The UK Government has now published its new Data Protection Bill, which will implement derogations and exemptions from the GDPR while closely following the principles of the Data Protection Act 1998.
The General Data Protection Regulation (GDPR) will take effect on 25 May 2018 and will be retained in UK law; the lengthy new Bill has extended the GDPR to non-EU matters, incorporated a distinct national security regime, given effect to the Law Enforcement Directive and created two new criminal offences, as well as implementing the exemption and derogation powers in the GDPR. The Data Protection Act 1998 will be repealed.
The General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and Brexit is expected to happen in the Spring of 2019. The GDPR will therefore be law in the UK before the UK exits the EU. In order to make the law work efficiently the UK will have to fill in the gaps in the GDPR which have been left to the discretion of Member States. The GDPR applies only to personal data processing within the scope of EU jurisdiction – as such, national legislation will be required if similar rules are to apply to all personal data processing. Similarly, the Law Enforcement Directive 2016/680 ("LED") is already in force and Member States have until 6th May 2018 to transpose it into national law.
After Brexit, the GDPR provisions will be retained in UK law by clause 3 of the European Union (Withdrawal) Bill, which incorporates EU law into domestic law. This Bill has only just commenced its Parliamentary process. The government is anxious to ensure that UK data protection law mirrors EU law in order to facilitate trans-border data flows.
The government announced in August that it intended to promote a new Data Protection Bill in order to deal with all these matters. This Bill was introduced into the House of Lords on 13 September 2017, accompanied by lengthy Explanatory Notes.
It is clear from the Explanatory Notes that the Bill aims to replicate the Data Protection Act 1998 as far as possible. The derogations and safeguards permitted to Member States are closely modelled on those in the 1998 Act.
The Bill recognises the GDPR by refining some of the definitions and by implementing the discretions available to Member States, broadly modelling them on the 1998 Act.
The Bill extends the GDPR by applying its principles to the processing of personal data, with two exceptions. First, the processing of personal data by "competent authorities" for law enforcement, which is outside the GDPR and covered by the LED, is contained in a separate Part. This applies the LED to all such processing even though the UK's opt-out from criminal justice matters would not require such comprehensive application of the LED. Secondly, the Bill contains a Part (Part 4) setting out a new code of personal data processing for the intelligence agencies based on Convention 108 and the modifications to it currently under discussion in the Council of Europe.
Consequently, as a result of the Bill, until Brexit the UK will have four separate codes of data protection law. The Notes indicate that after Brexit, steps will be taken to unify the preserved GDPR and the ‘applied GDPR’ in a single piece of legislation.
The Bill is set out in seven parts:
Part 1 explains the structure of the Bill summarised above and contains some general definitions.
Part 2 has three chapters, the first of which contains definitions and general material.
Chapter 2 of Part 2 fills in gaps in the GDPR such as the definition of public authority and public interest. In particular the age of consent for children using information society services is reduced to 13 years of age, a system is set up to authorise certification providers and safeguards are established for processing for archiving, research and statistical purposes. Rules on automatic decision making seek to replicate the 1998 Act rules, but in practice apply a stricter regime. All these and the other provisions seek to adjust the GDPR to follow the 1998 Act as closely as possible.
Chapter 3 of Part 2 applies the GDPR to personal data processing to which the GDPR would not otherwise apply, including the processing of unstructured manual files by public authorities (in the same way as they are currently covered by the 1998 Act), but excluding law enforcement and intelligence agency processing.
Part 3 of the Bill, divided into six Chapters, transposes the LED into UK law. This applies to all processing for law enforcement purposes by a defined list of "competent authorities". The LED restricts the processing and disclosure of personal data to a narrowly defined set of functions, but the general rules are the well-known principles and other rules derived from previous legislation.
Part 4 provides a code of personal data processing for the intelligence agencies in six Chapters. It is said to have been drawn from Convention 108 and changes which are being made to it during the current ‘modernisation’ process. The rules in this Part are based on the usual principles with the predictable wide exemptions for national security processing.
As a consequence of repealing the 1998 Act, new provision has to be made for the Information Commissioner and that is set out in Part 5 of the Bill. These are also provisions which seek to closely replicate the existing law. The Commissioner continues in existence and is given the necessary functions under the GDPR.
In anticipation of Brexit, the Commissioner has the duty to develop wider international co-operation mechanisms. The provisions relating to the Data Sharing and Direct Marketing Codes and consensual audits are preserved, as are also the rules on disclosure of information to the Commissioner and the duty of confidentiality imposed on the Commissioner and her staff. The Commissioner may charge for services except to a data subject or a data protection officer. The charging powers in the Digital Economy Act 2017, which prospectively replaced notification fees, are consolidated in this Bill and the Commissioner is required to make the expected Annual Reports.
Part 6 of the Bill deals with enforcement. The Commissioner’s powers to issue Information, Assessment and Enforcement Notices are replicated with adjustments to take account of the GDPR. Similarly, the power to impose financial penalties is preserved with the higher maximum levels of fines set out in the GDPR. Appeals continue to lie to the First-tier Tribunal.
The complex procedures restricting enforcement action against anyone processing for the purposes of journalism, literature and art are retained and extended to academic purposes. This is said in the Notes to be a sufficient protection of the right to freedom of expression. The approach of closely following the 1998 Act is presumably intended to avoid re-opening the fractious debates with media representatives.
Data subjects are given a clear right to complain to the Commissioner who is under a duty to consider and respond to the complaint. Data Subjects can apply to the Tribunal to compel the Commissioner to consider a complaint. The right to complain is said in the Notes to be broadly equivalent to s. 42 of the 1998 Act. Data Subjects can also apply to a court to order compliance with the legislation by a controller or processor or seek payment of compensation.
The offence of unlawfully obtaining personal data and the related offences are replicated. Two new offences are created by the Bill: the first that of knowingly or recklessly re-identifying de-identified personal data and the second that of altering personal data to prevent its disclosure in response to a subject access request.
Part 7 of the Bill contains miscellaneous provisions such as order-making powers. The prohibition on enforced subject access is to be found in this Part as is the power of certain bodies to represent data subjects in proceedings. The penalties for offences are set out, some of which will now be recordable. The Commissioner will additionally have to follow PACE when conducting investigations. There are other provisions relating to prosecutions, the liability of directors, Tribunal proceedings, definitions and other minor matters including commencement.
The body of the Bill is then followed by 18 lengthy Schedules making 203 pages of substantive text.
The length and complexity of the Bill is notable and unwelcome. It is not at all clear that the separate Parts for law enforcement and intelligence agency processing are required. The general principles remain the same and the ‘applied GDPR’ with specific derogations and exceptions might well have served for those activities.
Nevertheless, the whole scheme of the legislation is highly ‘conservative’, seeking to depart from the 1998 Act as little as possible. This is understandable in the light of both the short timescales available before the GDPR takes effect and the LED must be transposed, and the Brexit process. Because of these factors it can be presumed that the government will seek to resist any Parliamentary departures from this conservative approach.
The definition of competent authorities refers to a Schedule containing a long list of prosecuting and law enforcement bodies, combined with a sweeping-up provision covering any other person with statutory law enforcement functions. Private prosecutions are deliberately excluded. It is not clear why such a narrow view has been taken of the meaning of ‘competent authority’ for law enforcement purposes. The LED defines it thus:
“‘competent authority’ means: (a) any public authority competent …; or (b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; …”
The institution of a prosecution by a private individual is not an exercise of a private civil right between parties, but the invoking of the powers of the state. This should surely fall within the second leg of the definition – that such private prosecutions are unknown in the rest of the EU is irrelevant.
Although the Part dealing with the intelligence services is said to be derived from the modernised Convention 108 – presumably to distance these matters from the EU – this distancing is more apparent than real, because one of the express objectives of the modernisation of Convention 108 is ‘to ensure consistency and compatibility with the EU legal framework.’
Article 85.1 of the GDPR provides that:
"Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."
Journalism and the other purposes are mere examples. This Article goes much wider than the comparable provision in Directive 95/46/EC. The failure of the government to make full use of the scope of the Article will be a major disappointment to many. Failing amendment in Parliament, one might expect disputes to arise in which conflicts are alleged between the new Bill and the rights to freedom of expression enshrined in the Human Rights Act 1998.
The restoration of a clear right of Data Subjects to complain to the Commissioner is very much to be welcomed. These provisions cannot realistically be said to be broadly equivalent to the 1998 Act. The right to request an assessment under the 1998 Act was seen by many as a removal – or at least a severe dilution – of the right to complain given in the Data Protection Act 1984. That right has now been fully restored.
Equally welcome are the new prohibitions on re-identifying data and altering data to prevent its disclosure, although those handling large or complex subject access requests should ensure that they have a firm handle on the application of exemptions.
Notwithstanding the highly cautious approach of the government in seeking to depart as little as possible from the GDPR, the LED and the 1998 Act, this Bill will be subject to considerable scrutiny in Parliament. One cannot be confident that this Bill will reach the statute book materially unaltered.
However, for the commercial data protection officer, the Bill might come as some relief, for in spite of the complexity of the drafting and the GDPR changes which everyone has been adjusting to for more than a year, it attempts to preserve the data protection world as it has been known since 1998.