UK government announces Data Protection Bill

Shield defense on blue technology background with digital code Print publication


The “new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit” according to Digital Minister Matt Hancock.

The government’s press release confirms that the Data Protection Bill will implement GDPR in the UK, as well as enacting the Conservative Party’s manifesto pledge to enable people to ask social media channels to delete information they posted in childhood.

The key points to note from the press release are:

  • Opt-out boxes will not be a valid method of collecting consents.
  • Businesses will be supported to ensure they are able to manage and secure data properly.

There is no detail on what form this support will take, but in light of the huge fines for getting data protection wrong under GDPR together with the lack of guidance which has been published to date, businesses will surely welcome all support that is available to ensure that they meet the required standards.

  • New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data.

Again there is no detail on how these new offences will operate or the penalties for committing them, but these go beyond GDPR and will be specific to the UK.

However, what is most interesting is what is not included in the press release:

  • There is no mention of the new fee structure which has to be approved by Parliament.

Under the current regime data controllers are required to notify the ICO of their data processing activities and pay an annual fee of £35 (for smaller organisations and £500 for organisations with 250 or more employees and a turnover of more than £25.9 million).  These notification fees make up 80% of the ICO’s funding for data protection.  Under GDPR, the requirement to notify the ICO is removed.  Together with the fact that the UK’s Information Commissioner has said (in a wide-ranging evidence session in March 2017 before the EU Home Affairs Sub-Committee on the topic of the EU Data Protection Package) that she needs another 200 people over the next three years, this creates a funding shortfall for the ICO of over £22 million.  The ICO has said that this will need to be covered by a new fee structure for the UK which has to be approved by Parliament.

Sections 108 to 110 of the Digital Economy Act 2017 came into force on 31 July 2017 which gives the Secretary of State power to make regulations requiring data controllers to pay fees of amounts yet to be specified.

Depending on the level of fees to be set, this could have budgetary implications particularly for smaller organisations, but there is no mention of the new fee structure in the press release.

  • There is no mention of how much of the existing Data Protection Act will be repealed.

For example, section 55 of the Data Protection Act 1998 makes it a criminal offence for a person to knowingly or recklessly obtain or disclose or procure the disclosure of personal data, so an organisation cannot require an employee to make a subject access request to obtain information from other organisations.  It also makes it an offence to sell personal data which was unlawfully obtained.

This is a UK specific provision which is not replicated in GDPR. There is no indication whether this will be retained in the Data Protection Bill.

  • Under GDPR there is scope for the UK to set the age at which children are able to give consent (somewhere between 13 and 16).

There is no indication in the press release of where the UK will set the age of consent.

  • There is no mention of the derogations that the UK will apply.

The Department for Digital, Culture, Media & Sport consulted on the derogations (flexibilities) to GDPR where the UK can exercise discretion over how certain provisions will apply, such as the mandatory appointment of data protection officers, the processing of sensitive personal data etc.

The ICO’s “general approach is to favour replicating existing arrangements under the [Data Protection Act 1998] where experience shows that they work satisfactorily”.

The consultation closed on 10 May 2017 and the results of the consultation have still not been published.  However, as the Data Protection Bill is said to be implementing the GDPR into UK law, it should cover these derogations and how they will be applied in the UK, but there is no reference to the derogations in the press release.

  • There is no mention of how data flows between the UK and the EU will be maintained following Brexit.

One of the key concerns post-Brexit is the basis on which personal data will be transferred between the EU and the UK.  Once the UK leaves the EU, it will be a third country.  This means that personal data will only be able to be transferred to the UK without additional transfer mechanisms (such as model contract clauses) being put in place, if the UK is found to provide an adequate level of protection.  The ICO wants the UK to obtain an adequacy decision as part of Brexit.

The EU Home Affairs Sub-Committee has now published its report (following the session at which the Information Commissioner gave evidence referred to above).  The report says that the government must set out clearly, and as soon as possible, how it plans to deliver the unhindered and uninterrupted flows of data between the UK and the EU and the Sub-Committee was “struck by the lack of detail in the government’s assurances so far”.

Data transfers between the UK and the EU are not mentioned in the press release.

Hopefully when the Data Protection Bill is published, it will provide the much needed detail on how GDPR will be implemented in the UK and what data protection in the UK will look like post-Brexit.

Walker Morris will be publishing updates as and when more information becomes available.