October 19, 2017

UK Data Protection Bill Published

In line with the EU General Data Protection Regulation (GDPR), the UK has now published a Data Protection Bill, which is intended to “make our data protection laws fit for the digital age…” The Overview Factsheet for this Bill may be found here.  This legislative initiative parallels that of several other EU Member States that have introduced similar bills to implement the GDPR.

What does this mean for data protection laws in the UK and the impending GDPR, which is due to come into force throughout the EU on 25 May 2018?

Aim of the Bill

The draft Bill (which will come into force on the same date as the GDPR) is designed to replace the Data Protection Act 1998 (DPA) in the UK, implement the GDPR and transpose the EU Law Enforcement Directive into UK law.  As of May next year, the GDPR will become directly enforceable in the UK as in all other EU Member States, and this will remain the case until the UK’s withdrawal from the EU. The guidance published by the UK’s Department for Digital, Culture, Media & Sport explains the relationship between the GDPR and the Bill, following its enactment, as follows:

 The Bill adopts the GDPR standards for all general data in the UK. Until exit negotiations are concluded, the UK remains a full member of the EU and all the rights and obligations of EU membership remain in force. Until the UK leaves the EU, therefore, the GDPR will operate in tandem with the Bill. When the UK leaves we will restore a wholly domestic basis to our data protection laws but the Bill allows for the continued application of GDPR standards. These standards were shaped with significant involvement of the UK, and combine support for innovative use of data with robust protections. The standards will also help open up trade and investment.

Highlights

The Bill reinforces the message that businesses in the UK should continue to prepare for GDPR compliance, as the rights and obligations are largely the same.

However, one key purpose of the Bill is to provide additional detail where the GDPR leaves it up to Member States to add to or to vary certain provisions. The UK has made the most of these derogations to align the Bill with the current UK data protection rules, where possible. The Bill aims to:

 Preserve existing tailored exemptions that have worked well in the Data Protection Act, carrying them over to the new law to ensure that UK businesses and organisations can continue to support world leading research, financial services, journalism and legal services.

The Bill is complex and runs over 200 pages. Key points to note include:

  • Penalties – The maximum fine mirrors the GDPR at £17m (Euro 20 million) or 4% of global turnover. The ICO is also given powers to bring criminal proceedings where a controller or processor alters records with intent to prevent disclosure following a subject access request;

  • Special Categories – The Bill allows for special categories of personal data and criminal offence data to be processed without consent in certain situations including the following:

    • To allow employers to fulfil obligations under employment law;

    • To allow historic or scientific research;

    • To prevent unlawful acts and fraud; and

    • To support processing for insurance or occupational pensions purposes.

  • DPO – The obligation to appoint a Data Protection Officer (DPO), where relevant, applies only to controllers, unlike the GDPR, which imposes this obligation on both controllers and processors.

  • Children – The Bill sets the threshold for requiring parental consent to provide an information society service to a child at 13.

Law Enforcement

The Bill creates a privacy regime for the processing of personal data for law enforcement purposes by the police, prosecutors and other criminal justice agencies. This part of the Bill transposes the EU’s Law Enforcement Directive into national law. The Bill also covers additional privacy rules for the processing of personal data by intelligence services.

Conclusion

The Bill is still in draft form and has yet to be debated in Parliament. The Bill was introduced to the House of Lords on 13 September 2017. The next stage, scheduled for 10 October 2017, will be a second reading in the House of Lords with a general debate on all aspects of the Bill.

Lucia Hartnett also contributed to this article.

© Copyright 2017 Squire Patton Boggs (US) LLP


About this Author

Francesca Fellowes, Squire Patton Boggs, intellectual property attorney, multi-jurisdictional project lawyer, commercial business regulatory legal counsel
Senior Associate

Francesca Fellowes’ practice covers both commercial and intellectual property work. She has substantial experience in all aspects of non-contentious commercial work and specialises in both contentious and non-contentious intellectual property work.

She also has a specialist knowledge of data protection law and in particular, advising on the compliance aspects of and project-managing multijurisdictional projects for global clients.

Francesca trained at a media and entertainment law firm in London and has been at Squire...

Asel Ibraimova, Squire Patton, Media Industry Lawyer, data controllers attorney
Associate

Asel Ibraimova is an associate with expertise in European data protection matters.

Asel has worked in the healthcare industry and media industry, representing the interests of both data controllers and data processors. She has advised on methods of international transfer of personal data, on data protection issues related to the launch of websites, apps, mobile devices and online personalization services. She has negotiated data protection contracts with major online service providers, including cloud providers. Asel has drafted data protection policy documents for large organisations, templates of data protection clauses for procurement and employment purposes, technology contracts and strategic planning documents for legal teams in preparation for continuing changes in data protection law in Europe.
