UK Data Protection Laws – Repeal of DPA 1998
The Data Protection Bill and the GDPR – how does it work?
The Data Protection Bill (“the Bill”) will replace the 1998 Data Protection Act to provide a comprehensive legal framework for data protection in the UK. It will be supplemented by the European General Data Protection Regulations (GDPR) until the UK leaves the EU. When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill, currently before Parliament.
The Data Protection Bill will update current provisions, and hence repeal the current Data Protection Act 1998, and exercises the derogations available under the European General Data Protection Regulations (GDPR), which were agreed last year. As Regulations, they become directly applicable in May 2018 (as a result of Article 288 of the Treaty on the Functioning of the European Union (“TFEU”)). The Bill therefore does not reproduce the text of the GDPR but instead exercises the available derogations. In order to fully understand the Bill, it is necessary to read it alongside the definitions found in the GDPR.
Progress of the Bill
The Bill had its first reading in the House of Lords on 13th September and the second reading is scheduled for 10th October.
A copy of the bill as introduced can be found here.
The detailed explanatory notes (Commentary on provisions of Bill) include a useful table comparing definitions under the GDPR and the DPA 1998.
What does the Bill cover?
The four main matters provided for in the Bill are:
- General data processing
- Law enforcement data processing
- Data processing for national security purposes (including processing by the intelligence services)
- Regulatory oversight and enforcement
Applies beyond the EU
Article 2(2) of the GDPR states that the Regulations do not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law. To avoid data controllers being compelled to assess whether the activity they are engaged in falls inside or outside the scope of Union law, the Bill contains provisions to extend the GDPR standards to such data processing as well.
Part 1 includes essential definitions of matters such as “Personal data”, “Processing”, and “Filing system”.
Part 2 of the Bill concerns general data and makes provision for those areas where the GDPR gives Member States a discretion on specific points or definitions and the Government wants to exercise that discretion, or where it is mandatory for Member States to make their own rules.
Clause 8: Child’s consent in relation to information society services
Article 8 of the GDPR sets the age at which a child can consent to the processing of their personal data by an ‘information society service’. Most online websites would meet the definition, ranging from online banking to search engines and social media. The GDPR gives Member States the flexibility to set this age provided that the age decided upon does not fall below age 13.
As drafted, the Bill allows a child aged 13 years or older to consent to his or her personal data being processed by providers of information society services.
Clause 9: Special categories of personal data and criminal convictions etc data
Clause 9 includes provision for the processing of special categories of personal data for reasons of employment, social security and protection (Article 9(2)(b)).
Such processing meets the requirement only if it satisfies a condition in Part 1 of Schedule 1, i.e. there is an appropriate policy document and additional safeguards, together with Part 4 of Schedule 4.
This clause does not reproduce all of the conditions found in Schedule 3 to the 1998 Act because many of these are now found in similar form in the GDPR and have direct effect, e.g. Article 9(2)(a): ‘The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where prohibited by law.’
Clause 11: Limits on fees that may be charged by controllers
This clause provides that the Secretary of State may, by regulations, specify limits on the fees that a controller may charge.
Clause 13: Some restrictions of automated decision-making authorised by law: safeguards
Clause 17: Transfers of personal data to third countries etc
Part 3 deals with Law Enforcement Processing
Unlike the GDPR, the Law Enforcement Directive (“LED”) is not directly applicable EU law; accordingly Part 3 of the Bill (together with provisions in Parts 5 to 7 which apply across the GDPR, LED and intelligence services regimes) transposes the provisions of the LED into UK law.
Part 4 of the Bill provides a data protection regime for the processing of personal data by the intelligence services, based on the Council of Europe’s modernised, but yet to be agreed, Convention 108.
Part 5: The Information Commissioner
Clause 119: Data-sharing code
The Commissioner must prepare a code of practice which contains practical guidance in relation to the sharing of personal data in accordance with the requirements of the data protection legislation.
Clause 120: Direct marketing code
This clause places the Commissioner under a duty to publish and keep under review a direct marketing code of practice. This preserves the effect of section 52AA of the 1998 Act.
Clause 124: Other codes of practice
This clause provides the Secretary of State with the power to direct the Commissioner to produce other codes of practice for guidance as to good practice in the processing of personal data.
Clause 132: Charges payable to the Commissioner by controllers
This clause provides the Secretary of State with a power to make regulations requiring data controllers to pay a charge to the Commissioner.
Clause 171: Prohibition of requirement to produce relevant records
This clause makes it an offence for an employer to require employees or contractors, or for a person to require another person who provides goods, facilities or services, to provide certain records obtained via subject access requests as a condition of their employment or contract. This clause is similar to section 56 of the 1998 Act, but the list of relevant records in Schedule 17 is wider because it now includes medical records.
Further details on this legislation will be provided once the Bill has passed through the House of Commons and the House of Lords.