The long-awaited Data Protection Bill was published on 14 September 2017 and is currently being scrutinised by the House of Lords. Despite the accompanying 112 pages of explanatory notes, a four-page factsheet and a five-page impact assessment, there is still much confusion about the purpose and effect of the bill.
The bill has a number of aims, as explained below. It does not, though, contrary to popular belief, incorporate the General Data Protection Regulation (GDPR) into UK law. GDPR is a regulation and so directly applicable when it comes into force on 25 May 2018, replacing the Data Protection Act 1998 (DPA). GDPR does not need to be ‘signed into British law’ while the UK remains a member of the EU. Post-Brexit, it will still be the law (until the government decides to replace it) because of the provisions of the European Union (Withdrawal) Bill.
So what are the aims of the Data Protection Bill? Chapter 2 of part 2 of the bill supplements the GDPR. It fills in some of the gaps in GDPR – what are known as ‘derogations’, where member states are allowed to make their own rules. More on this later.
Chapter 3 of part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply: for example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by the Freedom of Information Act 2000 (FOI)). The bill applies GDPR standards to such data, while adjusting those that would not work in the national context.
Part 3 of the bill regulates the processing of personal data for law enforcement purposes, implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut-down version of GDPR. This part will only apply to competent authorities – that is, those that process personal data for the purposes of criminal offences or threats to public security, for example the police, regulatory services and so on.
Part 4 of the bill makes provisions about the processing of personal data by the intelligence services. National security is also outside the scope of EU law. The government has, though, decided that it is important the intelligence services are required to comply with internationally recognised data protection standards as set out in GDPR.
Parts 5 and 6 make provisions about the Information Commissioner and the enforcement of the data protection legislation.
Going back to chapter 2 of part 2 of the bill – this has to be read alongside the GDPR, since neither makes full sense on its own. The following provisions stand out in this respect:
The GDPR allows the UK to introduce exemptions from various GDPR obligations, for example transparency and individuals’ rights. All of the familiar exemptions from the DPA (see s.29-35 and schedule 7) are set out in schedules 2-4 of the bill, for example, crime and taxation, legal proceedings, management forecasts, legal professional privilege, negotiations. There is a new exemption for personal data processed for the purposes of immigration.
Part 5 of schedule 2 of the bill contains an exemption from some of the GDPR provisions for, among other things, data being processed for the purposes of journalism. This is similar to s.32 of the DPA, which seeks to balance the competing human rights of privacy and freedom of expression. The Information Commissioner’s Office (ICO) will, though, have wider powers than currently to take enforcement action in media cases.
Part 5 also allows research organisations and archiving services to decline subject access requests and other data subject rights, when this would seriously impair or prevent them from fulfilling their purposes, and provided that appropriate organisational safeguards are in place to keep the data secure.
Children and consent
Clause 8 of the bill lowers the age at which a child can consent to the processing of their personal data, in relation to information society services, from 16 to 13. Providers of such services, which include social networks and other online services, will have to take reasonable steps to obtain the consent of a parent or guardian where the child is under 13. The term ‘information society services’ is fully defined in EU Directive 2015/1535.
The bill creates two criminal offences. Clause 162 makes it an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the data controller responsible for de-identifying the personal data. Offenders will be liable on summary conviction, or on conviction on indictment, to a fine.
Clause 163 makes it an offence for the data controller or a person employed by it to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information that a data subject enforcing their rights would have been entitled to receive. Offenders will be liable on summary conviction to a fine. This is similar to the offence under s.77 of FOI.
Clause 13 places additional obligations on the data controller when its automated processing ‘is authorised by union or member state law’ under article 22(2)(b) of GDPR. These obligations include notifying the data subject, as soon as reasonably practicable, that a decision has been taken solely on automated processing and giving them an opportunity to object or appeal.
Under the GDPR, the ‘legitimate interests’ condition (article 6(1)(f)) cannot be relied upon to justify data processing by public authorities in the performance of their public tasks. Clause 6 of the bill defines ‘public authority’ as any organisation that is covered by FOI or its equivalent in Scotland.
Special category and criminal history data
The bill sets out ‘additional safeguards’ which a data controller has to have in place before processing Special Category Data (known as Sensitive Personal Data under the DPA) and criminal history data. It is not enough to meet one of the substantive conditions in schedule 1. These safeguards are set out in part 4 of schedule 1, and include the data controller having in place an ‘appropriate policy document’ that explains how it satisfies the principles under article 5 GDPR (principles relating to the processing of personal data), and explains its retention and erasure practices for the relevant data. That document should be retained and the controller’s records of processing (under article 30 GDPR) should also explain which condition from article 6 of GDPR is being relied on to justify the processing. Policy documents and processing records are good practice requirements under the DPA. They will be a legal requirement under GDPR.
Article 82 of GDPR states that any person who has suffered material or non-material damage as a result of an infringement of GDPR shall have the right to receive compensation from the data controller or data processor for the damage suffered. Clause 159 of the bill explains that damage includes financial loss, distress and other adverse effects. This is in marked contrast to the DPA, section 13(2) of which only allows compensation for distress where it is linked to damage; although the Court of Appeal decision in Vidal-Hall v Google EWCA Civ 311 disapplied section 13(2), allowing claims for distress alone.
Finally, clause 156 sets out what individuals can expect if they submit a complaint to the ICO about the way their personal data has been processed under GDPR. Clause 157 sets out a mechanism for a complaint to the tribunal if the ICO fails to address it adequately.
The bill is at the committee stage in the Lords. There is, of course, plenty of scope for the bill to be amended before it becomes the Data Protection Act 2018, but there is not much time for change before GDPR comes into force.
Ibrahim Hasan is a solicitor and director of Act Now Training