The Data Protection Bill (the Bill) had its first reading in the House of Lords on 13 September 2017.
The Department for Digital, Culture, Media & Sport has produced a set of factsheets, including an Overview of the Bill. This factsheet explains that, once enacted, the new Bill will:
The Bill, which runs to just over 200 pages, comprises five main parts:
Clauses 3-26 of the Bill implement the GDPR standards across all general data processing and provide clarity on the definitions used in the GDPR in the UK context. Until the UK leaves the EU, the GDPR will operate in tandem with the Bill. Once the UK has left, the Bill will allow for the continued application of GDPR standards.
Although the Bill builds on the provisions in the GDPR, it includes special rules (enabling the enactment of derogations by Member States from rights and duties enshrined in the GDPR in certain circumstances) for the processing of personal data. Some of these rules have been carried forward from the DPA and aim to ensure a measure of continuity for those who operate in accordance with existing exemptions. The Bill recognises, for example, that it is sometimes appropriate to disclose personal data for purposes to do with criminal justice or the taxation system, such as the prevention or detection of crime.
Some of the key GDPR derogations in the Bill are as follows:
Clauses 27-79 of the Bill create a bespoke framework for the processing of personal data by the police, prosecutors and other criminal justice agencies. The Bill strengthens the rights of data subjects, while providing exemptions for law enforcement agencies to prevent investigations from being undermined. The EU Law Enforcement Directive (LED) covers cross-border processing for law enforcement purposes. To ensure a coherent regime, the Bill creates a single domestic and trans-national regime.
National security is outside of the scope of EU law, and the GDPR was therefore not designed to apply to processing by the intelligence services. Clauses 80-111 of the Bill provide a specific data protection regime for the intelligence services, which will ensure that the processing of personal data is subject to proportionate controls.
The final parts of the Bill (clauses 112-168) set out the role, powers and duties of the UK Information Commissioner. Consistent with the GDPR, the Bill provides for maximum fines of up to £18 million or 4% of global turnover. Two new offences are also created by the Bill, namely, the 're-identification of de-identified personal data' and the 'alteration etc. of personal data to prevent disclosure'.
Organisations will be pleased to learn that the Bill does not contain any surprises and also that a number of exemptions under the DPA will be carried over into the new Bill. The key exemptions and derogations from the GDPR will be of particular interest, and we will write further articles about their impact in our next bulletin.
The Bill is scheduled for a second reading before the House of Lords on 10 October 2017.
Contributor: Jenai Nissim
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2017. Specific advice should be sought for specific cases.