Thursday, 14 September 2017 was an exciting day for data protection practitioners. Why? It was the day that the UK Government finally published its long-awaited Data Protection Bill (DPB) to apply the EU General Data Protection Regulation (GDPR) into UK law and replace the existing Data Protection Act 1998 (DPA).
As someone with a passion for data protection and privacy law for almost two decades, my face lit up as I clicked on the link on the UK Parliament’s website and the DPB was exposed to me in all of its splendour. 7 parts, 194 sections and 18 schedules, spread over 218 pages. While not comparable in size to the likes of the Companies Act 2006, the DPB is not to be sniffed at for a piece of legislation that regulates the single subject of informational privacy. By comparison, the DPA, after almost 20 years of amendments and updates, ended up being not dissimilar in length to the DPB’s starting point.
But the DPB is a different type of beast. The DPA was implemented to give effect to the EU Data Protection Directive, as Directives do not directly apply in the EU Member States. Regulations, on the other hand, are directly applicable in the EU Member States, which means that they automatically apply on the specified date, without the need for further implementation – which is 25 May 2018 in the case of the GDPR. This background helps the reader put the manner in which the DPB has been constructed into context and is the first step in understanding its complex – but arguably logical – topology.
First, because of direct applicability, the DPB was never going to ‘copy and paste’ the GDPR into UK law. This was already clear from the outset (see: Case 39/72 Commission v. Italy, where it was held that it was wrong for a Member State to do so in the case of a Regulation). The UK Government’s Statement of Intent, published in August, also provided hints as to the shape of the Bill, particularly the UK Government’s noted desire to focus on the permitted derogations in the GDPR, to extend the application of the GDPR to areas in which the EU does not have the competence to legislate and to also implement the EU Law Enforcement Directive as part of the DPB.
As if the data protection legal landscape was not already complex and multi-faceted enough, the Council of Europe (another supranational organisation, not to be confused with the Council of the European Union) is in the process of revising its Convention 108, which dates back to 1981 and provided the impetus for the original Data Protection Act 1984. While the UK Government could have waited for the revised Convention to be agreed, the DPB provided an indisputably attractive vessel through which to begin the UK implementation journey.
If one keeps in mind the foregoing, the structure and manner in which the DPB is drafted is perfectly logical. The negativity that shrouded the DPB on social media last Thursday and throughout the weekend is, in my view, unnecessary and untenable. The key to understanding the DPB is to break it down into the following digestible chunks:
Part 2, Chapter 2 DPB: is supplementary to the GDPR and covers the areas where the UK can enhance or derogate from the provisions of the GDPR. The net effect of this part is to put a DPA ‘skin’ on to the GDPR. Some of the provisions have been lifted directly from the DPA, and while the route to the answer might not be as direct or easy as the DPA, it just involves some stops along the way in the form of reading the GDPR provision in the light of the Part 2 DPB enhancement or derogation and cross-reference to one or more parts of Schedules 1 to 5 to the DPB – all at the same time. This Chapter is deceptively brief, but arguably the most complex and the most important part of the DPB.
Part 2, Chapter 3 DPB: this is referred to as the ‘applied GDPR’ in the DPB in that it applies the GDPR (with some modifications contained in Schedule 6 DPB) to areas outwith the scope of EU legislative competence (except for personal data processing for the purposes of law enforcement and the intelligence services, which are dealt with in Parts 3 and 4 DPB, respectively). An example here is in relation to personal data held by public authorities in unstructured paper format e.g. notebook entries, pieces of paper not held in a structured paper file, etc. The Freedom of Information Act 2000 made amendments to the DPA in 2005, as a result of which personal data contained in unstructured paper documents held by public authorities is covered (to a limited extent) by the DPA. This chapter essentially replicates this so far as the DPB is concerned, but what is interesting is that it removes the category of semi-structured paper personal data that exists under the DPA so that only personal data held in structured paper filing systems and in unstructured paper format by public authorities is subject to the DPB. Although the DPA classifications of structured, semi-structured and unstructured public authority paper personal data have worked well under the DPA, it is perhaps indicative of the broader scope of structured paper personal data under the GDPR that the semi-structured category was considered unnecessary in the DPB.
Part 3 DPB: this does not refer to the GDPR and only applies to personal data processing undertaken by ‘competent authorities’ for law enforcement purposes. These authorities are listed in Schedule 7 DPB and include the law enforcement functions of UK Government departments, the Scottish Ministers and authorities with investigatory functions, amongst others (including the Information Commissioner’s Office (ICO) and the Scottish Information Commissioner). Part 3 DPB transposes the Law Enforcement Directive into UK law and extends it to apply to internal UK personal data processing for law enforcement purposes, not just cross-border personal data processing (the Directive only applies to the latter). This is currently governed by the DPA.
Part 4 DPB: covers the intelligence services’ (the Security Service, the Secret Intelligence Service and GCHQ) processing of personal data, which is currently covered by the DPA. The provisions have a GDPR ‘feel’ to them, but are in fact the UK’s transposition of the yet to be finalised revision of Council of Europe Convention 108. Like Part 3 DPB, this is detailed and does not refer to the GDPR.
Once these chunks have been digested, the reader can then explore the routes to finding the applicable law and answer to data protection issues falling within the scope of the DPB (the answer will not, from my reading and interpretation of the DPB, be significantly different to the DPA’s solution in most cases). Along the way, the reader will come across some interesting landmarks:
While ICO annual registration and the associated fees have disappeared, the DPB permits the ICO to impose fees and charges for its services. The level of fees and charges is currently being consulted upon by the Department for Digital, Culture, Media and Sport, with larger businesses potentially having to pay up to £1,000.
The circumstances in which an individual can sue an organisation for breach of data protection law have been broadened to include situations where the individual has not only suffered damage or distress (as per the DPA), but also where the individual has suffered ‘other adverse effects’.
The DPB enhances some of the existing DPA offences and includes some notable additions e.g. the offence of re-identifying anonymised personal data without the consent of the data controller and the offence of altering personal data to prevent its disclosure to the data subject upon receipt of a subject access request for a copy of that personal data (it only applies if the data subject would be entitled to access that personal data in response to the request).
A new provision allowing representative bodies e.g. campaign groups to exercise specified rights on data subjects’ behalf, including the rights to complain to the ICO and to receive compensation.
For those handling children’s personal data in Scotland, a particularly significant development in the form of children’s capacity to consent to data processing. The DPA was silent on this point, but the DPB provides that a child of the age of 12 years and over has sufficient understanding and maturity to consent to data processing, unless the contrary is shown. This is subject to an earlier provision in the DPB, which sets the minimum age of consent for ‘information society services’ (e.g. online purchases and subscription to social media networks) as being 13 years.
My advice to those studying the DPB is this: do not dispose of your copy of the GDPR just yet because it remains your faithful companion when navigating the high seas of data protection. And this is just the beginning of the voyage. The DPB grants extensive powers to the Secretary of State to make secondary legislation with supplementary provisions, which is likely to appear on the horizon very soon.