UK government publishes new UK Data Protection Bill

Last week, the UK government published its new Data Protection Bill, intended to replace the Data Protection Act of 1998. This Bill establishes a comprehensive and modernised framework for the protection of personal data in the UK.

In essence, the Bill applies the GDPR standards across all processing activities covered by the GDPR, while also taking advantage of the discretion left to Member States to implement derogations and special conditions for certain processing activities. However, the scope of the Bill is broader than the GDPR, as it also regulates the processing of personal data by law enforcement and national security agencies, as well as other general processing activities falling outside the scope of Union law.

Structure and Content of the Bill

The Bill is structured into 5 main sections:

  • Part 2 – General Processing: This section clarifies certain GDPR terms and provisions, and establishes derogations and special conditions for certain processing activities covered by the GDPR. The Bill also establishes an equivalent data protection regime for other general processing activities that fall outside the scope of Union law. Proposed changes from the GDPR include:
    • Lowering the age of consent for children using information society services to 13 years old
    • Special conditions for the processing of certain sensitive data and data relating to criminal convictions
    • Exemptions for processing of personal data for literary, journalistic or academic purposes
    • Restrictions on certain data subject rights, etc.
  • Part 3 – Law Enforcement Processing: This section creates a new framework for the processing of personal data by the police, prosecutors and other criminal justice agencies that is tailored to their needs. This section also implements the Law Enforcement Directive.
  • Part 4 – Intelligence Services Processing: This section creates a separate framework for processing of personal data by intelligence services for national security purposes, which is based on international standards, including the upcoming modernised Convention 108 of the Council of Europe (which, unlike the GDPR, does not exclude national security from its scope of application).
  • Part 5 – Information Commissioner: The Information Commissioner remains the UK’s data protection authority under the Bill and retains all of its powers. It also takes on additional responsibilities in line with the GDPR, such as receiving data breach notifications from controllers.
  • Part 6 – Enforcement: The Bill implements the offences set out in the GDPR – including the maximum fine of £18 million (€20 million) – but also creates new offences, such as:
    • The deliberate re-identification of de-identified data
    • The alteration of personal data to prevent its disclosure to the person who made the request

Relationship with the GDPR

Once enacted, the Bill will operate in tandem with the GDPR, supplementing it, until the UK leaves the EU. Since the Bill applies the GDPR standards, it will allow the continued application of those standards even after Brexit, which should facilitate compliance for businesses. The Bill also positions the UK well for an adequacy decision from the EU Commission regarding cross-border transfers from the EU to the UK.

The Bill was submitted to the House of Lords on 13 September 2017. The text of the Bill can be found here, along with a series of factsheets and documents related to each of the main sections that we’ve briefly analysed in this post.

How OneTrust Helps

OneTrust provides a tool with templates and questionnaires which can help organisations comply with privacy obligations around the world. Tools with questionnaires can help your company comply with GDPR requirements, but these questionnaires can also be tailored by country to tackle specific requirements that are dependent upon your geographic location.