The UK Government has published a statement of intent containing details of its proposed Data Protection Bill. The full text of the Bill is expected in September 2017, when the UK Parliament returns from its summer break.
The Bill will enshrine the EU General Data Protection Regulation (GDPR) into UK domestic law. It will also implement the requirements of EU Directive 2016/680 (The Law Enforcement Directive) which covers the processing of personal data for crime prevention, and the free movement of such data.
Why is a UK bill needed?
The GDPR is an EU regulation and therefore has direct effect in all EU Member States (currently including the UK) without the need for implementation at the national level. The Data Protection Bill aims to ensure that, post-Brexit, UK data protection law remains in step with that of its EU trading partners.
The change is necessary because after the UK leaves the European Union, it will become a “third country” for data protection purposes. EU data protection law prohibits the transfer of EU personal data to third countries which do not ensure an adequate level of protection. Adequacy does not require identical laws but the third country must provide ‘essentially equivalent’ protection. The implementation of GDPR-style legislation in the UK makes it more likely that the EU Commission will make an adequacy decision in favour of the UK under Article 45 of the GDPR.
What does the statement say?
The statement of intent suggests that UK data protection law will align with the requirements of the GDPR, meaning that the GDPR's severe penalties for breach (€20 million or 4% of global turnover) will apply to UK-based companies. The content of the statement does not mark a significant departure from the language of the GDPR and, on the face of it, would not require companies to take alternative compliance steps in the UK.
However, the statement does set out three new offences to be contained in the Bill. In particular, it:
- Creates a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.
- Creates a new offence of altering records with intent to prevent disclosure following a subject access request. The offence would use section 77 of the Freedom of Information Act 2000 as a template. The scope of the offence would apply not only to public authorities, but to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland.
- Widens the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully).
The details of the first offence will be interesting to see.
The UK Government also states that “default reliance on the use of default opt-out or pre-selected “tick boxes”…will become a thing of the past.” It is not clear whether the exception for consent to e-marketing by existing customers, contained in the e-Privacy Directive, will be included in the Bill. Indeed, the statement does not mention the current e-Privacy Directive or the proposed e-Privacy Regulation which will also require similar implementation post-Brexit.
There also seems to be some confusion as to the meaning of “privacy by design and default.” It suggests the principle can be achieved by “giving citizens the right to know when their personal data has been released in contravention of the data protection safeguards, and also by offering them a clearer right of redress.” The concept of privacy by design and default promotes compliance with data protection laws and regulations from the earliest stages of initiatives involving personal data and does not necessarily relate to notification and redress.
What should businesses be doing?
Although companies with a UK footprint will need to familiarise themselves with the Bill when it is published, it is unlikely to represent a major departure from the requirements of the GDPR in the authors’ view.
In order to be compliant under both the GDPR and the Bill, companies will need to ensure that they have robust policies and procedures in place. With the risk of heavy fines under the GDPR and the Bill, not to mention the reputational damage and potential loss of consumer confidence caused by noncompliance, nothing should be left to chance. In terms of key first steps, companies might consider prioritising the following as a minimum in order to comply with both pieces of legislation:
- Review privacy notices and policies—ensure these are compliant. Do they provide for the new rights individuals have?
- Prepare/update the data security breach plan—to ensure new rules can be met if needed.
- Audit your consents—are you lawfully processing data?
- Set up an accountability framework—e.g., monitor processes, procedures, train staff.
- Appoint a DPO where required.
- Consider if you have new obligations as a processor – is your contractual documentation adequate? Review contracts and consider what changes will be required.
- Audit your international transfers—do you have a lawful basis to transfer data?
For those businesses that have yet to consider their obligations, the advice is to start thinking about compliance under the GDPR as soon as possible, and under the Bill once it is published. Not only will compliance be crucial for retaining customer trust, it will also avoid being made an example of in a way that hurts not only your reputation but also your bottom line.