The Department for Digital, Culture, Media and Sport has just published a ‘Statement of Intent’ on the Data Protection Bill. For those hoping to see the draft bill itself, sadly we will have to wait. It is not the draft bill, but simply a statement of what it plans to do to keep in line with EU laws. So we are still left waiting to see the detailed wording of implementation. Once you read through the document you quickly realise that it is largely restating provisions that are already known to be found within the General Data Protection Regulation, which will come into force on 25 May 2018, and the Data Protection Law Enforcement Directive.
There are nonetheless a few interesting points to note about the approach which the government is proposing to take:
- There is a general theme of adopting the current Data Protection Act (DPA) 1998 approach where the drafting of the GDPR permits derogations and/or clarification is required, to smooth the transition. Some examples are in relation to the lawful processing of sensitive or ‘special’ category data, where the intent is to implement derogations to enable processing of that data in line with the current schedule 3 permissions, and likewise to carry across the exemptions to notice and exercise of rights contained within the DPA. It is hoped, for example, this might apply in the context of subject access requests. Similarly clarification of what is public interest may be taken from paragraph 5 of schedule 2 DPA (which includes, for example, where required to perform a duty conferred by law).
- Age of consent – as expected, the UK government will place the age at which parent or guardian approval is required for consent at 13.
- Right of erasure – the statements on the so called ‘right to be forgotten’ largely mirror the right of erasure in the GDPR, including references to some limitations in its application, but there continues to be commentary about giving people a right to require social media platforms to delete information they posted during their childhood at age 18. It remains to be seen whether this is simply an example of the right of erasure in action or a more categorical application in that context with more limited exemptions.
- Criminal background checks – the public interest in the private sector and others being able to access criminal records in some circumstances is still recognised and so the derogation in the GDPR to enable this will be relied upon to sustain the current system and approaches under the DPA, for example for insurance and so that background checks can be conducted by employers where there is access to vulnerable persons. More broadly, the lawful basis for use of criminal records will mirror that of sensitive personal data under article 9(2).
- There will be some recognition that automated decision-making or profiling is permissible as legitimate processing in some contexts. This ties in with the limitation on the right to object to automated decision-making in some contexts.
- Again, rather than reinvent the wheel, and for consistency with the transparency laws, in response to the consultation ‘public authority’ will be defined by reference to the Freedom of Information Act 2000.
- On transfers the government will empower the secretary of state with order-making power to specify circumstances where a transfer is permitted to a third country in the absence of an adequacy decision for reasons of substantial public interest.
Perhaps the most eye-catching statements however, are in respect of new criminal sanctions. Hitherto the UK data protection law has had some, albeit limited, criminal sanctions. Under the new proposals there will be some more added:
- Widening the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained with consent). This is potentially very significant for data-sharing arrangements – particularly for the data processors who are already struggling to come to terms with the new direct impacts of the GDPR. There have been recent data security breaches which have revealed retention far longer than customers had expected from their service providers. Specific drafting and controls should be considered to address this.
- Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data – with an unlimited fine.
- Altering records with intent to prevent disclosure following a subject access request – with an unlimited fine (level 5 fine in Scotland).
Overall – the message is that GDPR is coming. There is no appetite to weaken the protection particularly – or significantly tamper in the way that some other countries appear inclined to do. The need to continue to offer equivalent strong protection to data is being recognised as important to the digital economy post-Brexit.