UK Data Protection Bill Published
Friday, September 22, 2017
DPA, UK, GDPR, EU, internet
Print Mail Download i

In line with the EU General Data Protection Regulation (GDPR), the UK has now published a Data Protection Bill, which is intended to “make our data protection laws fit for the digital age…” The Overview Factsheet for this Bill may be found here.  This legislative initiative parallels that of several other EU Member States that have introduced similar bills to implement the GDPR.

What does this mean for data protection laws in the UK and the impending GDPR, which is due to come into force throughout the EU on 25 May 2018?

Aim of the Bill

The draft Bill (which will come into force on the same date as the GDPR) is designed to replace the Data Protection Act 1998 (DPA) in the UK, implement the GDPR and transpose the EU Law Enforcement Directive into UK law.  As of May next year, the GDPR will become directly enforceable in the UK as in all other EU Member States, and this will remain the case until the UK’s withdrawal from the EU. The guidance published by the UK’s Department for Digital, Culture, Media & Sport explains the relationship between the GPDR and the Bill, following its enactment, as follows:

 The​ ​Bill​ ​adopts​ ​the​ ​GDPR​ ​standards​ ​for​ ​all​ ​general​ ​data​ ​in​ ​the​ ​UK.​ ​Until exit​ ​negotiations​ ​are​ ​concluded,​ ​the​ ​UK​ ​remains​ ​a​ ​full​ ​member​ ​of​ ​the​ ​EU and​ ​all​ ​the​ ​rights​ ​and​ ​obligations​ ​of​ ​EU​ ​membership​ ​remain​ ​in​ ​force.​ ​Until the​ ​UK​ ​leaves​ ​the​ ​EU,​ ​therefore,​ ​the​ ​GDPR​ ​will​ ​operate​ ​in​ ​tandem​ ​with the​ ​Bill.​ ​When​ ​the​ ​UK​ ​leaves​ ​we​ ​will​ ​restore​ ​a​ ​wholly​ ​domestic​ ​basis​ ​to our​ ​data​ ​protection​ ​laws​ but​ ​the​ ​Bill​ ​allows​ ​for​ ​the​ ​continued​ ​application​ ​of GDPR​ ​standards.​ ​These​ ​standards​ ​were​ ​shaped​ ​with​ ​significant involvement​ ​of​ ​the​ ​UK,​ ​and​ ​combine​ ​support​ ​for​ ​innovative​ ​use​ ​of​ ​data with​ ​robust​ ​protections.​ ​The​ ​standards​ ​will​ ​also​ ​help​ ​open​ ​up​ ​trade​ ​andinvestment.

Highlights

The Bill reinforces the message that businesses in the UK should continue to prepare for GDPR compliance, as the rights and obligations are largely the same.

However, one key purpose of the Bill is to provide additional detail where the GDPR leaves it up to Member States to add to or to vary certain provisions. The UK has made the most of these derogations to align the Bill with the current data UK protection rules, where possible. The Bill aims to:

 Preserve existing tailored exemptions that have worked well in the Data Protection Act, carrying them over to the new law to ensure that UK businesses and organisations can continue to support world leading research, financial services, journalism and legal services.

The Bill is complex and runs over 200 pages. Key points to note include:

  • Penalties – The maximum fine mirrors the GDPR at £17m (Euro 20 million) or 4% of global turnover. The ICO is also given powers to bring criminal proceedings where a controller or processor alters records with intent to prevent disclosure following a subject access request;

  • Special Categories – The Bill allows for special categories of personal data and criminal offence data to be processed without consent in certain situations including the following:

    • To allow employers to fulfil obligations under the employment law;

    • To allow historic or scientific research;

    • To prevent unlawful acts and fraud; and

    • To support processing for insurance or occupational pensions purposes.

  • DPO – The obligation to appoint a Data Protection Office (DPO), where relevant, applies only to controllers, unlike in the GDPR which imposes this obligation on both controllers and processors.

  • Children – The Bill sets the threshold for requiring parental consent to provide an information society service to a child at 13.

Law Enforcement

The Bill creates a privacy regime for the processing of personal data for law enforcement purposes by the police, prosecutors and other criminal justice agencies. This part of the Bill transposes the EU’s Law Enforcement Directive into national law. The Bill also covers additional privacy rules for the processing of personal data by intelligence services.

Conclusion

The Bill is still in draft form and has yet to be debated in Parliament. The Bill was introduced to the House of Lords on 13 September 2017. The next stage, scheduled for 10 October 2017, will be a second reading in the House of Lords with a general debate on all aspects of the Bill.

Lucia Hartnett also contributed to this article.

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Legal Analysis

More from Squire Patton Boggs (US) LLP

Identifying a Single Biomolecule Means Single-molecule Detection Sensitivity
by: Todd A. Ostomel
Singapore Looks to Tighten Corporate Disclosures of Directors’ Personal Data
by: Charmian Aw
In a Rare Win for California Employers, Good Faith is Good Enough to Avoid Wage Statement Penalties (US)
by: Melissa Legault
Employee Sent Packing After Empty Bag Theft — Mitigation in Dishonesty Dismissals (UK)
by: Sean Field-Walton
The General Code in Bite-Sized Chunks – Counting Members for General Code Compliance Is Definitely Not a Piece of Cake!
by: Anna Tomlinson
Upcoming/New CFIUS Filing: Premier American Uranium Inc. (Canada) and American Future Fuel Corporation (Canada)
by: International Trade Practice at Squire Patton Boggs
Private Equity’s Involvement in Health Care Under Increasing Scrutiny
by: Bevan Blake , Kaitlin E. Rittgers
Global Brand Protection – How to Manage an Anti-Counterfeiting Program
by: Rebecca Dücker , Jens F. Petry
Federal Court Strikes Down NLRB’s Expansive Joint Employer Rule (US)
by: Michael Carlin
Navigating the Regulatory Maze: Hemp Industry Calls for Additional Federal Action
by: Austin Harrison , Michael Cox

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins