21 September 2017
The Government published, on 14 September 2017, the Data Protection Bill 2017 (‘the Bill’), following its statement of intent made in August 2017. In particular, the Bill aims to implement the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680), as well as provide a framework for the processing of personal data by intelligence services.
William Long, Partner at Sidley Austin LLP, told DataGuidance, “The Bill is both complex and lengthy and its structure is also somewhat confusing as it contains separate parts relating to processing by law enforcement and intelligence agencies that replicate many of the provisions in the general processing section of the Bill. The Bill attempts to track the Data Protection Act 1998 to the extent possible, whilst also implementing the GDPR. It supplements and must be read alongside the GDPR, which further increases the challenge of interpreting the Bill. Some would argue that the Bill could have been drafted in a clearer form and following a more logical structure […] The GDPR is itself a complex and sometimes confusing piece of legislation and the Bill adds an extra layer of complexity. However, it is important to remember that in most cases, achieving compliance with the GDPR will also ensure compliance with the Bill, and vice versa. Organisations therefore need to focus on the significant practical challenges of compliance with the GDPR and should not be too concerned by the interaction between the Bill and the GDPR, especially as the Bill is still in draft form.”
The Bill exercises several of the agreed derogations to the GDPR, including in areas relating to the processing of data in the employment context, academic research and financial services. It also sets the age limit below which parental consent will be required for information services provided to a child at 13 years of age, which is within the range of 13-16 years of age found in the GDPR. According to the Department for Digital, Culture, Media & Sport, such provisions aim to ensure that ‘the GDPR’s provisions work better in the UK.’
Long noted, “The Bill goes beyond the GDPR by applying GDPR equivalent standards to processing that is out of the scope of the GDPR, for example, processing by a public authority subject to the Freedom of Information Act 2000. The Bill also generally exercises derogations under the GDPR in a way that falls within the parameters of the derogation under the GDPR, [though] in a few instances the GDPR imposes additional requirements which effectively narrow the scope of an exemption found in the GDPR. For example, the GDPR allows an exemption from the prohibition on processing sensitive personal data when the processing is necessary to carry out obligations of the controller in the field of employment law. The Bill includes this exemption but also adds an additional requirement that a controller has an appropriate policy document in place before relying on the exemption.”
The Bill is due to receive its second reading in the House of Lords on 10 October 2017. Following committee and report stages and a third reading, the Bill will then pass to the House of Commons for a similar debate, culminating in the consideration of any proposed amendments prior to receiving Royal Assent.
Eduardo Ustaran, Partner at Hogan Lovells LLP, concluded, “I think the Bill is a good attempt at achieving a two-fold objective: demonstrating that the UK is adopting the GDPR in full, while maximising the scope for tailor-made tweaks. This is not an easy task by any means. As everybody knows, the moment the UK departs from the letter or the spirit of the GDPR, it risks missing out on adequacy. That would be damaging for everyone but also frustrating for the Government, when it is so clear that the UK wishes to remain a safe jurisdiction for data. Overall, the key message for UK businesses is that any preparations already underway to comply with the GDPR must not stop.”
Alexis Kateifides | Privacy Analyst