We unpack the new UK Data Protection Bill and how it relates to GDPR.
On 13 September 2017, the UK Government introduced the new Data Protection Bill (the Bill) in the House of Lords. If enacted, the Bill will repeal and replace the existing Data Protection Act 1998 and supplement the EU’s new General Data Protection Regulation (GDPR).
On 14 September Elizabeth Denham, Information Commissioner, said:
“The introduction of the Bill is welcome as it will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. I will be providing my own input as necessary during the legislative process.”
What is the Bill about?
The Bill deals with five key areas:
- General processing. This part of the UK Data Protection Bill implements the GDPR standards across all general data processing and clarifies some of the definitions used in the GDPR.
- Law enforcement processing. The general processing provisions do not apply to processing by law enforcement or national security agencies. This part of the Bill therefore provides rules for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes.
- Intelligence services processing. As with law enforcement processing, the Bill also creates a separate set of rules for processing by the intelligence services for national security purposes. This part is based on the regime proposed, but not yet agreed, under the Council of Europe’s modernised Convention 108.
- The Information Commissioner. This part confers upon the ICO the investigatory, authorisation and advisory powers provided for in the GDPR. We are particularly pleased to see that the Bill requires the Commissioner to prepare a code of practice on direct marketing.
- Enforcement. The Bill allows the ICO to levy administrative fines on data controllers and processors for the most serious breaches of data protection law of up to €20m or 4% of annual worldwide turnover, whichever is greater. The Bill also empowers the ICO to bring criminal proceedings for offences.
The Bill also creates a new offence of knowingly or recklessly re-identifying de-identified personal data, punishable by an unlimited fine. As introduced, it makes no specific reference to an exemption for security researchers, so anyone who re-identifies a “de-identified” dataset to test the strength of its anonymisation should not assume that a research purpose alone is a defence, and should obtain the controller’s authorisation before doing so.
The Bill also provides certain exemptions from the GDPR. Schedules 2 to 4 set out the exemptions the UK has negotiated, which include:
- the safeguarding of the processing of personal data by journalists for freedom of expression and to expose wrongdoing;
- the exemption of scientific and historical research organisations from certain obligations that would impair their core function;
- an exemption for the processing of personal data by national anti-doping agencies;
- an exemption for processing carried out on the grounds of suspicion of terrorist financing or money laundering; and
- where justified, the processing of sensitive (special category) data without consent so that employers can fulfil their obligations under employment law.
The UK Data Protection Bill must still be debated in Parliament. Its second reading in the House of Lords – the first opportunity for peers to debate the legislation – is scheduled for 10 October 2017.