The UK government has today introduced its “Data Protection Bill” (the Bill) into the House of Lords.
The Bill, which will replace the Data Protection Act 1998 (the DPA), implements the EU General Data Protection Regulation (GDPR) and provides for appropriate exemptions and derogations, many of which are identical to those already contained in the DPA. It also covers the processing of personal data by intelligence services and implements the law enforcement directive (and nearly half the ‘front end’ of the Bill relates to these topics).
As expected, the Bill is extremely closely aligned with the GDPR, as this is essential to the Government’s hopes of obtaining an ‘adequacy decision’ (set out in its position paper on data protection earlier this month). Whilst there is nothing particularly novel or transformative about the Bill (and, in fact, only about a fifth of the 218 pages of the Bill will be relevant for most organisations), several notable points of interest include:
1. Children’s data: The GDPR provides that domestic law can determine the age at which a child can consent to their data being processed by providers of information society services (i.e. online services) as long as this is between 13 and 16. As expected, the Bill confirms that in the UK, this will be 13.
2. Conditions for processing special categories of data and criminal convictions data: Data controllers processing special category or criminal convictions data in an employment context, or on grounds of substantial public interest, will need to implement an ‘appropriate policy document’ as an additional safeguard. The document must explain how they comply with the data protection principles and how long the personal data is likely to be retained. It must be reviewed and updated, and made available to the ICO on request.
3. Automated decision making: Where an automated decision is required or authorised by law then – as is the case under the DPA – individuals will have 21 days to request data controllers either reconsider a decision made about them via automated means or make a new decision that is not based solely on automated processing. Unfortunately, however, the Bill does not provide clarity on any other aspects of what is one of the most confusing articles of the GDPR.
4. ICO funding: The ICO will be able to require data controllers to pay charges to its office and may also charge fees for providing certain services, thereby answering the question of how the ICO will be funded once notifications are abolished.
5. Brexit: After Brexit, the UK government intends that the standards of the GDPR will continue to apply. The Government would likely use the powers in the EU (Withdrawal) Bill to bring the GDPR within the UK’s domestic law. Whilst the EU (Withdrawal) Bill is still being hotly contested in parliament, if it passes unamended, ministers could, once the UK has exited the EU, modify UK data protection law without the usual degree of parliamentary scrutiny.