- By Rocio De la Cruz, Principal Associate, Gowling WLG (UK) LLP
On 21 June 2017, a new Data Protection Bill was announced in the Queen's Speech. The Bill demonstrates that the UK government takes the protection of citizens' personal data seriously. It also shows that the government is committed to maintaining a regime in line with the enhanced requirements under the forthcoming General Data Protection Regulation (2016/679), the new EU Directive on Law Enforcement data processing (2016/680), and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Treaty No. 108).
This means that, despite Brexit, organisations will need to continue to prepare for the new, stricter data protection regime that will come into force on 25 May 2018.
This position has been reaffirmed by a statement of intent released by the government on 7 August, about which Matt Hancock, Minister of State for Digital, said, "The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world, and this new law will help it to thrive".
What is the purpose of the new Data Protection Bill?
The Data Protection Bill will replace the Data Protection Act 1998 and will incorporate the GDPR and new EU Directive on law enforcement data processing into national law.
The Bill is also intended to:
- give individuals stronger rights in respect of, and more control over, their personal data, including:
  - a right to be forgotten when individuals no longer want their data to be processed (provided there are no legitimate grounds for retaining it);
  - a right to require major social media platforms to delete information held about them at the age of 18;
  - a right of data portability, for customers to move data between service providers;
  - the right of access, to make it easier and free for individuals to require an organisation to disclose the personal data it holds on them;
  - the right to withdraw consent to their data being processed; and
  - the right to be informed in a clear way of the processing activities before consent is given.
- implement the accountability, privacy by design and privacy by default principles, as described in the GDPR, including the obligation to carry out data privacy impact assessments in order to understand what risks are involved and how to mitigate them;
- modernise the regime for data processing by law enforcement agencies, covering both domestic processing and cross-border transfers of personal data, enabling police and judicial authorities to exchange information quickly and easily with international partners;
- update the powers and sanctions available to the Information Commissioner, in line with those to be implemented by the GDPR (including powers to issue fines of up to £17 million, or 4% of global turnover, for breaches of data law);
- introduce new criminal offences, including the offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data (which may impact research activities), and the offence of altering records with intent to prevent disclosure following a data subject access request; and
- exercise the available derogations allowed by the GDPR, which may affect (amongst other things) the minimum age at which a child can consent to data processing, the processing of criminal conviction and offence data by bodies other than official authorities, the balance between the freedom of expression of the media and the right to privacy of individuals, and the processing of personal data for research purposes.
Why is the new Data Protection Bill significant?
New data protection legislation was to be expected during this parliamentary session given the need for the UK to pass national legislation dealing with those areas left to member states under the GDPR, and to implement the Directive on law enforcement data processing, both of which will need to be in place by May 2018.
As well as meeting the UK's obligations whilst it continues to be an EU member state, the government's briefing paper on the Queen's Speech notes that the Bill will also "help to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU". This clarifies the UK government's position on data protection post-Brexit and indicates that we can expect the government to retain an equivalent data protection regime to that provided under EU law when we leave the European Union in March 2019.
Is this a positive development?
Broadly, yes – both from the perspective of the data subject (who can expect greater rights, more control and enhanced protections in respect of the processing of their personal data), and of UK businesses (as they will not have to prepare for another major regime change when Brexit takes effect on 29 March 2019, and they will be supported to ensure that they are able to manage and secure data properly).
It will be particularly significant for UK businesses with multinational operations as the UK's commitment to maintaining a broadly equivalent data protection regime post-Brexit will be important in enabling personal data to continue to be freely transferred between the UK and the EU post-Brexit.
Will there be any additional requirements on UK businesses transferring personal data between the UK and the EU post-Brexit?
This remains to be seen – as yet, we do not know how closely the Data Protection Bill will mirror the EU data protection regime nor how it will be regarded by the EU.
EU data protection law provides that personal data can only be transferred to a country outside of the European Economic Area where that country ensures an adequate level of data protection. Whilst it seems clear that the UK government's intention is to secure a finding of adequacy from the EU in respect of its domestic data protection regime (which will enable data to continue to flow freely between the UK and the EU), this is by no means guaranteed.
If the UK is not able to obtain a finding of adequacy, then UK businesses may be required to put additional safeguards in place to continue to transfer data between the UK and the EU, for example incorporating model clauses into data-transfer agreements or using Binding Corporate Rules to govern the transfer of data to and from members of its group based in EU countries.
It is important to note that even if the UK does obtain a finding of adequacy in respect of its data protection regime on exiting the EU, this would be subject to review – the GDPR provides for adequacy decisions to be reviewed at least every four years. This suggests that UK legislation will need to keep pace with any subsequent changes to the EU data protection regime to avoid any adequacy decision subsequently being reconsidered.
When can we expect a draft of the new Data Protection Bill?
We are expecting more details to be revealed when Parliament reconvenes in September after the summer recess.
As the Bill will implement the Directive on law enforcement data processing into UK law, we assume the intention is for the Bill to become law by 6 May 2018 (being the deadline for the Directive's implementation), although the Bill's provisions may not all be brought into force on this date, for example, those relating to GDPR implementation may not come into force until 25 May 2018, and those relating to the post-Brexit data protection regime could be brought into force later still.
There is also no guarantee that the Bill will go ahead as currently envisaged – the government may reconsider its approach to these issues.
How can your business prepare for the new regime?
The announcement of the Bill and the subsequent statement of intent issued by the government suggest the UK will maintain a broadly equivalent data protection regime when the UK leaves the EU in March 2019.
In any case, the deadline for businesses to comply with the requirements of the GDPR remains as 25 May 2018, and so organisations should continue to prepare for full GDPR compliance by this date. To get ready, organisations should at least consider:
- undertaking an information gathering exercise to understand the processing activities carried out by their organisation;
- building a data-flow map that includes detailed information concerning the types of personal data involved, the locations where each database is stored, the staff and other parties accessing each data set, the legal basis for processing personal data, and any transfers of data between parties (both internally and with third parties);
- updating privacy notices and any information given to customers and other data subjects (e.g. employees) to make sure that they are clear and justifiable and that they include all information required under the GDPR;
- reviewing the way their organisation is collecting consent, and assessing whether such consent would be considered to be legally given under the forthcoming GDPR;
- updating data protection and information security policies;
- reviewing agreements in place with third parties to identify roles (data controllers, joint data controllers or data processors) and ensuring that they include provisions in line with Articles 26 and 28 of the GDPR;
- increasing the level of awareness across their organisation by organising campaigns and training activities;
- carrying out regular checks in order to analyse risks (feeling unprepared for regulatory changes was a key digital risk for many businesses we surveyed for our Digital Risk Calculator); and
- avoiding being obsessed with ghosts and myths related to the new levels of fines, and focussing on "doing your best" instead. In the words of Elizabeth Denham, the Information Commissioner, the main thing is for businesses to bear in mind that "This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that… Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously." (From the ICO's article "GDPR-sorting the fact from the fiction".)