA 1998: you will now need to consider the extent to which the application of the relevant GDPR principle ‘would prevent the data controller from making the disclosure that they need to make for the purposes of legal proceedings or protecting their legal position’. In other words, there is something like a prejudice test when it comes to the legal purposes exemption.
- Journalism: the regime here is basically the same as under the DPA 1998, both in substance and in procedure (preserving the mechanism for staying court proceedings pending an ICO determination when the journalism exemption is invoked).
- Subject access requests and ‘mixed personal data’: the Bill basically preserves the section 7(4) provision under the DPA 1998 for balancing the requester’s rights with those of other data subjects. Note, however, that there are specific circumstances in which there is a statutory presumption that the disclosure of a third party’s personal data will be reasonable: see Schedule 2, Part 3. These are largely related to health, education and social work contexts.
- Children’s age of consent for ‘information society’ services (broadly speaking, social networks and other online services): the GDPR allows member states to set an age between 13 and 16. The UK is going for 13.
- Profiling and automated decision-making: this will be a difficult and important issue from 2018 onwards. Clause 13 of the Bill merits close attention. It implements Article 22 GDPR, but there are some minor – though potentially significant – changes in wording, for example about significant effects on data subjects.
- The ICO’s powers: powers to issue enforcement notices, information notices and monetary penalties remain in place. The DPA 1998 has a ‘soft enforcement’ provision under section 42 that allows the ICO to make an ‘assessment’, i.e. to express an opinion on a complaint. The DP Bill contains a new type of ‘assessment notice’ – it is effectively a notice requiring the data controller to facilitate the ICO’s investigation.
- Monetary penalties: again, the GDPR scales are domesticated here, with penalties of up to £18 million. There is an express power for the ICO to vary its monetary penalties, and the current bright-line statutory test for issuing a penalty (section 55A of the DPA 1998) gives way to a more open-textured test, with lists of relevant considerations rather than strict yes/no conditions.
There is lots more to ponder in the Bill. Panopticon will bring you more comment as we make our way towards the Data Protection Act 2018.
Robin Hopkins @hopkinsrobin