Royal Assent received 23 May 2018 - just in time for GDPR
The Data Protection Bill received Royal Assent on 23 May 2018 and will come into force as the Data Protection Act 2018.
The Act covers those parts of the GDPR that allow Member States to make their own provision for how it applies, here in the UK, such as setting at 13 the age at which children can give consent for online services. It also implements the Law Enforcement Directive.
The new Act covers several other related areas, for example processing related to immigration, the powers of the ICO itself and the application of data protection standards to national security agencies.
Section 1 of the Act (Overview), in part 1 of the Act (ss. 1 to 3) provides as follows:
(1) This Act makes provision about the processing of personal data.
(2) Most processing of personal data is subject to the GDPR.
(3) Part 2 [ss 4 to 28] supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
(4) Part 3 [ss 29 to 81] makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
(5) Part 4 [ss 82 to 113] makes provision about the processing of personal data by the intelligence services.
(6) Part 5 [ss 114 to 141] makes provision about the Information Commissioner.
(7) Part 6 [ss 142 to 181] makes provision about the enforcement of the data protection legislation.
(8) Part 7 [ss 182 to 215] makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.
There are 20 schedules to the Act.
By virtue of s 212 of the Act and the Data Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions) Regulations 2018 (SI 2018 No 625), the following provisions are in force on the dates in 2018 shown below.
Note that, presumably to cover anything overlooked, s 212(2)(f) also covers ‘any other provision of this Act so far as it confers power to make regulations or Tribunal Procedure Rules or is otherwise necessary for enabling the exercise of such a power on or after the day on which this Act is passed’.
Provisions not in force
It follows from the above provisions that, as of 6 June, the following are not in force and not subject to any commencement provision:
s 93 (right to information)
s 102 (general obligations of the controller)
s 103 (data protection by design)
s 104 (joint controllers)
s 105 (processors)
s 108 (communication of a personal data breach)
It is however worth noting that where provisions are brought into force requiring the Information Commissioner to prepare a code of practice, such as the age-verification code under s 123 (in force from 23 July), the obligation includes an obligation to consult. Post-consultation and preparation, there is a procedure for approval of the code (including a 40-day period after laying the code before Parliament). So the date on which such codes bite remains uncertain and is certainly well beyond 23 July.
Note too the very detailed transitional provision in sch 20 to the Act and the esoteric transitional and saving provisions relating to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 in reg 4 of SI 2018/625.
The text of the Act as enacted is available on legislation.gov.uk at http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted. You can trace the history of the proceedings on the Parliament website at https://services.parliament.uk/bills/2017-19/dataprotection.html