UK data protection after Brexit – UK Government statement of intent contains few surprises
On August 7, 2017, the UK Government’s Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws, which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes it clear that, following this, the Bill will transpose the General Data Protection Regulation (the GDPR) into domestic law.
This stresses the importance of continued ease of data flow between the UK and the EU in a post-Brexit world.
The Statement sets out a number of key reforms that will be included in the Bill, most of which merely repeat the innovations of, and are consistent with, the GDPR, including:
- broadening the definition of ‘personal data’ to include IP addresses, internet cookies and DNA;
- raising the standard of consent to the level that is prescribed by the GDPR, simplifying the process for withdrawing consent for the use of personal data and requiring opt-in consent in order to send data subjects marketing materials;
- introducing the rights for data subjects to move data between service providers (right to data portability); to be able to ask for their personal data to be erased (right to be forgotten); and to request that decisions made by solely automated means are reviewed by a person;
- mandatory breach notifications, which will need to be made to the Information Commissioner’s Office within 72 hours of a breach taking place and, where there is a high risk, mandatory notifications to the data subjects concerned; and
- tougher sanctions, including fines mirroring those imposed by the GDPR, i.e., up to 20 million Euros or 4 per cent of global turnover.
The Statement however also notes that while continued adherence to the provisions of the GDPR is required to ensure the efficiency of data flow between the UK and the EU, “the GDPR requires some modification to make it work for the benefit of the UK and the Data Protection Bill will make the necessary changes”. The proposed modifications all appear consistent with the permitted scope of EU Member State derogations set out in the GDPR.
The Statement summarises some of the notable derogations from the GDPR. These include:
- The minimum age at which valid consent can be given will increase from 12 years under existing ICO guidance to 13 years to be consistent with the GDPR (which permits Member States to select a minimum age between 13 and 16 years).
- An extension of the right to be forgotten will be introduced, whereby individuals, when they are 18 years old, will have the ability to ask social media companies to delete any or all of their posts (although no details are provided as to how this would differ from the vanilla GDPR right to be forgotten).
- The right to process criminal conviction and offence data is limited under the GDPR to bodies vested with official authority, but the right under the Bill would apply to all organisations in certain specified circumstances. This preserves the continuity of existing UK data protection laws.
- The Bill introduces an exemption to a data subject’s right under the GDPR to object to decisions based on automated decision making. Under the Bill, this right would not apply if organisations have suitable measures in place which safeguard the data subject’s rights, freedoms and legitimate interests. A data subject will continue to have recourse to this right – consistent with the GDPR – in the event of unfavourable decisions based solely on automated means.
- The Bill broadly replicates section 32 of the existing Data Protection Act 1998, which deals with exemptions relating to personal data processed by the media and journalists, and exempts scientific and historical research, and organisations which gather statistics or perform archiving functions in the public interest, from compliance where compliance would seriously impair these organisations’ ability to work. These exemptions are broader than those that exist under the GDPR.
The Statement indicates that the Bill will also go beyond the GDPR in several respects, highlighting the Minister’s declaration that “the Data Protection Bill will allow the UK to continue to set the gold standard on data protection”. As part of this, the Bill will apply the new data protection provisions (and GDPR standards as applicable) to all personal data generally and not just areas of EU legal competence to ensure that a consistent approach is taken to data handling “in order to create a clear and coherent data protection regime” across the UK.
Further, the Bill will introduce two new criminal offences:
- the offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Those who also knowingly handle or process such data will be criminally liable; and
- the offence of altering records with intent to prevent disclosure following a subject access request.
Both these offences will carry a maximum penalty of an unlimited fine (but still no sign of custodial sentences). The Bill will also widen the existing offence of unlawfully obtaining data to cover individuals who retain data against the wishes of the data controller, even if this data was initially obtained lawfully.
As well as the GDPR, the Bill will implement the provisions of the EU Data Protection Law Enforcement Directive (the Directive), which covers the processing and cross-border sharing of personal data relating to criminal offences, criminal penalties and safeguarding against threats to the public. As with the standards of the GDPR, the Statement indicates that the Bill will implement the standards established by the Directive to all domestic as well as cross-border data processing.
It is clear that the UK Government is keen to ensure equivalence and adequacy with EU laws post-Brexit for EEA import purposes. Personal data can currently flow efficiently across EU member states, and from EU member states to certain non-EU jurisdictions where the EU Commission has deemed that those jurisdictions provide safeguards for personal data which are equivalent to the EU’s standards (Approved Jurisdictions). In order to transfer personal data from within the EU to non-Approved Jurisdictions, an additional export mechanism needs to be put in place, for example EU model clauses or binding corporate rules. Implementing these mechanisms can be administratively burdensome and costly for organisations. Having the GDPR transposed into domestic law demonstrates the priority the UK places on being deemed an Approved Jurisdiction following Brexit, so that UK-based organisations can continue to participate in efficient data sharing with the EU. This is made further apparent by the Government’s recent publication discussing the importance of a future partnership between the EU and the UK with respect to the exchange of personal data. The publication in particular discusses the Government’s desire to explore an EU-UK model for exchanging personal data based on the existing adequacy model, given the UK’s current and future alignment with EU data protection law.
The new criminal offences (which will affect offenders personally) will be useful tools in signalling the importance of respecting cryptographic safeguards applied to data and the unacceptability of last-minute attempts to avoid the consequences of subject access transparency.
However, the Statement is short on vital detail and practitioners will have to wait for the publication of the Bill itself to get an idea of whether derogations will be sufficiently broad to legitimise some of the more problematic processing areas under the GDPR (for example, where consent is unobtainable).