In a 30-page statement of intent, the Government set out its plans for a new data protection bill, which is yet to be introduced to Parliament. The planned legislation is set to follow the General Data Protection Regulation, which comes into effect on 25 May 2018, when the UK will still be a Member State of the EU.
It is interesting to note that the planned data protection law will include a number of derogations in national law from the GDPR:
- Giving consent to process data and protecting children online: The Government plans to legislate to allow for a child aged 13 years or older to consent to their personal data being processed.
- The GDPR only allows for bodies with “official authority” (the police etc.) to process personal data relating to criminal offences and/or convictions: EU Member States can legislate at a national level in order to enable other bodies to process this category of data. The UK Government said it would seek to preserve continuity with current domestic legislation, for example, by allowing a private or third sector employer to obtain details of criminal convictions in order to carry out a criminal records check.
- Automated individual decision-making: The GDPR says an individual has the right not to be the subject of automated decision-making such as “profiling”. However, the UK Government has stated that some functions, such as a credit check at a bank, are an appropriate means of automated decision-making and thus should be allowed. The UK Government will legislate to allow automated data processing, yet individuals will have the right not to be subject to a decision made by automated means.
- Freedom of expression in the media: The GDPR provides for journalistic exemptions to certain areas of data protection to allow for journalistic activity in the public interest to be carried out. The new Data Protection Bill will strike the right balance between freedom of expression of the media and the right to privacy for individuals. Here, the UK Government plans on broadly replicating section 32 of the Data Protection Act 1998 in order to balance privacy and the freedom of expression.
- Research: The GDPR requires organisations to comply with specified obligations in relation to an individual’s personal data. Such obligations include, for example, the requirement that inaccurate personal data, upon notification, be rectified without delay, as well as rights of access. The GDPR, however, also allows the UK to legislate to allow scientific or historical research organisations, organisations which gather statistics or organisations performing archiving functions in the public interest, to be exempted from such obligations. However, this will only be the case if compliance would seriously impair these organisations’ ability to carry out research, archiving or statistics-gathering activities.
- Law enforcement data protection: The Data Protection Bill will transpose into UK law the EU Data Protection Law Enforcement Directive (DPLED), which must be implemented into domestic law before 6 May 2018 and will extend to domestic law enforcement as well as cross-border enforcement. Furthermore, the Government has decided that, in order to ensure consistency and certainty for criminal justice agencies, the standards which the DPLED establishes will be extended to all domestic data processing for law enforcement purposes.
- National security data processing: The UK plans to legislate on the revised Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
The EU’s e-Privacy Regulation is also set to come into effect by 25 May 2018, yet this was not referred to in the statement. The statement of intent does not give much detail as to what the final Bill will look like; however, the Data Protection Act 1998 will be repealed.