The Department for Digital, Culture, Media & Sport has
now published some details of the proposals that will be included in the Data
Protection Bill, which will be presented to Parliament, probably in September.
In a display of considerable chutzpah, the document is entitled
‘A New Data Protection Bill: Our Planned Reforms’ and generally claims
ownership of a number of provisions of the GDPR which will automatically become
a part of UK law in May. In the Ministerial Foreword, the Rt Hon Matt Hancock
MP states:
‘The Data Protection Bill, promised in our manifesto and announced in
the Queen’s speech, will bring our data protection laws up to date. It will
both support innovation by ensuring that scientists and businesses can continue
to process data safely. It will ensure that we can remain assured that our data
is safe as we move into a future digital world based on a system with more
accountability, but less bureaucracy. The Bill includes tougher rules on
consent, rights to access, rights to move and rights to delete data.
Enforcement will be enhanced, and the Information Commissioner given the right
powers to ensure consumers are appropriately safeguarded.
The Bill will also bring EU law into our domestic law.’
Pedants might well point out that most of this will be UK
law in May 2018 whether this Bill is passed or not as the GDPR (already law)
will then be in force. We might find, given even the slightest hiccup in the
legislative process (quite likely, since it’s taken them ages to get to here), that
when given the Royal Assent the Data Protection Bill makes law that already
exists. In addition, there will be close scrutiny of the Bill to make sure it does
match the GDPR as, if any diversion from the ‘true path’ is found, the effect
of the European Union (Withdrawal) Bill (when passed) will be to make the law
arising under the GDPR part of UK law; that could give rise to some interesting
disputes.
The Statement of Intent indicates that the Data Protection
Law Enforcement Directive will be applied by virtue of its provisions.
The Statement does have some meat. It states:
‘We are determined to ensure that the GDPR best supports UK
interests – for citizens and businesses. The GDPR requires some modification to
make it work for the benefit of the UK and the Data Protection Bill will make
the necessary changes. In particular, the Bill will:
- Exercise the available derogations in the GDPR that the UK
government negotiated. This will allow:
  - The implementation of key government commitments
  including, the ability to require social media platforms to, on request, delete
  information held about them at the age of 18.
  - A simpler shift for both business and consumers as we will
  retain many of the enablers of processing essential to all sectors of the
  economy, from financial services to academic research, under the new
  legislation.
- Apply the new data protection standards to all general
data, not just areas of EU competence.
We are leaving the EU and businesses need a single
standard under which they can operate. We do not want differing standards for
legal areas which previously came under EU competence. The Bill will ensure
that quality standards are also simple to apply.
- Repeal the Data Protection Act 1998.
When the GDPR takes effect it will be confusing for individuals,
businesses and the courts if we do
not adjust our domestic law to remove inconsistencies. The Data Protection Bill
will make the necessary repeals to ensure clarity of roles and responsibilities
for all involved.’
Note that new offences are proposed. In particular, there is to be a new
offence of intentionally or recklessly re-identifying individuals from
anonymised or pseudonymised data. Offenders who knowingly handle or process
such data will also be guilty of an offence. The maximum penalty would be an
unlimited fine. Another new offence is that of altering records with intent to
prevent disclosure following a subject access request, which would apply not
only to public authorities, but to all data controllers and processors. The
Statement also suggests that the Bill will widen the existing offence of
unlawfully obtaining data to capture people who retain data against the wishes
of the controller (even if they initially obtained it lawfully).
On derogations, the legislation will provide for a child
aged 13 years or older to consent to their personal data being processed. Also,
in news that will be a relief to our recent authors on this issue,
‘we will legislate to extend the right
to process personal data on criminal convictions and offences so as to enable
organisations other than those vested with official authority to process
criminal convictions and offences data’. Predictably, the protection for ‘investigative
journalism’ in s 32 of the 1998 Act is to be renewed. The passage on
derogations also includes reassuring words about protecting research – the devil,
his pomps and all his angels will be in the detail of that one.
As to automated individual decision-making, the Statement
gives considerable detail on the proposed derogation:
‘According to the GDPR, an individual has the right not to
be the subject of automated decision making including “profiling”. This may
include, for example, an individual receiving an unfavourable credit rating,
which is decided by way of a purely automated process.
The GDPR also allows exemptions where suitable measures are
put in place to safeguard the individual’s rights, freedoms and legitimate
interests. It is important for an individual to have recourse in the event that
they are subject to an unfavourable automated decision. There are also
legitimate functions which are dependent on automated decision making. For
example, a bank, before agreeing to provide a loan, would be entitled to check
the creditworthiness of an applicant. In this context, an automated credit
reference check would be an appropriate means of achieving this outcome.
In view of this, we will legislate to implement this
exemption with a view to ensuring legitimate grounds for processing personal
data by automated means. Individuals will have the right not to be subject to a
decision, which may include a measure, evaluating personal aspects relating to
them which is based solely on automated processing and which produces legal
effects or similarly significantly affects them, such as automatic refusal of
an online credit application or e-recruiting practices without any human intervention.’