Statement of Intent on Data Protection Bill
On 25 May 2018 all organisations in the EU (and in some cases, organisations outside the EU) that process personal data will be subject to the General Data Protection Regulation ("GDPR"). The GDPR is an EU Regulation which is directly applicable across all EU Member States. That means that the GDPR will automatically become part of UK law without the UK having to pass any legislation. We have commented previously on the impact this will have on organisations.
The Government has now issued a statement of intent regarding a UK Data Protection Bill. Any legislation the UK passes regarding data protection will need to sit alongside the GDPR from 25 May 2018 until the date that Brexit occurs (at which point GDPR will no longer automatically apply in the UK). There are a number of reasons why the Government has decided that a Data Protection Bill is necessary:
1. To update UK legislation to ensure consistency with the GDPR. When Brexit occurs it is vital that an uninterrupted data flow is maintained between the UK and the EU. Failure to do this could hamper the UK's trade with the EU.
The European Commission can examine the laws of a country located outside the EU to determine whether that country's data protection laws are adequate and (if they are) formally recognise them as such by issuing an "Adequacy Decision". Personal data can be transferred to countries outside the EU that have received an Adequacy Decision on the same terms as if the recipient were located in the EU.
The House of Lords has recently recommended that the UK pursues an Adequacy Decision post-Brexit. In order to do this, the Government will need to ensure that the data protection laws adopted by the UK offer equivalent protection to the GDPR. If an Adequacy Decision has not been obtained by the UK following Brexit, there are other methods of transferring personal data between the UK and the EU, but they are not practical long-term solutions.
2. The GDPR has a number of derogations, or flexibilities, where Member States can determine how particular provisions are applied in their country. The UK will exercise the available derogations through the Data Protection Bill. Notable derogations include: reducing the age at which children are able to give consent to the processing of their personal data from 16 to 13; applying exemptions to ensure freedom of expression in the media; and applying exemptions to ensure that research organisations and archiving services do not have to respond to subject access requests where it would impair or prevent them from fulfilling their purposes.
3. The GDPR does not cover the processing of personal data for "prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties". The processing of personal data for such purposes will be governed by the Data Protection Law Enforcement Directive ("the Directive"). Unlike the GDPR, the Directive is not directly applicable in the UK. The UK is required to implement the Directive into UK legislation by 6 May 2018 and it will do this through the Data Protection Bill.
The Government expects to publish the text of the Data Protection Bill in September. It will be interesting to see how the Government has decided to exercise the available derogations. In the meantime, organisations should continue to make preparations for the GDPR.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.