On the 7th August 2017, the UK’s Government Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes it clear that following this, the Bill will transpose the General Data Protection Regulation (the GDPR) into domestic law, stressing the importance of continued efficiency of data flow between the UK and the EU in a post-Brexit world.
The Statement sets out a number of key reforms that will be included in the Bill, most of which merely repeat the innovations of, and are consistent with, the GDPR including:
- broadening the definition of ‘personal data’ to include IP addresses, internet cookies and DNA;
- raising the standard of consent to the level that is prescribed by the GDPR, simplifying the process for withdrawing consent for the use of personal data and requiring opt-in consent in order to send data subjects marketing materials;
- introducing the rights for data subjects to move data between service providers (right to data portability); to be able to ask for their personal data to be erased (right to be forgotten); and to request that decisions made by solely automated means are reviewed by a person;
- mandatory breach notifications, which will need to be made to the Information Commissioner’s Office within 72 hours of a breach taking place and, where there is a high risk, mandatory notifications to the data subjects concerned; and
- tougher sanctions, including fines mirroring those imposed by the GDPR, i.e., up to 20 million Euros or 4% of global turnover.
The Statement however also notes that while continued adherence to the provisions of the GDPR is required to ensure the efficiency of data flow between the UK and the EU, “the GDPR requires some modification to make it work for the benefit of the UK and the Data Protection Bill will make the necessary changes”. The proposed modifications all appear consistent with the permitted scope of EU Member State derogations set out in the GDPR.
The Statement summarises some of the notable derogations from the GDPR. These include:
- The minimum age at which valid consent can be given will increase from 12 years under existing ICO guidance to 13 years to be consistent with the GDPR (which permits Member States to select a minimum age between 13 and 16 years).
- An extension to the right to be forgotten will be introduced, whereby individuals will have the ability to ask social media companies to delete any or all of their posts when they are 18 years old (although no details are provided as to how this would differ from the vanilla GDPR right to be forgotten).
- The right to process criminal conviction and offence data is limited under the GDPR to bodies vested with official authority, but the right under the Bill would apply to all organisations in certain specified circumstances. This preserves the continuity of existing UK data protection laws.
- The Bill introduces an exemption to a data subject’s right under the GDPR to object to decisions based on automated decision making. Under the Bill, this right would not apply if organisations have suitable measures in place which safeguard the data subject’s rights, freedoms and legitimate interests. A data subject will continue to have recourse to this right – consistent with the GDPR – in the event of unfavourable decisions based solely on automated means.
- The Bill broadly replicates section 32 of the existing Data Protection Act 1998 which deals with exemptions relating to personal data processed by the media and journalists, and exempts scientific, historical research and organisations which gather statistics or perform archiving functions in the public interest from compliance if this seriously impairs these organisations’ ability to work. These exemptions are broader than those that exist under the GDPR.
The Statement indicates that the Bill will also go beyond the GDPR in several respects, highlighting the Minister’s declaration that “the Data Protection Bill will allow the UK to continue to set the gold standard on data protection”. As part of this, the Bill will apply the new data protection provisions (and GDPR standards as applicable) to all personal data generally and not just areas of EU legal competence to ensure that a consistent approach is taken to data handling “in order to create a clear and coherent data protection regime” across the UK.
Further, the Bill will introduce two new criminal offences:
- the offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Those who also knowingly handle or process such data will be criminally liable; and
- the offence of altering records with intent to prevent disclosure following a subject access request.
Both these offences will carry a maximum penalty of an unlimited fine (but still no sign of custodial sentences). The Bill will also widen the existing offence of unlawfully obtaining data to cover individuals who retain data against the wishes of the data controller, even if this data was initially obtained lawfully.
As well as the GDPR, the Bill will implement the provisions of the EU Data Protection Law Enforcement Directive (the Directive), which covers the processing and cross-border sharing of personal data relating to criminal offences, criminal penalties and safeguarding against threats to the public. As with the standards of the GDPR, the Statement indicates that the Bill will implement the standards established by the Directive to all domestic as well as cross-border data processing.
It is clear that the UK Government is keen to ensure equivalence and adequacy with EU laws post-Brexit for EEA import purposes.
The new criminal offences (which will affect offenders personally) will be useful tools in signalling the importance of respecting cryptographic safeguards applied to data and the unacceptability of last-minute attempts to avoid the consequences of subject access transparency.
However, the Statement is short on vital detail and practitioners will have to wait for the publication of the Bill itself to get an idea of whether derogations will be sufficiently broad to legitimise some of the more problematic processing areas under the GDPR (for example, where consent is unobtainable).
Norton Rose Fulbright nominated for Cyber Law Firm of the Year
Norton Rose Fulbright has been shortlisted for ‘Cyber law firm of the year’ at the Insurance Insider Cyber Ranking Awards 2017. Voting is now open, and you can show your support for Norton Rose Fulbright by casting your vote ahead of the award ceremony on 29 September 2017.
The category of “Cyber law firm of the year” is a new addition to the Cyber Ranking Awards and provides brokers and underwriters with a chance to vote for the law firm that they believe has contributed the most to bringing innovative solutions to market over the past 12 months. We are honored to be included as a nominee, and believe that it reflects our leading experience within the cyber insurance sector.
Norton Rose Fulbright provides data protection, privacy and incident response services around the globe, and works closely with the insurance industry to address cyber and technology-related risks.