The DCMS has published a statement of intent covering the proposed contents of the Data Protection Bill
The Department for Digital, Culture, Media & Sport has now published some details of the proposals that will be included in the Data Protection Bill, which will be presented to Parliament, probably in September.
In a display of considerable chutzpah, the document is entitled ‘A New Data Protection Bill: Our Planned Reforms’ and generally claims ownership of a number of provisions of the GDPR which will automatically become a part of UK law in May. In the Ministerial Foreword, the Rt Hon Matt Hancock MP states:
‘The Data Protection Bill, promised in our manifesto and announced in the Queen’s speech, will bring our data protection laws up to date. It will both support innovation by ensuring that scientists and businesses can continue to process data safely. It will ensure that we can remain assured that our data is safe as we move into a future digital world based on a system with more accountability, but less bureaucracy. The Bill includes tougher rules on consent, rights to access, rights to move and rights to delete data. Enforcement will be enhanced, and the Information Commissioner given the right powers to ensure consumers are appropriately safeguarded.
The Bill will also bring EU law into our domestic law.’
Pedants might well point out that most of this will be UK law in May 2018 whether this Bill is passed or not as the GDPR (already law) will then be in force. We might find, given even the slightest hiccup in the legislative process (quite likely, since it’s taken them ages to get to here), that when given the Royal Assent the Data Protection Bill makes law that already exists. In addition, there will be close scrutiny of the Bill to make sure it does match the GDPR as, if any diversion from the ‘true path’ is found, the effect of the European Union (Withdrawal) Bill (when passed) will be to make the law arising under the GDPR part of UK law; that could give rise to some interesting disputes.
The Statement of Intent indicates that the Data Protection Law Enforcement Directive will be applied by virtue of its provisions.
The Statement does have some meat. It states:
'We are determined to ensure that the GDPR best supports UK interests - for citizens and businesses. The GDPR requires some modification to make it work for the benefit of the UK and the Data Protection Bill will make the necessary changes. In particular, the Bill will:
The implementation of key government commitments including, the ability to require social media platforms to, on request, delete information held about them at the age of 18.
We are leaving the EU and businesses need a single standard under which they can operate. We do not want differing standards for legal areas which previously came under EU competence. The Bill will ensure that quality standards are also simple to apply.
When the GDPR takes effect it will be confusing for individuals, businesses and the courts if we do not adjust our domestic law to remove inconsistencies. The Data Protection Bill will make the necessary repeals to ensure clarity of roles and responsibilities for all involved.'
Note that new offences are proposed, in particular a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine. Another new offence is that of altering records with intent to prevent disclosure following a subject access request, which would apply not only to public authorities but to all data controllers and processors. The Statement also suggests that the Bill will widen the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully).
On derogations, the legislation will provide for a child aged 13 years or older to consent to their personal data being processed. Also, in news that will be a relief to our recent authors on this issue, ‘we will legislate to extend the right to process personal data on criminal convictions and offences so as to enable organisations other than those vested with official authority to process criminal convictions and offences data’. Predictably, the protection for ‘investigative journalism’ in s 32 of the 1998 Act is to be renewed. The passage on derogations also includes reassuring words about protecting research – the devil, his pomps and all his angels will be in the detail of that one.
As to automated individual decision-making, the Statement gives considerable detail on the proposed derogation:
‘According to the GDPR, an individual has the right not to be the subject of automated decision making including “profiling”. This may include, for example, an individual receiving an unfavourable credit rating, which is decided by way of a purely automated process.
The GDPR also allows exemptions where suitable measures are put in place to safeguard the individual’s rights, freedoms and legitimate interests. It is important for an individual to have recourse in the event that they are subject to an unfavourable automated decision. There are also legitimate functions which are dependent on automated decision making. For example, a bank, before agreeing to provide a loan, would be entitled to check the creditworthiness of an applicant. In this context, an automated credit reference check would be an appropriate means of achieving this outcome.
In view of this, we will legislate to implement this exemption with a view to ensuring legitimate grounds for processing personal data by automated means. Individuals will have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to them which is based solely on automated processing and which produces legal effects or similarly significantly affects them, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.’